A new ransomware campaign is impersonating Interpol to pressure small businesses into infecting themselves. According to security researchers at Bitdefender, with reporting echoed by outlets such as SC Media, Infosecurity and Hackread, the emails pose as an official "Interpol Cybercrime Investigation Unit" and claim an urgent response is needed to assist an investigation into compliance or security problems. The lure is authority and fear. The reality is a clumsy attempt to trick the recipient into running malware.
There is an unusual twist that changes the whole response. The people behind this campaign built their ransomware so badly that the tool needed to reverse the encryption, and the key it uses, are carried inside the malware itself. That single mistake means recovery without paying is on the table.
What the fake Interpol ransomware campaign looks like
The message arrives as an email dressed up as an official notice. It uses the Interpol name and the invented label of a "Cybercrime Investigation Unit," and it insists on urgency: the recipient's cooperation is supposedly required for a live investigation into a compliance or security matter. That framing is designed to short-circuit judgment. A frightened employee who believes an international police body is watching is more likely to click first and think later.
The email does not carry the payload directly. Instead it points to a Proton Drive link where a password-protected archive is hosted, and it helpfully provides the password in the body of the message. Password-protected archives are a common evasion trick: a gateway or endpoint scanner that does not know the password sees only encrypted entries, so the malicious file slips past filters that would otherwise flag it. Putting the password in the body is what lets the victim open the archive, and it is also the detail a well-configured gateway can use to open and inspect it.
How the infection chain works
Once the victim downloads the archive and enters the supplied password, they do not find a document. They find more archives nested inside. Layer after layer, the packaging keeps the real payload buried, which further frustrates automated scanning and makes the object look like a harmless bundle of files.
At the bottom of the nesting sits the ransomware, disguised as a video file. The social engineering is consistent to the end: a recipient who was told this concerns an investigation expects to review evidence, so a "video" feels plausible. When the victim tries to play that video, the executable runs. Instead of footage, it begins encrypting files across the available drives and drops a ransom note demanding payment.
The chain is deliberately layered but not sophisticated. Each step (the fake authority, the off-platform file host, the supplied password, the nested archives, the video disguise) is a known trick. What makes the campaign notable is not its cleverness but its target selection and a self-defeating implementation error.
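The chain just described (password in the message body, archives nested inside archives, an executable named as a video) can be unpicked by a gateway or sandbox that harvests the password the email gives away, which is the technical counterpart of the gateway-blocking advice in the hardening section below. The following Python is an example added for this page; it is not code from Bitdefender or from any of the cited reports. It includes a minimal ZipCrypto writer purely so a password-protected test archive can be built offline, and every archive name, the password and the email text are stand-ins invented here, not indicators from the real campaign.

```python
import io
import re
import struct
import zipfile
import zlib

# Minimal ZipCrypto (traditional PKWARE) writer, assumed here only so the scanner has a
# password-protected archive to inspect offline; the real lure comes from an ordinary archiver.
def _crc32_step(crc, byte):
    # One raw (unconditioned) CRC-32 table step, as used by ZipCrypto's key schedule.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class _ZipCrypto:
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)
    def _update(self, b):
        k = self.k
        k[0] = _crc32_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_step(k[2], k[1] >> 24)
    def encrypt(self, data):
        out = bytearray()
        for c in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)

def build_zip(entries, password=None):
    """Stored zip from {name: bytes}; with a password, entries are ZipCrypto-encrypted (flag bit 0 set)."""
    flags = 1 if password else 0
    local, central, offset = bytearray(), bytearray(), 0
    for name, data in entries.items():
        crc, nm, payload = zlib.crc32(data), name.encode(), data
        if password:
            # 12-byte encryption header whose last byte must decrypt to the CRC's top byte
            payload = _ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
        lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                         crc, len(payload), len(data), len(nm), 0)
        local += lh + nm + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(payload), len(data), len(nm), 0, 0, 0, 0, 0, offset) + nm
        offset += len(lh) + len(nm) + len(payload)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return bytes(local + central + eocd)

MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"PK\x03\x04": "zip"}
MEDIA_EXT = (".mp4", ".avi", ".mov", ".mkv", ".pdf", ".jpg", ".png")

def password_from_body(body):
    """The lure hands over the archive password in the text; harvest it for the scanner."""
    m = re.search(r"password\s*(?:is|:)\s*[\"']?([^\s\"']+)", body, re.I)
    return m.group(1).encode() if m else None

def inspect_archive(blob, password=None, depth=0, max_depth=5, findings=None, path=""):
    """Recursively unpack nested zips; flag encryption, nesting, and executables named as media."""
    findings = [] if findings is None else findings
    if depth > max_depth:  # refuse to descend forever (zip-bomb style nesting)
        findings.append(("nesting-limit", path))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        findings.append(("bad-zip", path))
        return findings
    for info in zf.infolist():
        name = f"{path}/{info.filename}" if path else info.filename
        if info.flag_bits & 0x1:
            findings.append(("encrypted-entry", name))
            if password is None:
                continue  # nothing more can be seen without the password
        try:
            data = zf.read(info.filename, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):  # wrong password
            findings.append(("bad-password", name))
            continue
        kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
        if kind == "zip":
            findings.append(("nested-archive", name))
            inspect_archive(data, password, depth + 1, max_depth, findings, name)
        elif kind in ("exe", "elf") and name.lower().endswith(MEDIA_EXT):
            findings.append(("executable-disguised-as-media", name))
    return findings

def scan_email(body, attachment):
    return inspect_archive(attachment, password=password_from_body(body))
# Constructed sample mirroring the described chain; names, password and text are invented.
EMAIL_BODY = ("INTERPOL Cybercrime Investigation Unit: your cooperation is required.\n"
              "Open the evidence pack with the password: Evidence-Pack\n")
def build_campaign_sample(password=b"Evidence-Pack"):
    fake_exe = b"MZ" + bytes(62) + b"stand-in for the ransomware binary"
    inner = build_zip({"evidence_clip.mp4": fake_exe})  # executable wearing a video name
    middle = build_zip({"case_files.zip": inner})       # one more nesting layer
    return build_zip({"INTERPOL_case.zip": middle}, password=password)
```

Calling `scan_email(EMAIL_BODY, build_campaign_sample())` reports the encrypted outer layer, both nesting layers and the MZ header hiding behind the .mp4 name; calling `inspect_archive` on the same sample without a password can only report that the outer entry is encrypted, which is exactly the blind spot the campaign relies on. A production gateway would add size and entry-count limits before recursing, and would treat an `encrypted-entry` finding with no recoverable password as grounds to quarantine the message rather than deliver it.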
The critical flaw: the decryption key ships inside the malware
Here is the detail that matters most for any victim. According to the researchers who analyzed the samples, this ransomware carries both its decryption function and the required key inside the malware itself. In a correctly built strain, files are encrypted under keys that are themselves wrapped with the attacker's public key, and the matching private key never touches the victim's machine; nothing left on the infected system can undo the encryption, which is exactly why paying can feel like the only option. This campaign does the opposite.
Because the decryption logic and key are present locally, it is technically possible to recover the encrypted files without negotiating with or paying the attackers. This is a major defect in the attackers' design. It also means that security vendors such as Bitdefender are well positioned to publish a free decryptor built from that embedded material, and that antivirus and law enforcement partners can add it to the public catalog of free tools.
To be clear about the limits: extracting an embedded key safely is work for malware analysts, not something to improvise from a blog post. Do not attempt to pull apart the sample yourself. The practical takeaway is simpler and just as important: do not pay. The cipher may well be a standard one, but the material needed to reverse it sits inside the sample, so this is not the unrecoverable encryption that a correctly implemented ransomware relies on.
Who is being targeted
The campaign is aimed at small and mid-sized businesses rather than consumers, and it reaches across regions. Researchers observed targets in the United States, Europe, Asia and the Middle East, spanning a broad set of sectors including technology, finance, legal services, agrifood, pharmaceuticals and media. That spread suggests opportunistic distribution rather than a narrow, hand-picked victim list.
Small businesses are an attractive mark for a reason. They often lack a dedicated security team, staff may be less rehearsed against impersonation, and the shock of an apparent Interpol notice can override normal caution. The attackers are betting on that gap. A well-informed team, by contrast, spots the scam at the first line: real police forces do not send investigation "evidence" as a password-protected archive from a consumer cloud drive.
What to do if you receive one of these emails
If a message like this lands in your inbox, treat it as hostile and do not engage with the payload:
- Do not download the archive and do not open any file inside it. The ransomware fires when the fake video is opened, so the safest move is to never reach that step.
- Do not reply and do not use any contact detail in the email. The Interpol branding is fake, and any "unit" named in the message is an invention.
- Isolate any machine that already downloaded or opened the file: unplug the network cable, disable Wi-Fi, and disconnect external drives to limit spread.
- Report it to your IT or security team and to your national cybercrime authority. If you need to verify a genuine law enforcement request, contact the agency through its official public channels, never through the email.
What to do if your files are already encrypted
If the payload already ran and your files are locked, the response mirrors the standard ransomware playbook, with one encouraging factor: this strain's flawed design makes free recovery realistic. Work through the steps calmly.
Start by isolating the machine and photographing the ransom note and the encrypted file extension. Then identify the strain precisely: our ID Ransomware identification guide walks through uploading a sample and the note to pin down exactly what hit you. Accurate identification is what lets a matching decryptor be found or built.
Next, check the official free tools. Because the key is embedded, a decryptor for this family is feasible, so consult the No More Ransom portal and the Bitdefender free tools page. Our pillar guide on how to decrypt ransomware without paying explains how to find, verify and safely test an official decryptor on a copy before running it widely. If no tool is available yet for your exact sample, keep the encrypted files on a clean external drive and check back, because tools for flawed strains often appear.
If you have a clean, disconnected backup from before the attack, restoring from it is the fastest reliable path. Whatever route you take, do not pay the ransom: payment funds the operation, marks you as a soft target, and is unnecessary when the encryption itself is reversible. For the full step-by-step response and recovery options, see our guides on what to do when your files are encrypted by ransomware and how to recover files after ransomware.
How small businesses can harden against this
This campaign succeeds through people, not through technical brilliance, so the strongest defenses are organizational. Train staff to distrust any unsolicited message that claims to be law enforcement and asks them to download a password-protected file, and make it normal to pause and verify rather than react to urgency. Block risky attachment types and password-protected archives at the email gateway where possible, since those are the exact evasion this campaign relies on.
Keep offline or immutable backups so that even a successful encryption is a nuisance rather than a crisis, and test that you can actually restore from them. Finally, establish a simple rule that any genuine contact from a police agency is verified through official national channels, not through a link, an attachment, or a phone number supplied in an unexpected email. Those habits neutralize the fear that this fake Interpol campaign is built to exploit.
Related guides
- Decrypt ransomware without paying: complete 2026 guide
- Files encrypted by ransomware: what to do right now
- Recover files after ransomware