ransomware-securityINFO

Fake Interpol Emails Spread Ransomware, But the Decryption Key Is Inside

A ransomware campaign impersonates Interpol to hit small businesses through a Proton Drive archive. The flaw: the decryption routine and key ship inside the malware, so recovery without paying is possible.

By Eric Gerard · Editor · Save My Disk · 7 min read

A new ransomware campaign is impersonating Interpol to pressure small businesses into infecting themselves. According to security researchers at Bitdefender, with reporting echoed by outlets such as SC Media, Infosecurity and Hackread, the emails pose as an official "Interpol Cybercrime Investigation Unit" and claim an urgent response is needed to assist an investigation into compliance or security problems. The lure is authority and fear. The reality is a clumsy attempt to trick the recipient into running malware.

There is an unusual twist that changes the whole response. The people behind this campaign built their ransomware so badly that the tool needed to reverse the encryption, and the key it uses, are carried inside the malware itself. That single mistake means recovery without paying is on the table.

What the fake Interpol ransomware campaign looks like

The message arrives as an email dressed up as an official notice. It uses the Interpol name and the invented label of a "Cybercrime Investigation Unit," and it insists on urgency: the recipient's cooperation is supposedly required for a live investigation into a conformity or security matter. That framing is designed to short-circuit judgment. A frightened employee who believes an international police body is watching is more likely to click first and think later.

The email does not carry the payload directly. Instead it points to a Proton Drive link where a password-protected archive is hosted, and it helpfully provides the password in the body of the message. Password-protected archives are a common evasion trick: many email and endpoint scanners cannot inspect the contents of an encrypted archive, so the malicious file slips past filters that would otherwise flag it.

How the infection chain works

Once the victim downloads the archive and enters the supplied password, they do not find a document. They find more archives nested inside. Layer after layer, the packaging keeps the real payload buried, which further frustrates automated scanning and makes the object look like a harmless bundle of files.

At the bottom of the nesting sits the ransomware, disguised as a video file. The social engineering is consistent to the end: a recipient who was told this concerns an investigation expects to review evidence, so a "video" feels plausible. When the victim tries to play that video, the executable runs. Instead of footage, it begins encrypting files across the available drives and drops a ransom note demanding payment.
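The nesting and the video disguise described in this section, together with the password-protected download above, can be triaged without ever opening the payload. The script below is an added example written for this page; it is not code from the article, from Bitdefender, or from the campaign. It walks a zip and every zip nested inside it, reports each entry's nesting depth, flags entries that carry the zip "encrypted" bit (the ones a content-scanning gateway cannot inspect), and marks files whose content is a Windows executable or whose name is a media extension wrapped around an executable one. The sample chain it builds is constructed for the illustration and is left unencrypted because Python's standard library can read but not write password-protected zips; with a real sample the password quoted in the email is passed as `password`. The extension lists and the Interpol-flavoured file names are assumptions, not indicators from the campaign.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed heuristics for this illustration; production triage would use
# libmagic and a fuller extension list.
PE_MAGIC = b"MZ"
VIDEO_EXT = (".mp4", ".mkv", ".avi", ".mov", ".wmv")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk")


@dataclass
class Finding:
    path: str              # virtual path through the nesting, e.g. "a.zip/b.zip/c.mp4.exe"
    depth: int             # 0 = entry of the outermost archive
    encrypted: bool        # entry carries the zip "encrypted" flag (general-purpose bit 0)
    verdict: str           # "ok", "archive", "executable" or "unreadable"
    reasons: List[str] = field(default_factory=list)


def triage_archive(data: bytes, password: Optional[bytes] = None, max_depth: int = 8,
                   _prefix: str = "", _depth: int = 0) -> List[Finding]:
    """Walk a zip and every zip nested inside it without executing anything.
    `password` is the one the lure email supplies; it is only used for entries
    that are actually flagged as encrypted."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = _prefix + info.filename
            encrypted = bool(info.flag_bits & 0x1)
            f = Finding(path, _depth, encrypted, "ok")
            if encrypted:
                f.reasons.append("encrypted entry: a content-scanning gateway cannot inspect it")
            try:
                content = zf.read(info, pwd=password if encrypted else None)
            except (RuntimeError, NotImplementedError) as exc:   # bad password / AES-zip
                f.verdict = "unreadable"
                f.reasons.append(f"could not extract: {exc}")
                findings.append(f)
                continue
            if zipfile.is_zipfile(io.BytesIO(content)):
                f.verdict = "archive"
                f.reasons.append("nested archive")
                findings.append(f)
                if _depth + 1 < max_depth:
                    findings.extend(triage_archive(content, password, max_depth,
                                                   path + "/", _depth + 1))
                else:
                    f.reasons.append("nesting limit reached, not descended")
                continue
            name = info.filename.lower()
            stem, _, last = name.rpartition(".")
            if content.startswith(PE_MAGIC):        # Windows executable, whatever the name says
                f.verdict = "executable"
                f.reasons.append("PE header (MZ) in content")
                if not name.endswith(EXEC_EXT):
                    f.reasons.append(f"extension .{last} hides executable content")
            if stem.endswith(VIDEO_EXT) and name.endswith(EXEC_EXT):
                f.verdict = "executable"
                f.reasons.append("double extension: media name wrapping an executable")
            findings.append(f)
    return findings


def build_sample_chain() -> bytes:
    """Constructed stand-in for the lure: three nested zips with a fake PE named
    like a video at the bottom and a decoy text file at the top."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64   # header only, not a program

    def zip_of(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in entries.items():
                zf.writestr(name, payload)
        return buf.getvalue()

    level2 = zip_of({"Interpol_Evidence.mp4.exe": fake_pe})
    level1 = zip_of({"Evidence.zip": level2})
    return zip_of({"Case_Files.zip": level1,
                   "README.txt": b"Open the video to review the evidence."})


if __name__ == "__main__":
    for f in triage_archive(build_sample_chain()):
        print(f"{'  ' * f.depth}{f.path.rsplit('/', 1)[-1]:30} {f.verdict:11} {'; '.join(f.reasons)}")
```

Run it on a downloaded archive with `triage_archive(open(path, "rb").read(), password=b"<password from the email>")` on an isolated analysis machine; the walk only reads bytes and never writes the extracted files to disk, so nothing is launched.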


The chain is deliberately layered but not sophisticated. Each step is a known trick: the fake authority, the off-platform file host, the supplied password, the nested archives, the video disguise. What makes the campaign notable is not its cleverness but its target selection and a self-defeating implementation error.

The critical flaw: the decryption key ships inside the malware

Here is the detail that matters most for any victim. According to the researchers who analyzed the samples, this ransomware carries both its decryption function and the required key inside the malware itself. In a correctly built strain, the key that locks your files is generated fresh on your machine and immediately wrapped with the attackers' public key; the matching private key stays on their infrastructure and never touches the victim, so nothing left on the disk can undo the encryption. That is exactly why paying can feel like the only option. This campaign does the opposite.

Because the decryption logic and key are present locally, it is technically possible to recover the encrypted files without negotiating with or paying the attackers. This is a major defect in the attackers' design. It also means that security vendors such as Bitdefender are well positioned to publish a free decryptor built from that embedded material, and that antivirus and law enforcement partners can add it to the public catalog of free tools.

To be clear about the limits: extracting an embedded key safely is work for malware analysts, not something to improvise from a blog post. Do not attempt to pull apart the sample yourself. The practical takeaway is simpler and just as important: do not pay. The weakness here is not in the cipher but in the key management; the material needed to reverse the encryption is sitting on the victim's own machine, so recovery does not depend on the attackers' cooperation.
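To make the design difference in this section concrete, here is an added illustration written for this page, not code from the article, from Bitdefender, or from the malware. It puts two miniature encryptors side by side. The flawed one carries a single key inside its own image, so an analyst can locate candidate key material by entropy, confirm a candidate by trial-decrypting one file against a known header, and then run the shipped decryption routine on everything; the sound one generates a fresh key per victim and wraps it under a public key whose private half the binary never contains, so the same scan finds nothing usable. Everything here is constructed: the HMAC-SHA256 counter keystream stands in for AES, the RSA pair uses two small Mersenne primes rather than real sizes, and the fake binary images, file contents and key value are made up for the demonstration. Nothing about the actual sample's cipher, key length or layout is claimed.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter
from typing import Optional, Tuple

# Everything below is constructed for this illustration; it describes no real sample.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode as the keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# ---- Flawed design: one fixed key compiled into every sample -------------------
EMBEDDED_KEY = bytes.fromhex("c35a910e7fb624d863af1ce5489b07d23e6af185bc29740d9ac651ee38b047fd")


def flawed_encrypt(plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(EMBEDDED_KEY, nonce, plaintext)


def flawed_decrypt(blob: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    # The malware ships this routine too, so anyone holding the key can run it.
    return keystream_xor(key, blob[:16], blob[16:])


# Constructed stand-in for the malware's on-disk image: low-entropy filler and
# readable strings, with the key sitting somewhere inside.
FAKE_BINARY = (b"MZ" + b"\x00" * 120 + b"This program cannot be run in DOS mode."
               + b"\x00" * 64 + EMBEDDED_KEY + b"\x00" * 40
               + b"Your files are encrypted. Contact us to pay." + b"\x00" * 32)


def shannon(window: bytes) -> float:
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def recover_key(image: bytes, sample: bytes, known_prefix: bytes, size: int = 32) -> Optional[bytes]:
    """Analyst-side recovery: rank every `size`-byte window of the image by entropy,
    then confirm a candidate by trial-decrypting one encrypted file and checking
    for a known plaintext prefix (a file-format magic such as %PDF)."""
    offsets = sorted(range(len(image) - size + 1),
                     key=lambda i: shannon(image[i:i + size]), reverse=True)
    for i in offsets:
        candidate = image[i:i + size]
        if shannon(candidate) < 4.5:        # the rest is filler and readable strings
            return None
        if flawed_decrypt(sample, candidate).startswith(known_prefix):
            return candidate
    return None


# ---- Sound design: per-victim key, wrapped under a key the binary cannot unwrap ----
P, Q = 2 ** 61 - 1, 2 ** 89 - 1          # toy Mersenne primes; real RSA uses 2048+ bits
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: stays with the attacker
ATTACKER_PUBLIC = (N, E)                 # the only key material compiled into the binary


def sound_encrypt(plaintext: bytes, pub: Tuple[int, int]) -> Tuple[int, bytes]:
    n, e = pub
    file_key = secrets.token_bytes(16)                          # fresh per victim, RAM only
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)        # goes into the ransom note
    nonce = secrets.token_bytes(16)
    return wrapped, nonce + keystream_xor(file_key, nonce, plaintext)


def sound_decrypt(wrapped: int, blob: bytes, priv: Tuple[int, int]) -> bytes:
    n, d = priv
    file_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(file_key, blob[:16], blob[16:])


# Image of a sound sample: it carries only the public half, so the scan finds nothing usable.
FAKE_SOUND_BINARY = b"MZ" + b"\x00" * 120 + N.to_bytes(19, "big") + E.to_bytes(3, "big") + b"\x00" * 64


if __name__ == "__main__":
    doc = b"%PDF-1.7\nconstructed sample document"
    locked = flawed_encrypt(doc)
    print("flawed strain, key pulled from image:", recover_key(FAKE_BINARY, locked, b"%PDF") == EMBEDDED_KEY)
    wrapped, locked2 = sound_encrypt(doc, ATTACKER_PUBLIC)
    print("sound strain, key found in image:", recover_key(FAKE_SOUND_BINARY, locked2, b"%PDF"))
```

The known-plaintext check is what makes the entropy scan usable: windows that merely overlap the key also score as random, and only trial decryption against a recognisable header tells the true key apart from its neighbours. In the sound design there is nothing to find, which is why a real decryptor can exist only when the authors make the mistake this campaign made.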

Who is being targeted

The campaign is aimed at small and mid-sized businesses rather than consumers, and it reaches across regions. Researchers observed targets in the United States, Europe, Asia and the Middle East, spanning a broad set of sectors including technology, finance, legal services, agrifood, pharmaceuticals and media. That spread suggests opportunistic distribution rather than a narrow, hand-picked victim list.

Small businesses are an attractive mark for a reason. They often lack a dedicated security team, staff may be less rehearsed against impersonation, and the shock of an apparent Interpol notice can override normal caution. The attackers are betting on that gap. A well-informed team, by contrast, spots the scam at the first line: real police forces do not send investigation "evidence" as a password-protected archive from a consumer cloud drive.

What to do if you receive one of these emails

If a message like this lands in your inbox, treat it as hostile and do not engage with the payload:

  1. Do not download the archive and do not open any file inside it. The ransomware fires when the fake video is opened, so the safest move is to never reach that step.
  2. Do not reply and do not use any contact detail in the email. The Interpol branding is fake, and any "unit" named in the message is an invention.
  3. Isolate any machine that already downloaded or opened the file: unplug the network cable, disable Wi-Fi, and disconnect external drives to limit spread.
  4. Report it to your IT or security team and to your national cybercrime authority. If you need to verify a genuine law enforcement request, contact the agency through its official public channels, never through the email.

What to do if your files are already encrypted

If the payload already ran and your files are locked, the response mirrors the standard ransomware playbook, with one encouraging factor: this strain's flawed design makes free recovery realistic. Work through the steps calmly.

Start by isolating the machine and photographing the ransom note and the encrypted file extension. Then identify the strain precisely: our ID Ransomware identification guide walks through uploading a sample and the note to pin down exactly what hit you. Accurate identification is what lets a matching decryptor be found or built.

Next, check the official free tools. Because the key is embedded, a decryptor for this family is feasible, so consult the No More Ransom portal and the Bitdefender free tools page. Our pillar guide on how to decrypt ransomware without paying explains how to find, verify and safely test an official decryptor on a copy before running it widely. If no tool is available yet for your exact sample, keep the encrypted files on a clean external drive and check back, because tools for flawed strains often appear.

If you have a clean, disconnected backup from before the attack, restoring from it is the fastest reliable path. Whatever route you take, do not pay the ransom: payment funds the operation, marks you as a soft target, and is unnecessary when the encryption itself is reversible. For the full step-by-step response and recovery options, see our guides on what to do when your files are encrypted by ransomware and how to recover files after ransomware.

How small businesses can harden against this

This campaign succeeds through people, not through technical brilliance, so the strongest defenses are organizational. Train staff to distrust any unsolicited message that claims to be law enforcement and asks them to download a password-protected file, and make it normal to pause and verify rather than react to urgency. Block risky attachment types and password-protected archives at the email gateway where possible, since those are the exact evasion this campaign relies on.

Keep offline or immutable backups so that even a successful encryption is a nuisance rather than a crisis, and test that you can actually restore from them. Finally, establish a simple rule that any genuine contact from a police agency is verified through official national channels, not through a link, an attachment, or a phone number supplied in an unexpected email. Those habits neutralize the fear that this fake Interpol campaign is built to exploit.


Frequently asked questions

Is the fake Interpol email actually from Interpol?

No. Interpol does not open investigations by emailing companies a password-protected archive hosted on Proton Drive. The organization coordinates with national police forces through official National Central Bureaus, never by asking a business to download and unzip a file to 'assist an urgent response.' Any email claiming to be from an 'Interpol Cybercrime Investigation Unit' with an attachment and a password is a scam.

Why does it matter that this ransomware is poorly built?

Because, according to Bitdefender, researchers found that the decryption function and the key it needs are embedded directly inside the malware. In principle, that means the encryption can be reversed without ever contacting or paying the attackers, and a security vendor such as Bitdefender can build a free decryptor from that flaw. It is the opposite of a correctly implemented strain, where the private key stays on the attacker's server and recovery without it is computationally infeasible.

Should I open the attachment to check what it is?

No. Never open the archive or the file disguised as a video inside it. The ransomware is triggered when the victim tries to play the fake video. If you have already received the email, do not download anything, isolate any machine that touched it, and report the message to your IT team or national cybercrime authority.

My files are already encrypted. What should I do now?

Isolate the affected machine from the network, photograph the ransom note, identify the strain with ID Ransomware, and check the No More Ransom portal for a free decryptor before doing anything else. Because the key is embedded in this malware, a public decryptor is technically feasible. Restore from a clean backup if you have one, and do not pay.

Is this the work of a major ransomware gang?

Researchers assess this campaign is more likely the work of a low-sophistication individual or small group than an established ransomware operation. The reused Proton Drive delivery, the nested archives, the fake video wrapper, and above all the embedded decryption key point to weak tradecraft. The main weapon is fear, the intimidation of a fake law enforcement notice, rather than technical strength.

How can a small business avoid this attack?

Treat any unsolicited 'law enforcement' email with an attachment and a supplied password as hostile. Block risky archive and executable attachments at the gateway, keep offline or immutable backups, and verify any genuine law enforcement contact through official national channels, never through a link in the email. Staff awareness is the single most effective control here.