Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Virlock

82
Global rank
40 infographic chevron month
Month rank
51 infographic chevron week
Week rank
0
IOCs

Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.

Ransomware
Type
Unknown
Origin
1 December, 2014
First seen
14 December, 2024
Last seen

How to analyze Virlock with ANY.RUN

Type
Unknown
Origin
1 December, 2014
First seen
14 December, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 298
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1586
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1933
comments 0

What is Virlock ransomware?

Virlock is a unique form of ransomware that combines traditional file encryption with virus-like propagation methods. First identified in 2014, it not only encrypts files but also embeds its malicious code into them, allowing it to spread across systems via shared drives and removable media. Once executed, Virlock locks the victim's screen and displays a ransom note, often masquerading as a legal warning, demanding payment for file recovery and system access.

You can see an example of a ransom note displayed inside ANY.RUN’s sandbox:

Virlock note in ANY.RUN sandbox Ransom note displayed in ANY.RUN sandbox

While specific large-scale attacks attributed solely to Virlock are not extensively documented, its unique propagation method poses significant risks, especially in environments that rely heavily on file sharing and collaboration tools. In 2016, security researchers highlighted Virlock's capability to spread through cloud storage and collaboration applications, emphasizing the potential for rapid, widespread infection within organizations.

Virlock's ability to both encrypt files and convert them into infectious agents makes it particularly dangerous. Even if a ransom is paid, residual infected files can lead to reinfection.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Virlock ransomware technical details

Virlock employs polymorphic techniques to evade detection. It changes its code structure with each infection, making it difficult for traditional signature-based antivirus solutions to recognize and block it.

The primary technical functionalities of Virlock ransomware include:

  • Alters its code structure with each infection to evade signature-based detection.
  • Embeds itself into various file types, converting them into carriers of the malware.
  • Displays a full-screen ransom message, preventing user access to the system.
  • Encrypts user files, rendering them inaccessible without a decryption key.
  • Spreads through shared applications and cloud storage platforms.
  • Modifies system registry entries to ensure it runs upon system startup.
  • Employs methods to hinder analysis and detection by security tools.
  • Customizes ransom messages based on the victim's geographic location.
  • Registers itself as a service to maintain persistence on the infected system.
  • Disables task manager and explorer processes to prevent user intervention.

The Virlock ransomware employs several layers of encryption, including XOR and XOR-ROL (rotate left) algorithms, to obfuscate its code and hinder analysis.

After infecting files, Virlock appends an .exe extension and modifies system settings to hide file extensions, making it harder for users to identify infected files.

Besides, this ransomware drops multiple instances of itself in different locations and registers them as services or startup entries, ensuring it remains active even if some instances are removed.

Virlock ransomware execution process

To see how Virlock operates, let’s upload its sample into ANY.RUN’s sandbox.

When Virlock is executed on a non-infected machine, it initiates by deploying three instances of itself, each with a specific function:

  • Instance one: Responsible for infecting files.
  • Instance two: Locks the victim's screen.
  • Instance three: Establishes persistence by registering as a Windows service.

Process graph of Virlock in ANY.RUN sandbox Process graph generated by ANY.RUN sandbox

Virlock targets various file types, including documents and binary files. Upon locating these files, it encrypts their contents and appends its malicious code to the original file. This process transforms each infected file into a carrier capable of further spreading the ransomware. Any user who opens an infected file inadvertently activates the malware, enabling it to propagate within networks, particularly in cloud environments.

Suricata rule of Virlock in ANY.RUN sandbox Suricata rule triggered by Virlock ransomware inside ANY.RUN’s sandbox

To ensure its continued operation even after system reboots, Virlock modifies the Windows registry:

  • It adds entries to the Run registry keys under both HKCU (Current User) and HKLM (Local Machine), ensuring that its instances are executed automatically at startup.
  • The third instance registers itself as a Windows service, maintaining persistence and functionality even if terminated manually.

During its operation, the second instance disables critical system processes such as explorer.exe and taskmgr.exe, effectively locking the victim’s screen.

It also customizes the ransom message based on the victim's geolocation, demanding payment in Bitcoin to unlock the system. The ransom note often masquerades as an anti-piracy warning from law enforcement, threatening legal consequences to pressure victims into paying quickly.

Ransom note of Virlock in ANY.RUN sandbox Virlock ransom note requiring payment in Bitcoin

Virlock employs a variety of anti-debugging measures and heavily obfuscated code to hinder analysis and detection:

  • It uses XOR encryption for its payloads, complicating the efforts of traditional antivirus solutions to identify and neutralize the ransomware.
  • Dynamic code execution and frequent polymorphic changes make its detection challenging.

The ransom note leverages social engineering to manipulate victims, presenting itself as a warning from legal authorities. This tactic is designed to create urgency and confusion, leaving victims less likely to explore alternative options before complying with the ransom demands

Virlock ransomware distribution methods

  • Email attachments: Virlock is often delivered through phishing emails containing malicious attachments. When recipients open these attachments, the ransomware executes and infects the system.
  • Malicious URLs: Attackers use deceptive links in emails or on compromised websites. Clicking these links can initiate the download and execution of Virlock.
  • Infected executable files: Virlock embeds itself into executable files. Running these infected files can lead to system compromise.
  • Cloud storage and collaboration tools: Virlock can spread through shared applications and cloud storage platforms. Infected files uploaded to these services can propagate the ransomware to other users who download and open them.
  • Removable media: The ransomware can infect files on USB drives or other removable media. When these devices are connected to another system, the malware can spread.
  • Network shares: Virlock can propagate through network shares by infecting files accessible to multiple users, facilitating its spread within organizational networks.

Gathering Threat Intelligence on Virlock Ransomware

To collect up-to-date intelligence on Virlock ransomware, use Threat Intelligence Lookup.

This powerful service provides access to a vast database populated with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, you can search for specific data related to Virlock, including IPs, domains, file hashes, file names, and process artifacts.

Lookup search of Virlock in ANY.RUN sandbox Virlock Lookup Search in ANY.RUN

To gather intelligence on Virlock, you can search directly for its name or use related artifacts. For example, submitting a query like threatName:"Virlock" in Threat Intelligence Lookup will return a comprehensive list of associated samples and sandbox results, giving you actionable insights into the malware's behavior and indicators of compromise.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Virlock ransomware is a serious threat due to its ability to mutate, infect files, and evade detection, making it both difficult to detect and contain. Using tools like ANY.RUN is essential for proactively analyzing suspicious files and URLs to prevent potential attacks.

ANY.RUN offers real-time malware analysis with features like dynamic sandboxing, behavior tracking, and support for Windows and Linux. Its interactive platform simplifies threat detection and provides detailed insights to enhance cybersecurity defenses.

Sign up for a free ANY.RUN account today and start analyzing emerging threats with no limits!

HAVE A LOOK AT

WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More