An emerging ransomware campaign is targeting small businesses across multiple regions with fake Interpol notices designed to trick victims into downloading malware disguised as evidence of alleged criminal activity.
The campaign has so far targeted businesses in multiple sectors, including pharmaceuticals, food, agriculture, technology, media, and legal services in the US, Europe, Asia, and the Middle East.
Small Business Focus
Besides its focus on small businesses, the campaign is notable because it highlights how attackers no longer need sophisticated ransomware or the resources of a major cybercrime operation to launch disruptive attacks, Bitdefender said in a report this week. “Even relatively simple malware can become a serious threat when paired with convincing social engineering,” Bitdefender security analyst Alina Bizga wrote.
According to Bitdefender, the attack begins with phishing emails that impersonate Interpol and claim the recipient’s organization is under investigation for suspicious activity. The email informs the recipients that Interpol investigators have obtained information and video evidence of criminal activity tied to their organization. As with other well-crafted social engineering lures, the fake Interpol message conveys a sense of urgency related to suspicious or fraudulent activity.
The messages instruct victims to download a password-protected archive hosted on Proton Drive under the pretense of reviewing supporting evidence. If opened, the archive delivers a ransomware payload disguised as a benign video file that encrypts local systems and prompts victims to contact the attackers via the Tox peer-to-peer messaging platform to negotiate payment.
Bitdefender’s analysis of the payload revealed it to be a rudimentary but effective ransomware sample. “The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations,” Bizga wrote.
In comments to Dark Reading, Bizga says one interesting — and increasingly common — aspect of the campaign is the absence of a fixed ransom demand. Instead, it’s only when victim organizations contact the attackers via Tox that ransom negotiations begin. “That approach mirrors a tactic increasingly used across the ransomware ecosystem,” Bizga says. “Rather than demanding the same amount from every victim, attackers often make contact first and tailor their ransom demands to the size of the organization they’ve compromised and its perceived ability to pay.”
In this case, many of the targeted organizations appear to be small businesses, most of which likely operate under the assumption that they are unlikely to be of much interest to ransomware operators. “One of the biggest misconceptions among small businesses is that they’re ‘too small’ to attract cybercriminals,” Bizga notes. “Campaigns like this prove that’s simply not true.”
An Easy Target?
Data from CrowdStrike’s State of SMB Cybersecurity Survey showed that smaller organizations were hit by cyberattacks disproportionately more often than larger ones: 29% of SMBs with fewer than 25 employees in the survey were hit in ransomware attacks. While 94% of SMB leaders admitted to being very aware of cyber threats, two-thirds said a lack of budget prevented them from making any security upgrades. In its annual threat report, Sophos said ransomware accounted for 70% of the cyber incidents the company investigated at small business accounts and over 90% at midsize organizations.
And even these numbers might not tell the whole story. Recent Bitdefender research showed 55% of organizations admitted they don’t report security breaches even when they know they should, according to Bizga. “This lack of reporting makes it harder for the broader security community to understand the true scale of attacks and gives threat actors more opportunities to reuse successful tactics against other organizations.”
Small businesses are especially vulnerable because many lack dedicated IT or cybersecurity teams, formal incident response procedures, or regular security awareness training. “At the same time, compliance requirements continue to evolve across many industries,” Bizga says, “making it easier for employees to believe that an unexpected investigation or regulatory notice could be legitimate.”
