Think your small business is too small to be targeted by ransomware?
That’s precisely the assumption cybercriminals hope you’ll make.
Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials.
The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.
Key takeaways
- Researchers at Bitdefender Antispam Lab have identified a malicious campaign impersonating Interpol.
- The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive.
- Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware.
- The ransomware appears to be a custom-built payload rather than a known ransomware family.
- The operation targeted organizations across Europe, Asia, the Middle East, and the United States.
- Small businesses are particularly at risk because many lack dedicated IT and cybersecurity resources.
How the attack works
The emails arrive with an urgent tone, claiming to be from Interpol’s cybercrime investigation unit, which is conducting a compliance or security review.

Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible.
The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.
To review the alleged evidence, recipients are directed to a Proton Drive link containing a password-protected archive. The password is conveniently included in the email itself.
Once opened, the archive appears to contain a video file documenting the supposed activities under investigation.
Instead, the victim is greeted with malware.
The attackers use a familiar trick: disguising an executable as a video file in the hope that recipients won’t notice the difference before opening it.
The malware isn’t sophisticated. The social engineering is.
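The disguise described above is cheap to catch if a download is judged by its bytes rather than its name. The following is an added example, not code from the Bitdefender write-up: it classifies a file from its leading bytes, flags double extensions such as `.mp4.exe` that Windows Explorer hides, and walks nested zip layers the way a multi-layer lure archive has to be unpacked. The sample archive and its fake `MZ` payload are constructed inline; the extension lists and the `max_depth` cap are this example's choices.

```python
"""Inspect a download by content, not by name, and walk nested zip layers.

Added example, not from the Bitdefender write-up. The lure archive built by
build_lure_sample() is a constructed stand-in (its 'PE' is just an MZ header).
"""
import io
import os
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

VIDEO_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mov", ".webm", ".mpg", ".mpeg", ".wmv"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                   ".lnk", ".msi", ".hta"}


@dataclass
class Finding:
    name: str
    content: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def sniff_type(data: bytes) -> str:
    """Classify a blob from its leading bytes, ignoring the file name entirely."""
    if data[:2] == b"MZ":                          # DOS/PE header: any Windows .exe/.dll/.scr
        return "pe executable"
    if len(data) >= 12 and data[4:8] == b"ftyp":   # ISO BMFF: .mp4 / .mov / .3gp
        return "iso-bmff video"
    if data[:4] == b"\x1a\x45\xdf\xa3":            # EBML: .mkv / .webm
        return "matroska video"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi video"
    if data[:4] == b"PK\x03\x04":
        return "zip archive"
    return "unknown"


def inspect(name: str, data: bytes) -> Finding:
    """Compare what the name promises with what the bytes are."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    f = Finding(name, sniff_type(data))
    # evidence.mp4.exe is shown as evidence.mp4 when Explorer hides known extensions
    if len(exts) >= 2 and last in EXEC_EXTENSIONS and any(e in VIDEO_EXTENSIONS for e in exts[:-1]):
        f.reasons.append("double extension " + "".join(exts))
    if last in VIDEO_EXTENSIONS and f.content == "pe executable":
        f.reasons.append("video extension but PE header (MZ)")
    if last in EXEC_EXTENSIONS and f.content == "pe executable":
        f.reasons.append("executable payload")
    if "  " in name:                               # runs of spaces push the real extension out of view
        f.reasons.append("padding spaces in file name")
    return f


def walk_archive(data: bytes, pwd: Optional[bytes] = None,
                 depth: int = 0, max_depth: int = 5) -> List[Finding]:
    """Recursively open zip layers and inspect every file member.

    zipfile only understands legacy ZipCrypto passwords; AES-encrypted lures
    need a third-party reader (for example pyzipper). The depth cap guards
    against archives that nest forever.
    """
    findings: List[Finding] = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info, pwd=pwd)
            if sniff_type(member) == "zip archive":
                findings.extend(walk_archive(member, pwd, depth + 1, max_depth))
            else:
                findings.append(inspect(os.path.basename(info.filename), member))
    return findings


def build_lure_sample() -> bytes:
    """Constructed: zip -> zip -> 'evidence.mp4.exe' carrying a bare MZ header."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("evidence.mp4.exe", fake_pe)
        zf.writestr("readme.txt", b"Review the attached footage.")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Interpol_evidence.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in walk_archive(build_lure_sample()):
        print(finding.name, finding.content, finding.reasons)
```

Run it against a real download directory by feeding each file's bytes to `inspect()` (or `walk_archive()` with the password from the email) before anyone double-clicks; the content sniff is what matters, since a renamed executable passes every name-based filter.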
According to researchers Viorel Vrabie and Andrei Mogage, the fake video contains a ransomware payload hidden within multiple archive layers.
Once executed, the malware seeks to encrypt files across available drives and presents victims with a ransom message:
“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.
Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.
We are available only through Tox.”
One interesting detail is what the ransom note doesn’t say:
Unlike older ransomware attacks that immediately demanded a fixed payment amount, this note doesn’t specify a ransom at all. Instead, victims are instructed to contact the attackers through a Tox chat channel.
This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact. The final ransom may depend on the size of the organization, the perceived value of its data, and its ability to pay.
The researchers also found that the malware itself is relatively simple. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations. A hardcoded password is also a weakness on the attacker's side: anyone with a copy of the binary can extract it, which is one more reason to preserve the executable and the ransom note for an incident responder rather than deleting them.
Bitdefender researchers observed the campaign targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.
The campaign was also geographically diverse, with targets identified across Europe, Asia, the Middle East, and the United States.
Is this attack linked to a major ransomware gang?
Probably not. The malware is much simpler than the tools typically used in major ransomware operations, and beyond the relatively basic code observed by our researchers, another notable difference is how victims are instructed to make contact.
Most modern ransomware-as-a-service (RaaS) groups direct victims to a dedicated negotiation portal hosted on the dark web, where they can exchange messages, receive payment instructions, and negotiate the ransom.
In this campaign, however, the attackers simply provide a Tox chat ID. There is no dedicated negotiation portal or victim site, which points to a custom-built operation rather than the work of an established ransomware group. The malware itself may have been written from scratch or assembled from publicly available code and tools.
The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering.
In this case, the fake investigation email does much of the heavy lifting. The attackers rely on fear, urgency, and authority to persuade victims to launch the malware themselves.
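The hallmarks listed above (a claimed authority on a non-official sender domain, a consumer file-drop link, an archive password shipped in the same message, and urgency language) can be turned into a mail-triage rule. What follows is an added example, not Bitdefender's detection logic: a heuristic scorer over parsed messages. The official-domain allow-list, the file-drop host set and the weights are assumptions of this example, and both sample messages are constructed fixtures with invented addresses and links.

```python
"""Heuristic triage for the fake-investigation lure described above.

Added example, not Bitdefender's detection logic. OFFICIAL_DOMAINS,
FILE_DROP_HOSTS and the weights are assumptions; LURE and BENIGN are
constructed fixtures with made-up addresses and links.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

OFFICIAL_DOMAINS = {"interpol.int"}        # assumption: where a genuine notice would originate
FILE_DROP_HOSTS = {"drive.proton.me"}      # assumption: consumer share hosts used for the drop
AUTHORITY_RE = re.compile(r"\b(?:interpol|europol|law enforcement|investigat\w*|compliance)\b", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*")
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pwd)\s*(?:is|:)\s*\S+", re.I)
ARCHIVE_RE = re.compile(r"(?:\barchive\b|\.zip\b|\.rar\b|\.7z\b|\bprotected\b)", re.I)
URGENCY_RE = re.compile(r"\b(?:immediately|as soon as possible|urgent|within \d+ (?:hours|days))\b", re.I)
QUARANTINE_AT = 5                          # assumption: score at which the message is held


def body_text(msg: Message) -> str:
    """Collect text/plain parts of a multipart message, or the single payload."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str) -> Tuple[int, List[str]]:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    text = body_text(msg)
    score, reasons = 0, []

    # 1. Authority in the display name or subject, but the mailbox is not an official domain.
    if AUTHORITY_RE.search(display + " " + subject) and sender_domain not in OFFICIAL_DOMAINS:
        score += 3
        reasons.append(f"claims authority from non-official domain '{sender_domain}'")
    # 2. Link to a consumer file-drop host rather than an attachment or an official portal.
    hosts = {m.group(1).lower() for m in URL_RE.finditer(text)}
    if hosts & FILE_DROP_HOSTS:
        score += 2
        reasons.append("file-drop link: " + ", ".join(sorted(hosts & FILE_DROP_HOSTS)))
    # 3. Archive password in the same message defeats gateway scanning of the archive.
    if PASSWORD_RE.search(text) and ARCHIVE_RE.search(text):
        score += 3
        reasons.append("archive password included in message body")
    # 4. Pressure to act quickly.
    if URGENCY_RE.search(subject + " " + text):
        score += 1
        reasons.append("urgency language")
    return score, reasons


def verdict(raw: str) -> str:
    score, _ = score_message(raw)
    return "quarantine" if score >= QUARANTINE_AT else "deliver"


# Constructed fixtures (addresses and links are invented).
LURE = "\n".join([
    'From: "INTERPOL Cybercrime Directorate" <notice@mail-notify.example>',
    "To: office@smallbiz.example",
    "Subject: Compliance review - evidence of suspicious activity",
    "",
    "Our investigators have obtained information and video material related to",
    "your organization. Review the evidence as soon as possible:",
    "https://drive.proton.me/urls/EXAMPLE#EXAMPLE",
    "The archive is password protected. Password: Review2024",
])
BENIGN = "\n".join([
    'From: "Maria" <maria@smallbiz.example>',
    "To: office@smallbiz.example",
    "Subject: Q3 invoices",
    "",
    "Please find the Q3 invoices in the shared finance folder. Thanks!",
])

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, verdict(raw), score_message(raw))
```

Each signal on its own is weak (plenty of legitimate mail carries a share link or a deadline), which is why the rule scores the combination rather than blocking on any single match; the authority-versus-domain check is the one that most directly captures the impersonation at the heart of this campaign.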
Why small businesses remain attractive targets
Small businesses are often viewed as easier targets than large enterprises.
Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training.
When an alarming email arrives claiming to involve investigators, compliance issues, or evidence of misconduct, there may be no formal process for verifying the claims before someone clicks.
Attackers understand this reality and design campaigns specifically to exploit it.
What should you do if you opened the file?
If you downloaded and opened a file like the one used in this campaign, don’t panic, but don’t ignore it either. Acting quickly can make a big difference.
Disconnect the affected device from the network. If ransomware or other malware is running, taking the computer offline may help prevent it from communicating with attacker-controlled servers or spreading to shared drives and other devices.
Run a full security scan. Use a trusted security solution, such as Bitdefender Ultimate Small Business Security, to perform a complete scan of the affected device. Even if nothing appears unusual, remember that some threats are designed to remain hidden until they’ve completed their job.
Notify your IT administrator or managed service provider, where possible. If you’re part of a business, don’t try to deal with the incident alone. The sooner your IT team is aware, the faster they can isolate affected systems and prevent additional damage.
Inform your team about the attack. Awareness can also make a huge difference in protecting your business, devices, data, and reputation.
Change important passwords from a clean device. If there’s any chance the malware also harvested credentials, update passwords for your business email, cloud storage, financial accounts, and collaboration platforms. Use strong, unique passwords and enable multi-factor authentication wherever it’s available.
Look for signs of suspicious activity. Watch for unexpected login alerts, password reset emails, unfamiliar transactions, or files that suddenly become inaccessible. Continue monitoring your accounts over the following days, as some attacks don’t reveal their full impact immediately.
Report the incident. Report the phishing email through your email provider’s “Report phishing” feature and notify the organization being impersonated when appropriate. If your business has been infected or you suspect ransomware was executed, consider reporting the incident to your national cybersecurity agency. Sharing information about active campaigns helps authorities warn other organizations and better understand emerging threats.
You may also want to read: What to do if you clicked a phishing link in a business email
How to protect your small business moving forward
Campaigns like this prove that ransomware attacks don’t always begin with sophisticated hacking techniques. Often, they start with a message designed to create panic.
To reduce the risk of your small business falling victim to a similar ransomware attack:
- Verify all unsolicited correspondence before acting: If you receive a message claiming to come from law enforcement, regulators, or another authority, don’t rely on the contact details provided in the email. Reach out through official channels to confirm whether the communication is legitimate.
Note: One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don’t send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing. If you receive a message like this, resist the urge to investigate on your own. Instead, verify the communication through official channels before opening any attachments or downloading files.
- Treat password-protected archives with caution, especially when the password is included in the email.
- Show file extensions on Windows devices: This makes it easier to spot executables masquerading as videos or documents.
- Enable multi-factor authentication wherever possible. MFA won’t stop ransomware that’s already running, but it can prevent attackers from accessing your business accounts if they also try to steal passwords.
- Keep systems and software up to date. Regular security updates help close vulnerabilities that attackers may exploit before or after a phishing attack.
- Train employees to recognize scams: Criminals increasingly rely on fear and urgency rather than technical exploits.
- Maintain secure backups: Reliable backups remain one of the best defenses against ransomware.
- Use layered security designed for small businesses: Even well-trained employees can have an off day, and attackers count on those moments. Solutions such as Bitdefender Ultimate Small Business Security add another layer of defense by helping block phishing emails, detecting malicious downloads, identifying suspicious behavior, and stopping ransomware in its tracks.
This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.
Comparitech Research: Which industry & country has the worst email security? An analysis of 5,800+ domains
Posted in Commentary with tags Comparitech on July 1, 2026 by itnerd
Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails. 96 percent of IT security and decision makers expect to see email security challenges throughout 2026, so you’d be forgiven for thinking that most organizations would be meeting the basics. However, Comparitech found that more than eight percent of organizations’ domains are fully unprotected.
This Wednesday, Comparitech researchers will be publishing a new study looking into this very subject by analyzing the live DNS records for 5,849 domains across 13 sectors, scoring each based on a series of frameworks.
Key findings include:
Additionally, Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the subject:
“If you asked people which industries they’d like to assume are meeting basic cybersecurity standards, government agencies and healthcare providers would likely be among some of the most popular answers. Our study highlights that, when it comes to standard email security, this couldn’t be further from the truth.
The fact that over 1 in 4 government agencies and 1 in 5 healthcare providers have zero email protection is incredibly concerning, particularly when the factors we’ve assessed (SPF, DMARC, DKIM, or MTA-STS) are what many would call “standard” protocols. Equally, these sectors are often subject to more regulation, demonstrating that even when they should be meeting these requirements by law, they often aren’t.
One of the biggest risks of having gaps in email security is spoofing. Without the necessary protocols in place, hackers can spoof an organization’s domain, which adds to the legitimacy of their campaign. They could use this to send phishing emails, malware, or carry out a wire fraud scam, for example. Ultimately, the email security protocols we’ve assessed shouldn’t be seen as a recommendation or “good to have,” they should be viewed as being essential for all organizations.”
You can read the research here: https://www.comparitech.com/news/which-industry-country-has-the-worst-email-security-an-analysis-of-5800-domains-for-spf-dmarc-dkim-mta-sts-protocols/
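To make the methodology concrete, here is an added example (not Comparitech's code or scoring framework) that grades a domain from the four record types the study names: SPF, DMARC, DKIM and MTA-STS. The DNS answers are constructed fixtures so it runs offline; the weights, the DKIM selector guesses, the grade thresholds and the `lookup()` stand-in are assumptions of this example, and live use would replace `lookup()` with real TXT queries.

```python
"""Grade a domain's email-authentication posture from DNS TXT records.

Added example, not Comparitech's scoring framework. FIXTURES are constructed
records standing in for a resolver; the weights, the SELECTORS list and the
lookup() stand-in are assumptions of this example.
"""
from typing import Dict, List

FIXTURES: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.good.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "default._domainkey.good.example": ["v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEYDATA"],
    "_mta-sts.good.example": ["v=STSv1; id=20240101000000"],
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    # bare.example publishes nothing: the "fully unprotected" case.
}
# DKIM keys live under <selector>._domainkey, and selectors are not enumerable,
# so a survey can only probe common names (assumed list).
SELECTORS = ["default", "selector1", "selector2", "google", "k1", "dkim"]


def lookup(name: str) -> List[str]:
    """Stand-in for a TXT query; swap in dnspython (dns.resolver) for live checks."""
    return FIXTURES.get(name, [])


def spf_policy(records: List[str]) -> str:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:          # receivers treat more than one SPF record as a permanent error
        return "invalid"
    tail = spf[0].split()[-1].lower()
    return {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass-all"}.get(tail, "no-all")


def dmarc_policy(records: List[str]) -> str:
    recs = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid"
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    return tags.get("p", "missing").lower()


def assess(domain: str) -> Dict[str, object]:
    spf = spf_policy(lookup(domain))
    dmarc = dmarc_policy(lookup(f"_dmarc.{domain}"))
    dkim = any(r.upper().startswith("V=DKIM1") for s in SELECTORS
               for r in lookup(f"{s}._domainkey.{domain}"))
    # The TXT record only announces that a policy exists; the policy itself is
    # fetched over HTTPS from mta-sts.<domain>, which this offline example skips.
    mta_sts = any(r.startswith("v=STSv1") for r in lookup(f"_mta-sts.{domain}"))

    score = {"fail": 2, "softfail": 1}.get(spf, 0)
    score += {"reject": 3, "quarantine": 2, "none": 1}.get(dmarc, 0)
    score += 1 if dkim else 0
    score += 1 if mta_sts else 0
    unprotected = spf == "missing" and dmarc == "missing" and not dkim and not mta_sts
    # SPF checks the envelope MAIL FROM, not the From header a user sees; only DMARC
    # ties the two together, so without p=quarantine/reject the visible domain can be forged.
    spoofable = dmarc not in ("quarantine", "reject")
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "dkim": dkim, "mta_sts": mta_sts,
            "score": score, "max": 7, "unprotected": unprotected, "spoofable": spoofable}


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "bare.example"):
        print(assess(d))
```

The `spoofable` flag is the one to watch: a domain can publish SPF and DKIM and still be trivially impersonated in the From header if its DMARC policy is `p=none` or absent, which is the gap the quoted comment describes.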