Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Virlock

73
Global rank
48 infographic chevron month
Month rank
47 infographic chevron week
Week rank
0
IOCs

Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.

Ransomware
Type
Unknown
Origin
1 December, 2014
First seen
11 October, 2025
Last seen

How to analyze Virlock with ANY.RUN

Type
Unknown
Origin
1 December, 2014
First seen
11 October, 2025
Last seen

IOCs

Hashes
b25b064bb44456f418ed45ef99a68f37a2f0e55160a7ee6089c51ffadf39461c
b7590288cf0134d64d9da3d562201ff83d2c95357b8d8186414d3a5893f71f75
c9d580d683f7ebd3d9397441d7e5f3dc4f926cd5d9d151c8fe0e1a5522bdbaa2
ca1ef668319711e6a05100cfa504ea56c40ddac562ce8c364d74bcee3aad9714
3ee71ee1f3caf106644b240a1b393720513f4188eeeb4ebffe8024af9c280670
fd8acfee8363c7ecfa2ba8d8ad89d0f023db29d9bf82d6d3c99703be2bf97029
ce2d534ccae6d582fbc1d6ee41ea8460d2256ec617a0f7dff1064754bd661f08
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 398
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 2181
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 5122
comments 0

What is Virlock ransomware?

Virlock is a unique form of ransomware that combines traditional file encryption with virus-like propagation methods. First identified in 2014, it not only encrypts files but also embeds its malicious code into them, allowing it to spread across systems via shared drives and removable media. Once executed, Virlock locks the victim's screen and displays a ransom note, often masquerading as a legal warning, demanding payment for file recovery and system access.

You can see an example of a ransom note displayed inside ANY.RUN’s sandbox:

Virlock note in ANY.RUN sandbox Ransom note displayed in ANY.RUN sandbox

While specific large-scale attacks attributed solely to Virlock are not extensively documented, its unique propagation method poses significant risks, especially in environments that rely heavily on file sharing and collaboration tools. In 2016, security researchers highlighted Virlock's capability to spread through cloud storage and collaboration applications, emphasizing the potential for rapid, widespread infection within organizations.

Virlock's ability to both encrypt files and convert them into infectious agents makes it particularly dangerous. Even if a ransom is paid, residual infected files can lead to reinfection.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Virlock ransomware technical details

Virlock employs polymorphic techniques to evade detection. It changes its code structure with each infection, making it difficult for traditional signature-based antivirus solutions to recognize and block it.

The primary technical functionalities of Virlock ransomware include:

  • Alters its code structure with each infection to evade signature-based detection.
  • Embeds itself into various file types, converting them into carriers of the malware.
  • Displays a full-screen ransom message, preventing user access to the system.
  • Encrypts user files, rendering them inaccessible without a decryption key.
  • Spreads through shared applications and cloud storage platforms.
  • Modifies system registry entries to ensure it runs upon system startup.
  • Employs methods to hinder analysis and detection by security tools.
  • Customizes ransom messages based on the victim's geographic location.
  • Registers itself as a service to maintain persistence on the infected system.
  • Disables task manager and explorer processes to prevent user intervention.

The Virlock ransomware employs several layers of encryption, including XOR and XOR-ROL (rotate left) algorithms, to obfuscate its code and hinder analysis.

After infecting files, Virlock appends an .exe extension and modifies system settings to hide file extensions, making it harder for users to identify infected files.

Besides, this ransomware drops multiple instances of itself in different locations and registers them as services or startup entries, ensuring it remains active even if some instances are removed.

Virlock ransomware execution process

To see how Virlock operates, let’s upload its sample into ANY.RUN’s sandbox.

When Virlock is executed on a non-infected machine, it initiates by deploying three instances of itself, each with a specific function:

  • Instance one: Responsible for infecting files.
  • Instance two: Locks the victim's screen.
  • Instance three: Establishes persistence by registering as a Windows service.

