Interpol Warns of Custom Ransomware Emails with Built-in Decryption Key
A threat campaign targeting small enterprises has been identified that uses emails purporting to originate from the “Interpol Cybercrime Investigation Unit” to deploy a custom ransomware module.
Overview of the Threat Campaign
Security researchers at Bitdefender disclosed that the malware contains a critical vulnerability allowing file recovery without ransom payment. The attack vector begins with messages impersonating Interpol, alleging an urgent need for an “emergency response” to address alleged compliance and security violations within the recipient’s organization.
Malware Vulnerability and Attack Vector
These emails direct victims to a Proton Drive link containing a password-protected archive. The password is embedded within the email itself, enabling access to nested archives that ultimately hold the ransomware payload disguised as a video file. Upon execution, the malware encrypts files across connected drives and generates a ransom note.
Technical Design and Decryption Key
Researchers also noted the absence of any data exfiltration mechanism: the ransomware is focused solely on encryption. Its decryption key is hardcoded in the codebase, so recovery does not depend on any action by the attacker. Bitdefender Senior Security Researcher Viorel Vrabie confirmed the flaw, emphasizing that the technical design allows files to be recovered without negotiation.
“The campaign leverages psychological manipulation rather than advanced technical capabilities,” said Viorel Vrabie. “The ransom note instructs victims to contact attackers via Tox chat, falsely claiming that malware scans would hinder recovery. Despite this, the embedded decryption key enables restoration of files without payment.”
Development and Trends
Vrabie suggested the malware was likely developed using publicly available code resources, though no evidence of AI-assisted development was found. Bitdefender highlighted the growing trend of low-sophistication threat actors exploiting social engineering to execute disruptive attacks. The report noted that even basic malware can pose significant risks when paired with convincing deception tactics.
Global Impact and Recommendations
The campaign has affected organizations across multiple regions, including the U.S., Europe, Asia, and the Middle East, spanning industries such as technology, finance, and healthcare. Security recommendations include employee training to identify urgency-based phishing tactics, verification of unsolicited communications, and heightened scrutiny of password-protected files.
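As an added, defender-side illustration that is not part of Bitdefender's report or this article, the following Python scores an inbound message against the lure traits described above: law-enforcement impersonation, urgency language, a Proton Drive link, an archive password stated in the email body, and a file that looks like a video but carries an executable extension. The sample message and the regexes are assumptions modelled on that description, not signatures taken from the report.

```python
import re

# Constructed sample lure modelled on the campaign described in the article.
# The address, link and password are placeholders, not real indicators.
SAMPLE_EMAIL = """From: Interpol Cybercrime Investigation Unit <alerts@example.invalid>
Subject: URGENT: Emergency response required - compliance violation

Your organization has been flagged for security and compliance violations.
Download the evidence package immediately: https://drive.proton.me/urls/EXAMPLE
Archive password: Interpol2024
The file evidence_video.mp4.exe must be reviewed within 24 hours.
"""

# Each indicator is a (name, regex) pair derived from the lure traits above.
INDICATORS = [
    ("claims_law_enforcement", re.compile(r"\binterpol\b", re.I)),
    ("urgency_language",
     re.compile(r"\b(urgent|emergency|immediately|within \d+ hours)\b", re.I)),
    ("proton_drive_link", re.compile(r"https?://drive\.proton\.me/\S+", re.I)),
    # password for a protected archive handed over in the same message
    ("archive_password_in_body",
     re.compile(r"\b(archive|zip|rar|7z)?\s*password\s*[:=]\s*\S+", re.I)),
    # media-looking name with a trailing executable extension
    ("double_extension_media",
     re.compile(r"\b\S+\.(mp4|avi|mkv|mov)\.(exe|scr|bat|cmd|js|vbs)\b", re.I)),
]


def score_message(text: str) -> dict:
    """Return the names of matched indicators and a count-based score."""
    hits = [name for name, pattern in INDICATORS if pattern.search(text)]
    return {"hits": hits, "score": len(hits)}


def should_quarantine(text: str, threshold: int = 3) -> bool:
    """Hold a message for review when several lure traits co-occur."""
    return score_message(text)["score"] >= threshold


if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL))
```

A single trait (a Proton Drive link, say) is common in legitimate mail; the threshold is what keeps this from flagging ordinary correspondence.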
Historical Context and Mitigation Strategies
The findings align with previous incidents where ransomware developers’ errors rendered decryption impossible, such as the VECT RaaS group’s faulty encryption process and Nitrogen’s VMware ESXi variant that corrupted public keys. Organizations are advised to maintain robust data backups and implement strict access controls to mitigate risks associated with evolving ransomware strategies.
