Bitdefender’s Antispam Lab has flagged a ransomware campaign aimed squarely at small businesses. The emails impersonate Interpol. They claim investigators hold evidence of company wrongdoing. The attached “evidence” is malware. The campaign is worth an underwriter’s attention for one reason. The ransomware is basic. The social engineering carrying it is not.
How the Scam Works
The email arrives with an urgent tone from a fake Interpol cybercrime unit. It says investigators have obtained video material related to the recipient’s organization. It urges the recipient to review the evidence quickly.
The fear does the work. Few business owners stay calm when told their company is under investigation. To view the alleged evidence, the recipient opens a Proton Drive link to a password-protected archive. The password sits right there in the email.
Inside, a file poses as a video. It is an executable. Bitdefender researchers Viorel Vrabie and Andrei Mogage found a ransomware payload buried under multiple archive layers. Once run, it encrypts files and demands contact through a Tox chat channel.
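The two delivery tricks described above, a video-looking filename and an executable buried under several archive layers, are both visible to a defender who inspects archive members by content rather than by name. The following is an added illustration written for this article, not code from Bitdefender or from the campaign: it builds a constructed two-layer zip (the sample names, the "MZ" prefix used as the Windows executable marker and the video extension list are all assumptions made for the example) and walks the nesting, flagging any member that starts with an executable header, regardless of what it is called. Password-protected ZipCrypto archives can be opened by passing the password the email supplied; AES-encrypted members, which Python's zipfile cannot decrypt, are reported as unreadable so they are not silently skipped.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Constructed sample values for this example; not the campaign's archive.
MZ_HEADER = b"MZ\x90\x00\x03\x00"   # DOS/PE header that begins a Windows executable
ZIP_MAGIC = b"PK\x03\x04"           # local file header that begins a zip archive
VIDEO_EXTENSIONS = (".mp4", ".avi", ".mov", ".mkv", ".wmv")  # illustrative list


def build_sample_archive() -> bytes:
    """Build outer.zip -> INTERPOL_evidence.zip -> evidence.mp4.exe (constructed sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("evidence.mp4.exe", MZ_HEADER + b"\x00" * 58)
        z.writestr("readme.txt", b"open the video to review the material")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("INTERPOL_evidence.zip", inner.getvalue())
    return outer.getvalue()


def named_like_video(filename: str) -> bool:
    """True if a video extension appears anywhere in the name (catches 'clip.mp4.exe')."""
    lower = filename.lower()
    return any(ext in lower for ext in VIDEO_EXTENSIONS)


def scan_archive(data: bytes, pwd: Optional[bytes] = None, max_depth: int = 5,
                 _depth: int = 0, _path: str = "") -> List[Tuple[str, str]]:
    """Recursively open nested zips and classify members by their leading bytes.

    Returns (member path, verdict) pairs. Verdicts:
      executable-disguised-as-video - MZ header under a video-looking name
      executable                    - MZ header under any other name
      unreadable                    - wrong password, unsupported encryption or bad zip
      nesting-too-deep              - more layers than max_depth
    """
    if _depth > max_depth:
        return [(_path, "nesting-too-deep")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(_path, "unreadable")]

    findings: List[Tuple[str, str]] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = f"{_path}/{info.filename}" if _path else info.filename
            try:
                content = archive.read(info, pwd=pwd)
            except (RuntimeError, NotImplementedError):
                # RuntimeError: missing or wrong ZipCrypto password.
                # NotImplementedError: compression/encryption method zipfile cannot handle (e.g. AES).
                findings.append((name, "unreadable"))
                continue
            if content.startswith(ZIP_MAGIC):
                # Another archive layer: descend and prefix the member paths.
                findings.extend(scan_archive(content, pwd, max_depth, _depth + 1, name))
            elif content.startswith(b"MZ"):
                verdict = "executable-disguised-as-video" if named_like_video(info.filename) else "executable"
                findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    for member, verdict in scan_archive(build_sample_archive()):
        print(f"{verdict}: {member}")
```

Running the block prints one line for the disguised executable inside the inner archive; the text file is not reported because the check is on content, so a hidden extension on Windows changes nothing about the verdict.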
The Malware Is Cheap. That’s the Point.
The payload isn’t sophisticated. The code carries hardcoded values, including the encryption password. It lacks the features of large ransomware operations. There is no dark web negotiation portal, only a Tox ID.
Bitdefender’s read is that this is a custom job, not the work of an established gang. That matters more than it sounds. It means the barrier to running a disruptive ransomware attack has dropped. An operator no longer needs a criminal syndicate’s tooling. Convincing social engineering plus assembled code will do.
For the cyber insurance market, this expands the pool of viable attackers at the small end. The same dynamic showed up in Coalition’s small business study, where 79% of firms had already faced an attack while 64% still saw themselves as too small to target. The attackers are counting on exactly that gap in perception.
Why Small Businesses Keep Getting Picked
Small firms often run without a dedicated IT or security team. Responsibilities get spread across staff who already wear several hats. Budgets rarely stretch to advanced controls or ongoing training.
When an alarming email lands, there is often no process to verify it before someone clicks. Attackers design campaigns to exploit that exact absence. It’s the same set of unforced errors we cataloged in seven deadly SMB security sins, and the reason small business cyber coverage keeps drawing scrutiny at renewal.
The delivery method is itself the reddest of red flags. Real law enforcement does not email unsolicited Proton Drive links to password-protected files. Verification through official channels stops this campaign cold. The problem is that verification requires a habit most small firms never built.
The Claims-Side Detail Worth Noting
One feature of this campaign carries a quiet underwriting signal. The ransom note names no figure. Victims are told to make contact through Tox, and the demand comes later.
This negotiate-after-contact model has become standard. The final ransom flexes with the size of the organization and its perceived ability to pay. For insurers, that means loss amounts are set by negotiation, not by a fixed sticker price. A small firm’s demand may look modest next to an enterprise’s. The recovery cost, downtime, and business interruption often do not scale down to match.
What Brokers Should Tell Small Clients
This campaign is a reminder that ransomware no longer requires a sophisticated intrusion. It can start with a single fear-driven message. The controls that matter here are human and procedural, not just technical.
Brokers placing SMB coverage can point clients to a few basics. Verify unsolicited law enforcement contact through official channels. Treat password-protected archives with suspicion, especially when the password is supplied. Show file extensions on Windows to expose executables masquerading as videos. Keep secure, tested backups. Train staff to recognize fear and urgency as the tools they are.
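The verification habit described here can be backed by a simple mail-triage rule that scores exactly the combination this campaign relies on: a law-enforcement claim, a link to a file-sharing host, and a password handed over in the same message. The block below is an added example for this article, not code from Bitdefender or from any mail filter; the indicator lists, the two sample messages and the host names in them are constructed for the example and are not taken from the real campaign.

```python
import re
from typing import Dict, List

# Illustrative indicators (assumptions for this example, not a vendor ruleset).
LAW_ENFORCEMENT = re.compile(r"\b(?:interpol|europol|fbi|police|cybercrime unit|law enforcement)\b", re.I)
URL_HOST = re.compile(r"https?://([^\s/]+)", re.I)
SHARING_HOST_HINTS = ("proton", "dropbox", "wetransfer", "drive.google", "onedrive")
PASSWORD_SUPPLIED = re.compile(r"\b(?:password|passcode)\b\s*(?:is|:)\s*\S+", re.I)
URGENCY = re.compile(r"\b(?:immediately|urgent(?:ly)?|within \d+ hours|failure to respond)\b", re.I)

# Constructed sample messages; hosts and addresses are placeholders.
SUSPICIOUS = """From: Interpol Cybercrime Unit <unit@interpol-notice.example>
Subject: Urgent: evidence concerning your company

Our investigators have obtained video material related to your organisation.
Review the evidence immediately: https://drive.proton.example/s/PLACEHOLDER
The archive password is Ev1dence-2024.
"""

BENIGN = """From: Sam <sam@supplier.example>
Subject: March invoice

Hi, the March invoice is attached. Let me know if the totals look right.
https://billing.supplier.example/inv/1042
"""


def triage(message: str) -> Dict[str, object]:
    """Return the indicator flags found in a message and a verdict of low/medium/high.

    The verdict counts only the three indicators that together define the
    "law enforcement sends you a password-protected download" pattern;
    urgency is reported but does not raise the score on its own.
    """
    flags: List[str] = []
    if LAW_ENFORCEMENT.search(message):
        flags.append("law-enforcement-claim")
    hosts = [h.lower() for h in URL_HOST.findall(message)]
    if any(hint in host for host in hosts for hint in SHARING_HOST_HINTS):
        flags.append("file-sharing-link")
    if PASSWORD_SUPPLIED.search(message):
        flags.append("password-in-message")
    if URGENCY.search(message):
        flags.append("urgency")

    core = {"law-enforcement-claim", "file-sharing-link", "password-in-message"}
    hits = len(core.intersection(flags))
    verdict = "high" if hits == 3 else "medium" if hits == 2 else "low"
    return {"flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = triage(text)
        print(f"{label}: {result['verdict']} {result['flags']}")
```

A rule like this belongs in front of the human, not instead of one: a "high" verdict should route the message to whoever is responsible for calling the agency on a published number, which is the verification step the article says stops the campaign cold.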
None of that is new. All of it maps to the controls underwriters increasingly want to see before they write the risk. Bitdefender has been building the self-assessment tools that help firms gauge that exposure. This campaign is a plain argument for using them. The same social engineering playbook now powers AI-driven scams and deepfake executive fraud, and the human layer remains the one attackers trust to fail.
Bitdefender advises firms that opened the file to disconnect the device, run a full scan, alert their IT provider, change passwords from a clean machine, and report the incident. The prepare, defend, and insure sequence still holds. This campaign just lowers the bar for how little effort an attacker needs to test it.
FAQ – Small Business Ransomware
Bitdefender researchers believe it is a custom-built operation, not an established ransomware gang. The attackers use a Tox chat ID rather than a dark web negotiation portal.
The email links to a Proton Drive archive with the password included. Inside, an executable disguised as a video file delivers the ransomware once opened.
Many lack dedicated IT or security staff and have no process to verify suspicious emails. Attackers exploit that gap with fear and urgency rather than technical sophistication.
Disconnect the device from the network, run a full security scan, notify your IT provider, change passwords from a clean device, and report the incident.
It reinforces why underwriters scrutinize human and procedural controls. Cheap, custom ransomware paired with strong social engineering widens the pool of attackers targeting smaller firms.