Cybersecurity researchers at Bitdefender have uncovered a widespread and ongoing phishing campaign targeting small businesses across the globe. Threat actors are impersonating the "Cybercrime Investigation Unit" at Interpol to lend legitimacy to their attacks. The campaign uses urgent and intimidating language to trick recipients into believing they are under investigation for fraudulent activity. Victims are directed to download supposed 'evidence' from a password-protected archive hosted on Proton Drive. This file, however, is a custom ransomware payload that encrypts the user's data. While the social engineering is effective, the ransomware itself is considered unsophisticated and contains a critical flaw: the decryption key is embedded within the malware, making recovery possible without paying the ransom.
The attack is a classic example of phishing combined with authority impersonation. It targets a wide range of sectors, including technology, finance, and legal services, in multiple regions like the US, Europe, and Asia. The attack chain is as follows:
This campaign leverages the trusted names of Interpol and Proton Drive to bypass both technical defenses and human suspicion.
The attack relies heavily on social engineering (T1566.002 - Spearphishing Link) to achieve its goals. The use of a legitimate cloud storage service, Proton Drive, helps the attackers evade email security gateways that might block direct attachments or links to known malicious domains. The password-protected archive further obfuscates the payload from automated scanning.
The ransomware itself is described as custom-built and unsophisticated. The most significant technical detail discovered by Bitdefender is that the malware contains its own decryption routine and the corresponding key. This is a major operational security failure by the attackers. It means that with proper reverse engineering of the malware sample, a decryption tool can be created to recover the files for free. This suggests the threat actor is likely amateur or is using a poorly constructed public-source ransomware kit.
The final stage of the attack, communication via Tox for ransom negotiation, is a common tactic for smaller or less-established cybercrime groups, as it provides anonymity without the need to maintain complex dark web infrastructure.
For a small business without dedicated IT security staff, this attack can be devastating. The impact includes:
However, the flaw in the ransomware significantly reduces the long-term impact for victims who can obtain a decrypted version or a recovery tool from security vendors. The primary risk is the initial business disruption and the cost of incident response and recovery.
No specific file hashes, IP addresses, or domains were provided in the source articles.
Security teams may want to hunt for the following patterns to detect related activity:
- drive.proton.me
- evidence.zip
- video_evidence.exe
- tox.chat

The most effective defense is training users to identify social engineering tactics like authority impersonation and to be suspicious of unsolicited emails demanding urgent action.
Modern endpoint protection can detect and block the execution of the ransomware payload based on its behavior, even if the signature is unknown.
Mapped D3FEND Techniques:
Using application allowlisting would prevent the custom, unauthorized ransomware executable from running in the first place.
Mapped D3FEND Techniques:
Implement an advanced email security solution that performs deep URL analysis on all incoming messages. Specifically for this campaign, the system should be configured to flag emails containing links to legitimate file-sharing services like Proton Drive, especially when the email body also contains password-like strings. While the domain itself is legitimate, the context is highly suspicious. The security gateway should rewrite these URLs to pass them through a remote browser isolation (RBI) service or a sandbox environment upon click, allowing for real-time analysis of the linked content before it reaches the user's endpoint. This prevents the user from directly downloading the malicious archive and provides a critical layer of defense against payload delivery.
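As an added example (not code from the article or from Bitdefender), here is a small Python triage function that combines the hunting patterns listed earlier with the gateway heuristic just described: a link to a legitimate file-sharing host delivered together with a password-like string in the same message. The sample messages are constructed and the Proton Drive paths are placeholders.

```python
import re

# Hunting patterns quoted in the article, plus lure wording from the campaign description.
FILE_SHARE_HOSTS = ("drive.proton.me",)
LURE_FILENAMES = ("evidence.zip", "video_evidence.exe")
AUTHORITY_TERMS = ("interpol", "cybercrime investigation unit")
URGENCY_TERMS = ("under investigation", "within 24 hours", "legal action", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches "password: X", "Password is X", "pw: X" anywhere in the text.
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pw)\b\s*(?:is|:)\s*\S+", re.IGNORECASE)

def triage_email(subject: str, body: str) -> dict:
    """Score one message; returns {'score', 'reasons', 'share_links'}."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    share_links = [u.rstrip(".,;)") for u in URL_RE.findall(text)
                   if any(h in u.lower() for h in FILE_SHARE_HOSTS)]
    reasons = []
    if share_links:
        reasons.append("link to legitimate file-sharing host")
    has_password = PASSWORD_RE.search(text) is not None
    if has_password:
        reasons.append("password-like string in body")
    if any(t in lower for t in AUTHORITY_TERMS):
        reasons.append("law-enforcement impersonation wording")
    if any(t in lower for t in URGENCY_TERMS):
        reasons.append("urgency or threat wording")
    if any(n in lower for n in LURE_FILENAMES):
        reasons.append("known lure filename")
    score = len(reasons)
    # The article's key context: a share link delivered together with the archive password.
    if share_links and has_password:
        score += 2
    return {"score": score, "reasons": reasons, "share_links": share_links}

def should_isolate(result: dict, threshold: int = 3) -> bool:
    """Gateway decision: rewrite the links through RBI/sandbox when the score meets the threshold."""
    return result["score"] >= threshold

# Constructed samples for demonstration; not messages from the real campaign.
LURE = ("Notice from Interpol Cybercrime Investigation Unit",
        "Your company is under investigation for fraudulent activity. Download the "
        "evidence within 24 hours: https://drive.proton.me/urls/EXAMPLE-PLACEHOLDER\n"
        "Archive password: Ev1dence (file: evidence.zip)")
BENIGN = ("Q3 slides", "Deck is on https://drive.proton.me/urls/EXAMPLE-BENIGN, "
          "shout if you cannot open it.")
```

The benign message keeps the legitimate domain on the allow path; only the combination of signals pushes the lure over the isolation threshold.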
Utilize endpoint protection (EPP/EDR) with robust behavioral analysis and file content inspection. Since the ransomware is custom, signature-based detection may fail. The EDR should be configured to monitor for processes that perform rapid file encryption. Create a rule to alert or block any process that enumerates user directories and begins overwriting files with new extensions. Furthermore, if a user downloads the archive, the EDR's on-access scanner should be able to inspect the contents. Even if encrypted, the presence of a Windows executable within an archive from an email link should be flagged as high-risk. This provides a last line of defense on the endpoint if the user is successfully phished.
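As an added example (not code from the article or any vendor product), this Python check inspects an emailed ZIP archive's central directory, where entry names and the per-entry encryption flag are stored in the clear, so a Windows executable inside a password-protected archive can be flagged without knowing the password. The archives are constructed in memory; mark_encrypted is a test helper that only sets the flag bits so the parser sees an encrypted archive.

```python
import io
import zipfile

# Extensions that should never arrive as "evidence" in an emailed archive.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".lnk", ".msi")

def inspect_archive(data: bytes) -> dict:
    """Classify a ZIP from its central directory alone; nothing is extracted.

    Entry names and the per-entry encryption flag are stored in the clear, so a
    password-protected archive still reveals that it carries an executable."""
    executables, encrypted = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry data is encrypted
                encrypted = True
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                executables.append(info.filename)
    if executables:
        verdict = "block"   # executable arriving via an emailed archive link
    elif encrypted:
        verdict = "review"  # contents not inspectable; route to sandbox or analyst
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted": encrypted, "executables": executables}

def build_sample(entries: dict) -> bytes:
    """Constructed test archive (the stdlib cannot write encrypted ZIPs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data: bytes) -> bytes:
    """Test helper: set the encryption flag in every local and central header so the
    archive looks password-protected to a parser (entry data is left untouched)."""
    buf = bytearray(data)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + offset] |= 0x1
            i = buf.find(sig, i + len(sig))
    return bytes(buf)

# Constructed samples modelled on the lure filenames quoted in the article.
LURE_ZIP = build_sample({"video_evidence.exe": b"MZ not a real binary",
                         "readme.txt": b"open the video"})
CLEAN_ZIP = build_sample({"notes.txt": b"agenda"})
```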
Bitdefender Antispam Lab publishes research on the Interpol impersonation campaign.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.