Cybercriminals are posing as international law enforcement agencies in a phishing campaign designed to deliver ransomware attacks.
As detailed by Bitdefender Antispam Lab in a blog post published on July 1, the phishing attacks target small businesses across Europe, Asia, the Middle East and North America with emails which claim to come from the ‘Cybercrime Investigation Unit’ at Interpol.
The fake Interpol email claims that businesses which received it have potentially been involved with or subject to suspicious or fraudulent activity and that the victims should urgently open a file which purports to contain evidence to be reviewed.
By posing as Interpol and indicating potential involvement in a crime, the attackers are attempting to socially engineer the victim into immediately reacting without considering if the message could be fake.
The file is stored on Proton Drive and reached through a link embedded in the email; it is protected by a password that is also supplied in the same phishing email. Once the file is opened, the user is presented with an executable disguised as a video file, and running it compromises the system with ransomware.
The ransom note does not provide a ransom demand but rather instructs the victim to contact them through Tox, a peer-to-peer private messaging service.
“This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact,” wrote Alina Bizga, security analyst at Bitdefender.
“The final ransom may depend on the size of the organization, the perceived value of its data and its ability to pay,” she added.
Organizations which have been targeted include those in food and agriculture, legal services, pharmaceuticals, media, technology and finance.
Researchers noted that the ransomware implant, which doesn’t even appear to have a name, is relatively simple and lacks many of the more sophisticated functions associated with major ransomware operations.
"The malware does not appear to belong to any known ransomware family. Researchers found that it uses a relatively simple implementation, including hardcoded values embedded directly in the code, rather than the more sophisticated key management and infrastructure typically seen in established ransomware operations," Bizga told Infosecurity.
"These characteristics suggest the payload was custom-built for the campaign rather than developed by a well-known ransomware group," she added.
To help avoid falling victim to this ransomware campaign or to others using similar tactics, Bitdefender has suggested that individuals, especially at small businesses, verify all unsolicited correspondence before acting on it, including by contacting the purported sender through official channels where needed.
And as Bizga noted, it is highly unlikely that a law enforcement agency would reach out about an urgent alert via email.
“One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don't send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing,” she said.
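As an added, hypothetical triage heuristic (not Bitdefender's detection logic and not part of the original article), the following Python scores an inbound email on the traits this campaign combined: a claimed law-enforcement sender, a Proton Drive link, a password handed over in the same message, urgency wording, and a download name that hides an executable behind a video extension. The share-link domain pattern and the sample email are constructed assumptions.

```python
import re

# Hypothetical mail-triage heuristic written for this article; it mirrors the
# red flags described above rather than any vendor's detection rules.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "pif"}
MEDIA_EXTS = {"mp4", "avi", "mov", "mkv", "wmv", "mp3"}


def is_disguised_executable(name: str) -> bool:
    """True for names like 'evidence.mp4.exe': a media extension immediately
    followed by an executable one (the double-extension lure)."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in MEDIA_EXTS and parts[2] in EXEC_EXTS


def triage_email(sender: str, subject: str, body: str, filenames=()) -> dict:
    """Return the red flags found and a verdict; thresholds are arbitrary."""
    text = f"{sender}\n{subject}\n{body}".lower()
    flags = []
    if re.search(r"interpol|europol|cybercrime investigation unit|law enforcement", text):
        flags.append("claims_law_enforcement")
    # Assumed share-link shape; adjust to the link formats seen in your mail.
    if re.search(r"https?://drive\.proton\.me/\S+", body, re.I):
        flags.append("proton_drive_link")
    if re.search(r"password\s*[:=]\s*\S+", body, re.I):
        flags.append("password_in_body")
    if re.search(r"urgent|immediately|within 24 hours", text):
        flags.append("urgency")
    if any(is_disguised_executable(n) for n in filenames):
        flags.append("disguised_executable")
    score = len(flags)
    verdict = "quarantine" if score >= 3 else "review" if score == 2 else "pass"
    return {"flags": flags, "score": score, "verdict": verdict}


# Constructed sample modelled on the lure described in the article.
SAMPLE = dict(
    sender="Cybercrime Investigation Unit <noreply@example-interpol.test>",
    subject="URGENT: evidence of fraudulent activity involving your company",
    body=("Your organization has been identified in a fraud investigation. "
          "Review the evidence immediately: https://drive.proton.me/urls/EXAMPLE\n"
          "Password: Ev1dence2025"),
    filenames=["evidence_video.mp4.exe"],
)

if __name__ == "__main__":
    print(triage_email(**SAMPLE))
```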
