A recent cyberattack campaign targeting small businesses uses emails claiming to be from the “Interpol Cybercrime Investigation Unit” to trick victims into executing a custom ransomware payload, Bitdefender reported Wednesday.

The campaign has a fatal flaw, however, Bitdefender Senior Security Researcher Viorel Vrabie told SC Media: “the decryption functionality and the required key are embedded directly in the malware, meaning it is technically possible to recover encrypted files without negotiating with the attackers.”

The attackers rely on fear tactics and social engineering, rather than sophisticated malware, to extort small businesses for money, the researchers concluded. The Bitdefender Antispam team has observed these emails targeting businesses in the United States, Europe, Asia and the Middle East across a wide variety of industries, including technology, finance, legal services, food and agriculture, pharmaceuticals and media.

The attacks start with an email impersonating Interpol, claiming that an “emergency response” is needed to assist with an investigation into possible compliance and security issues within the organization. It includes a link to a Proton Drive share where the victim is encouraged to review evidence related to the “investigation.”

The Proton Drive share contains a password-protected archive, with the password included in the email. Within multiple nested archives is the ransomware payload, disguised as a video file. When the victim attempts to view the video, the ransomware is deployed, encrypting files across available drives and dropping a ransom note.

Vrabie told SC Media the custom ransomware only encrypts files, with no evidence of data exfiltration activity. Vrabie added that the malware was likely constructed using “publicly available code, templates, tutorials, or AI-assisted coding,” although no obvious signs of AI assistance were present.

The ransom note directs the victim to contact the attackers via Tox chat, threatening that performing a malware scan will “complicate the recovery process.” However, as the researchers noted, the decryption key is left hard-coded in the payload, and the files can be recovered without contacting the attackers or paying a ransom.

The researchers assessed that the campaign was likely the work of a less sophisticated group or individual rather than an established ransomware group, with fearmongering tactics doing most of the “heavy lifting.”

“The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering,” the researchers wrote.

Bitdefender recommended that organizations that received this email and opened the file disconnect the affected device from the network, run a full security scan, notify their IT team or managed service provider, and report the incident to both their email provider and a national cybersecurity agency.

Organizations should also train employees to recognize the fear and urgency tactics used by cybercriminals, verify all unsolicited messages before taking action, and treat password-protected archives with suspicion, Bitdefender said. Keeping secure data backups to prevent data loss from ransomware incidents, and configuring Windows devices to display file extensions so disguised payloads are easier to spot, are also recommended prevention measures.

Previous incidents show how errors made by ransomware threat actors can leave organizations empty-handed, even when a ransom is paid. In April, Check Point Research discovered that the VECT ransomware-as-a-service (RaaS) group’s latest ransomware version destroyed files larger than 128 KB due to a faulty encryption process, leaving them unrecoverable. Additionally, Coveware reported in February that Nitrogen’s VMware ESXi ransomware variant overwrote its public key, making decryption impossible.
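Bitdefender's advice above to make Windows show file extensions can be applied and followed up with a quick audit. The script below is an added example, not code from Bitdefender or SC Media; it assumes the disguised payload uses a double extension such as `evidence.mp4.exe` (the report only says the file was "disguised as a video file", so that naming pattern is an assumption), and the extension lists and the `Find-DisguisedExecutable` function name are mine.

```powershell
# Added example (not from the Bitdefender report or the SC Media article).
# Assumes Windows PowerShell 5.1+ and that the lure relies on a hidden
# trailing executable extension (e.g. "evidence.mp4.exe"); that naming
# pattern is an assumption, not something the report states.

# 1. Show file extensions in Explorer for the current user, so a trailing
#    .exe/.scr/... is visible instead of hidden behind a video icon.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer only re-reads the setting when it restarts (it relaunches itself).
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# 2. Audit a folder (e.g. where extracted archives land) for files whose
#    name carries a media/document extension followed by an executable one.
function Find-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Path)
    # Both lists are illustrative, not exhaustive.
    $media = 'mp4|avi|mkv|mov|wmv|mp3|jpg|jpeg|png|pdf|docx?|xlsx?'
    $exec  = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|lnk|msi|ps1'
    $pattern = "\.($media)\.($exec)$"
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage: report anything suspicious under the user's Downloads folder.
Find-DisguisedExecutable -Path (Join-Path $env:USERPROFILE 'Downloads')
```

Any hit is worth isolating rather than opening; if a file matches and the device may already have run it, follow the disconnect-and-scan steps the report recommends.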
Ransomware
‘Interpol’ emails spread custom ransomware with decryption key left inside
