Small businesses across the United States, Europe, Asia, and the Middle East have been targeted with phishing emails impersonating the “Interpol Cybercrime Investigation Unit” and claiming the recipient is tied to an investigation. The messages use fear-based social engineering to push victims to a Proton Drive link hosting a password-protected archive, which contains multiple nested archives and a custom ransomware payload disguised as a video file. Bitdefender said the campaign has hit organizations in food and agriculture, legal services, pharmaceuticals, media, technology, and finance.
Once launched, the malware encrypts files on available drives and drops a ransom note directing victims to contact the attackers through Tox instead of a leak site or negotiation portal. Researchers found no evidence of data exfiltration and said the operation appears to be the work of a less sophisticated actor rather than an established ransomware group. Bitdefender also identified a major implementation flaw: the decryption routine and key are embedded in the payload, allowing victims to recover files without paying, while defenders were urged to isolate infected systems, scan endpoints, maintain backups, train employees, and enable visible Windows file extensions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Bitdefender reported that the custom ransomware contains an implementation flaw: its decryption functionality and key are embedded in the malware itself. This allows victims to recover encrypted files without paying the ransom.
Bitdefender Antispam Lab reported a phishing campaign targeting small businesses with emails impersonating an Interpol cybercrime investigation unit. The messages use Proton Drive-hosted, password-protected archives and nested files to deliver custom ransomware disguised as a video file.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcedarkreading.com
Open sourcehackread.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.