
Ransomware Campaign Disguises Itself as Interpol Investigation

The point: A new ransomware campaign uses forged Interpol emails as an entry point and negotiates ransom payments individually rather than demanding fixed sums.

Cybercriminals are sending authentic-looking emails in the name of Interpol to small and medium-sized enterprises and using them to deliver ransomware. The ransom is not fixed in advance but negotiated individually over a messenger.

Cybercriminals are currently running an attack campaign in which they send emails that appear to originate from Interpol. The recipients, predominantly small and medium-sized enterprises, are told that evidence material relating to suspicious activities is available for them. The email contains a link to a password-protected archive that supposedly holds documents and video files; the password is supplied in the message to suggest authenticity. The password also serves the attacker: most mail gateways and web proxies cannot unpack an encrypted archive, so its contents typically reach the recipient unscanned.

In reality, malware sits behind the download. The executable is disguised as a video file and, when opened, starts an encryption routine that targets local drives and mapped network shares. According to Bitdefender's analysis, the malware does not belong to any known ransomware family and appears to have been developed specifically for this campaign. The implementation is comparatively simple, but sufficient to encrypt systems and cause considerable damage.
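The lure described above, an executable dressed up as a video inside a password-protected archive, can be caught before anyone double-clicks it by looking at what the archive actually contains. The following is an added example written for this article, not Bitdefender's tooling or anything from the campaign itself. It assumes a ZIP archive (the article does not name the format), that the disguise relies on the file name rather than on any exploit, and uses a sample archive constructed inline; the folder and file names in it are made up. It flags three things a practitioner would check: an executable extension hidden behind a media extension (Windows Explorer hides known extensions by default, so `evidence.mp4.exe` is shown as `evidence.mp4`), executable magic bytes under a non-executable name, and a right-to-left override character that reverses the visible name.

```python
"""Triage a downloaded archive for executables masquerading as media files.

Added example for this article. Assumes a ZIP archive; the sample archive and all
member names below are constructed for illustration.
"""
from __future__ import annotations

import io
import zipfile
from typing import Optional

# Magic bytes of common executable formats, checked regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows executable/DLL)",
    b"\x7fELF": "ELF",
}
# Extensions Windows runs when the file is double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk", ".msi", ".hta"}
# "Harmless" extensions a lure would borrow to look like evidence material.
MEDIA_EXTENSIONS = {".mp4", ".avi", ".mkv", ".mov", ".wmv",
                    ".pdf", ".docx", ".jpg", ".png"}
RTLO = "\u202e"  # right-to-left override: "report\u202e4pm.exe" renders as "reportexe.mp4"


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a member looks like a disguised executable (empty = clean)."""
    reasons: list[str] = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = {"." + p for p in parts[1:-1]}  # extensions hidden before the real one

    if ext in EXEC_EXTENSIONS and inner & MEDIA_EXTENSIONS:
        reasons.append(f"double extension {basename}")  # evidence.mp4.exe
    elif ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")

    # Content check: a PE/ELF header under a media name is the disguise itself.
    for magic, fmt in EXECUTABLE_MAGIC.items():
        if head.startswith(magic) and ext not in EXEC_EXTENSIONS:
            reasons.append(f"{fmt} header but non-executable name")

    if RTLO in name:
        reasons.append("right-to-left override character in name")
    return reasons


def scan_archive(data: bytes, password: Optional[bytes] = None) -> dict[str, list[str]]:
    """Map every file in the archive to its suspicion reasons.

    Only the first bytes of each member are read. `password` is handed to the
    stdlib reader, which handles legacy ZipCrypto but not AES-encrypted ZIPs.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                head = fh.read(4)
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign PDF-like file, a double-extension PE, and a PE
    carrying a plain video name. The 'MZ' prefix is a PE header, the rest padding."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evidence/summary.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("evidence/evidence.mp4.exe", pe_stub)
        zf.writestr("evidence/interview.mp4", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons) or 'clean'}")
```

The content check is the one that matters: renaming does not change the `MZ` header, so a file called `interview.mp4` that starts with `MZ` is an executable no matter what Explorer displays. A real sample from this campaign would additionally need the password from the email passed as `password=`, and an AES-encrypted archive would need a third-party library such as `pyzipper` in place of the stdlib reader.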

The procedure after a successful infection differs from classic ransomware attacks: instead of immediately stating a ransom demand, the perpetrators ask the affected company to contact them via the Tox messenger. The amount is then negotiated individually, adjusted to the company's size, the value of the encrypted data, and its presumed ability to pay. Affected companies operate in food production, agriculture, legal services, pharmaceuticals, media, technology, and financial services, in Europe, Asia, the Middle East, and the USA.

Small companies are particularly at risk because they often lack a dedicated IT security function or clear processes for verifying unusual requests, which makes them more susceptible to social engineering. The campaign shows that a convincing pretext can cause at least as much damage as technically sophisticated malware.

If an infection is suspected, the affected company should immediately disconnect the device from the network (unplug the cable or disable Wi-Fi rather than powering it off, so that running processes and memory remain available for forensic analysis), conduct a complete security review, and inform administrators or external IT service providers. Passwords should be changed as a precaution and the network monitored for unusual activity. In general, unsolicited emails with download links or password-protected attachments should be treated with suspicion regardless of the stated sender; a law enforcement agency would not distribute evidence this way. Multi-factor authentication, regular backups kept offline or otherwise out of reach of a compromised account (the malware also encrypts network shares, so a backup on a mapped drive is not a backup) and tested for restore, timely security updates, and employee training on current fraud schemes reduce the success rate of such attacks.


Source: www.it-daily.net · Published 3 July 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.2.
