A ransomware campaign targeting small and medium-sized businesses (SMBs) is leveraging a familiar but effective social engineering technique: impersonating Interpol, the international law enforcement organization, to coerce victims into paying extortion demands. The campaign relies on basic psychological manipulation — the fear of legal consequences from a recognized authority — rather than sophisticated technical exploitation.
How the Campaign Works
Threat researchers tracking the operation describe an attack chain that combines ransomware deployment with a calculated intimidation strategy:
-
Initial access: Attackers gain entry through common vectors including phishing emails, brute-forced RDP credentials, and exploitation of unpatched public-facing systems.
-
Encryption and exfiltration: Files are encrypted and a subset of sensitive data is exfiltrated to attacker-controlled infrastructure.
-
Ransom note: Victims receive a ransom note styled to appear as an official Interpol notice, complete with Interpol branding, case reference numbers, and legal-sounding language.
-
Pressure tactics: The note claims the victim's systems have been involved in illegal activity (often cybercrime or fraud) and warns that failure to cooperate — by paying the ransom — will result in law enforcement action, prosecution, or public exposure.
-
Payment demand: Victims are directed to a Tor-based payment portal to pay in cryptocurrency, framed as a "settlement" or "cooperation payment."
Why This Works Against Small Businesses
Unlike large enterprises with dedicated legal and security teams, small businesses often lack the resources to quickly verify whether a communication from an authority like Interpol is legitimate. The campaign exploits several vulnerabilities common in SMB environments:
- Limited security awareness training — employees and owners may not recognize law enforcement impersonation as a known threat tactic
- Fear of legal exposure — the suggestion that their systems were used for illegal activity creates urgency and discourages reaching out to actual law enforcement
- No incident response plan — many SMBs have no established process for handling ransomware, making the attacker's "resolution path" appear as the only option
- Reputational concern — fear of the business's name being associated with a criminal investigation motivates payment over disclosure
Geographic Scope
The campaign has been observed across multiple regions:
- United States — targeting retail, professional services, and healthcare SMBs
- Europe — UK, Germany, and Eastern European SMBs targeted
- Middle East — logistics and trading firms have been hit
- Other regions — opportunistic targeting in South and Southeast Asia
The multi-regional footprint suggests either a well-resourced single actor or a ransomware-as-a-service (RaaS) model with multiple affiliates operating in different geographies.
Interpol's Response
Interpol does not contact private individuals or businesses directly about ongoing investigations — and it does not demand payments of any kind. The organization has previously issued public warnings about ransomware groups impersonating law enforcement, including impersonation of Europol, the FBI, and national police agencies.
If your organization receives communications claiming to be from Interpol demanding payment, it is fraudulent. The appropriate response is to:
- Do not pay
- Preserve evidence (screenshots, email headers, ransom notes)
- Contact your national cybercrime reporting body (IC3 in the US, Action Fraud in the UK)
- Engage a qualified incident response provider
Defensive Measures for Small Businesses
Backup and recovery
- Maintain offline, immutable backups tested regularly for restore capability
- Follow the 3-2-1 rule: three copies, two media types, one offsite
Access hardening
- Disable RDP or place it behind a VPN with MFA
- Enforce strong, unique passwords and MFA on all remote access
- Patch operating systems and software promptly
Staff education
- Train employees to recognize law enforcement impersonation as a known social engineering vector
- Establish a process for verifying any communications claiming to be from police or regulators before taking action
Incident response planning
- Document who to call and what to do in the first 24 hours of a ransomware incident
- Know your cyber insurance policy's reporting requirements and incident response contacts
Broader Context
Law enforcement impersonation has long been a tool in the social engineering playbook — from fake police virus screens in the 2010s to IRS phone scams targeting tax filers. Ransomware actors have adapted this template because it works: the fear of authority triggers compliance even when victims suspect something is wrong.
The Interpol branding is particularly effective because Interpol is internationally recognized but not a body most people have direct experience with, making it harder to quickly verify or refute the impersonation. Combined with the genuine distress of a ransomware attack, the tactic creates pressure that bypasses rational decision-making.
Small businesses remain a high-value, low-resistance target for ransomware actors. Investing in basic security hygiene — patching, MFA, backups, and training — remains the most cost-effective defence against campaigns like this one.