Fake Interpol Arrest Notices Are Delivering Ransomware to Small Businesses
Criminals are impersonating the international police agency to frighten small business owners into downloading malware. The tactic is simple. It's working.

Key points
- Criminals are sending fake Interpol — the international police organisation — emails to small businesses in the US, Europe, Asia, and the Middle East to trick staff into downloading ransomware.
- Targeted sectors include pharmaceuticals, food and agriculture, technology, media, and legal services.
- Security firm Bitdefender confirmed the ransomware payload is basic but effective, with a hardcoded encryption password built into the code.
- CrowdStrike survey data shows 29% of businesses with fewer than 25 employees were hit by ransomware attacks.
- Sophos reported in its annual threat report that ransomware accounted for 70% of cyber incidents it investigated at small businesses.
A fake email arrives. It looks official. It carries the Interpol logo, uses formal language, and tells the recipient that their business is under investigation for criminal activity. Investigators, it claims, have video evidence.
That is the opening move in a ransomware campaign — an attack where criminals lock a company's files using encryption and demand payment for the key — first reported this week by Bitdefender, a cybersecurity company. The campaign has hit businesses across multiple sectors on four continents.
The email is phishing, meaning a fake message crafted to trick the reader into doing something harmful. This one instructs the recipient to download a password-protected archive file — essentially a locked digital folder — from Proton Drive, a legitimate file-storage service. The archive is presented as evidence the recipient must review.
Opening it releases ransomware disguised as a video file. The malware encrypts files on the victim's computer and instructs them to contact the attackers through Tox, a peer-to-peer — meaning direct, without a central server — messaging app, to arrange payment.
There is no fixed ransom amount. Victims only learn the price once they make contact. Bitdefender analyst Alina Bizga told Dark Reading that this approach lets criminals tailor the demand to what each victim appears able to pay — a growing tactic across the ransomware world.
Why are small businesses the target here?
Small businesses are the target because criminals have correctly identified them as under-defended. Many have no dedicated IT staff, no formal plan for responding to a security incident, and limited budgets for security tools. CrowdStrike survey data found that two-thirds of small business leaders said budget constraints stopped them from making any security upgrades at all.
Bizga puts it plainly: many small business owners assume they are too small to attract criminals. This campaign proves otherwise.
The Interpol disguise exploits something real — regulatory notices and compliance demands are increasingly common across many industries, so an unexpected official-looking investigation can feel plausible. The email is engineered to produce panic, not scrutiny.
Bitdefender's technical analysis found the malware is not sophisticated. The encryption password is hardcoded — literally written into the program itself — and the code lacks features common in larger criminal ransomware operations. Simple construction, significant damage.
For employees at any small business: if an unexpected email claims to be from a government agency or police force and asks you to download a file, do not open the file. Verify the contact through the organisation's official public website. Real investigators do not serve evidence via cloud-storage links.
Bitdefender also notes that 55% of organisations admit to not reporting security breaches even when they know they should — which means the true scale of attacks like this one is almost certainly larger than the numbers suggest.