Process graph of Virlock in ANY.RUN sandbox Process graph generated by ANY.RUN sandbox

Virlock targets various file types, including documents and binary files. Upon locating these files, it encrypts their contents and appends its malicious code to the original file. This process transforms each infected file into a carrier capable of further spreading the ransomware. Any user who opens an infected file inadvertently activates the malware, enabling it to propagate within networks, particularly in cloud environments.

Suricata rule of Virlock in ANY.RUN sandbox Suricata rule triggered by Virlock ransomware inside ANY.RUN’s sandbox

To ensure its continued operation even after system reboots, Virlock modifies the Windows registry:

  • It adds entries to the Run registry keys under both HKCU (Current User) and HKLM (Local Machine), ensuring that its instances are executed automatically at startup.
  • The third instance registers itself as a Windows service, maintaining persistence and functionality even if terminated manually.

During its operation, the second instance disables critical system processes such as explorer.exe and taskmgr.exe, effectively locking the victim’s screen.

It also customizes the ransom message based on the victim's geolocation, demanding payment in Bitcoin to unlock the system. The ransom note often masquerades as an anti-piracy warning from law enforcement, threatening legal consequences to pressure victims into paying quickly.

Ransom note of Virlock in ANY.RUN sandbox Virlock ransom note requiring payment in Bitcoin

Virlock employs a variety of anti-debugging measures and heavily obfuscated code to hinder analysis and detection:

  • It uses XOR encryption for its payloads, complicating the efforts of traditional antivirus solutions to identify and neutralize the ransomware.
  • Dynamic code execution and frequent polymorphic changes make its detection challenging.

The ransom note leverages social engineering to manipulate victims, presenting itself as a warning from legal authorities. This tactic is designed to create urgency and confusion, leaving victims less likely to explore alternative options before complying with the ransom demands

Virlock ransomware distribution methods

  • Email attachments: Virlock is often delivered through phishing emails containing malicious attachments. When recipients open these attachments, the ransomware executes and infects the system.
  • Malicious URLs: Attackers use deceptive links in emails or on compromised websites. Clicking these links can initiate the download and execution of Virlock.
  • Infected executable files: Virlock embeds itself into executable files. Running these infected files can lead to system compromise.
  • Cloud storage and collaboration tools: Virlock can spread through shared applications and cloud storage platforms. Infected files uploaded to these services can propagate the ransomware to other users who download and open them.
  • Removable media: The ransomware can infect files on USB drives or other removable media. When these devices are connected to another system, the malware can spread.
  • Network shares: Virlock can propagate through network shares by infecting files accessible to multiple users, facilitating its spread within organizational networks.

Gathering Threat Intelligence on Virlock Ransomware

To collect up-to-date intelligence on Virlock ransomware, use Threat Intelligence Lookup.

This powerful service provides access to a vast database populated with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, you can search for specific data related to Virlock, including IPs, domains, file hashes, file names, and process artifacts.

Lookup search of Virlock in ANY.RUN sandbox Virlock Lookup Search in ANY.RUN

To gather intelligence on Virlock, you can search directly for its name or use related artifacts. For example, submitting a query like threatName:"Virlock" in Threat Intelligence Lookup will return a comprehensive list of associated samples and sandbox results, giving you actionable insights into the malware's behavior and indicators of compromise.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Virlock ransomware is a serious threat due to its ability to mutate, infect files, and evade detection, making it both difficult to detect and contain. Using tools like ANY.RUN is essential for proactively analyzing suspicious files and URLs to prevent potential attacks.

ANY.RUN offers real-time malware analysis with features like dynamic sandboxing, behavior tracking, and support for Windows and Linux. Its interactive platform simplifies threat detection and provides detailed insights to enhance cybersecurity defenses.

Sign up for a free ANY.RUN account today and start analyzing emerging threats with no limits!

HAVE A LOOK AT

NetSupport RAT screenshot
NetSupport RAT
netsupport
NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.
Read More
Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
Keylogger screenshot
Keylogger
keylogger
A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More