Cyber security researchers have uncovered a hacking campaign targeting small businesses, in which the threat actor poses as an Interpol investigator to deliver a ransomware payload.
According to Bitdefender Security Analyst Alina Bizga, the unnamed threat actor is contacting its victims via email and warning them that Interpol has observed some kind of suspicious activity on their network.
“Recipients are told that investigators have obtained information and video material related to their organisation and are encouraged to review the evidence as soon as possible,” Bizga said in a July 1 blog post.
“The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.”
The email contains a Proton Drive link, and a password to open an archived file containing the “evidence”. However, the video file is fake and instead deploys what appears to be a relatively unsophisticated ransomware payload that encrypts files across multiple drives.
The ransom note left behind is relatively short.
"Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.
Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.
We are available only through Tox."
While most ransomware operators direct their victims to negotiate via either a leak site or a dedicated negotiation portal, this actor simply tells its victims to make contact via the Tox messenger. The ransom note also makes no mention of any specific ransom demand.
“This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact,” Bizga said.
“The final ransom may depend on the size of the organisation, the perceived value of its data, and its ability to pay.”
The threat actor is largely targeting small businesses across multiple sectors, including legal services, pharmaceuticals, and the media, with victims located across Europe, Asia, the Middle East, and the United States.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.