Fake Interpol Notices Used to Target Small Businesses With Ransomware
What happened
Cybercriminals are targeting small businesses with phishing emails that impersonate Interpol, using fake criminal investigation notices to trick employees into downloading ransomware.
According to cybersecurity company Bitdefender, the campaign has affected organizations across the United States, Europe, Asia, and the Middle East, spanning industries such as pharmaceuticals, food, agriculture, technology, media, and legal services.
The emails claim that Interpol has obtained evidence linking the recipient’s organization to suspicious or criminal activity. Victims are instructed to download a password-protected archive hosted on Proton Drive to review the supposed evidence. Once opened, the archive delivers ransomware disguised as a video file. The malware encrypts local systems and instructs victims to contact the attackers through the Tox messaging platform to negotiate payment.
Bitdefender security analyst Alina Bizga said the ransomware itself is relatively simple, lacking many of the advanced capabilities associated with major ransomware groups. However, the campaign demonstrates that convincing social engineering alone can make even basic malware highly effective.
Who is affected
The campaign primarily targets small businesses that may not have dedicated cybersecurity teams or mature security programs. Organizations across multiple industries have already been identified as targets.
Bizga also noted that many small businesses mistakenly believe they are too small to attract ransomware operators. Instead, attackers increasingly view these organizations as attractive targets because they often have limited security budgets, fewer technical resources, and employees who may be more likely to trust messages that appear to come from well-known international organizations.
Another notable aspect of the campaign is that attackers do not demand a fixed ransom upfront. Instead, they negotiate payments after victims make contact, allowing them to tailor demands based on the organization’s perceived ability to pay.
Why CISOs should care
This campaign highlights that ransomware attacks no longer require sophisticated malware to succeed. A well-crafted phishing email that creates urgency and appears legitimate can bypass human judgment and lead to significant business disruption.
For CISOs, the incident reinforces the importance of strengthening defenses against social engineering, particularly for organizations with distributed workforces or limited cybersecurity resources. It also serves as a reminder that every organization, regardless of size, remains a potential ransomware target.
3 practical actions
Train employees to verify unexpected legal, regulatory, or law enforcement communications before opening attachments or downloading files.
Strengthen email security controls and monitor for phishing attempts that impersonate trusted organizations.
Regularly back up critical systems, test recovery procedures, and maintain an incident response plan to reduce the impact of ransomware.

