
Virlock


Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.

Type: Ransomware
Origin: Unknown
First seen: 1 December, 2014
Last seen: 30 October, 2025


IOCs

Hashes (SHA-256)
b25b064bb44456f418ed45ef99a68f37a2f0e55160a7ee6089c51ffadf39461c
b7590288cf0134d64d9da3d562201ff83d2c95357b8d8186414d3a5893f71f75
c9d580d683f7ebd3d9397441d7e5f3dc4f926cd5d9d151c8fe0e1a5522bdbaa2
ca1ef668319711e6a05100cfa504ea56c40ddac562ce8c364d74bcee3aad9714
3ee71ee1f3caf106644b240a1b393720513f4188eeeb4ebffe8024af9c280670
fd8acfee8363c7ecfa2ba8d8ad89d0f023db29d9bf82d6d3c99703be2bf97029
ce2d534ccae6d582fbc1d6ee41ea8460d2256ec617a0f7dff1064754bd661f08


What is Virlock ransomware?

Virlock is a unique form of ransomware that combines traditional file encryption with virus-like propagation methods. First identified in 2014, it not only encrypts files but also embeds its malicious code into them, allowing it to spread across systems via shared drives and removable media. Once executed, Virlock locks the victim's screen and displays a ransom note, often masquerading as a legal warning, demanding payment for file recovery and system access.

You can see an example of a ransom note displayed inside ANY.RUN’s sandbox:

Figure: Ransom note displayed in ANY.RUN sandbox

While specific large-scale attacks attributed solely to Virlock are not extensively documented, its unique propagation method poses significant risks, especially in environments that rely heavily on file sharing and collaboration tools. In 2016, security researchers highlighted Virlock's capability to spread through cloud storage and collaboration applications, emphasizing the potential for rapid, widespread infection within organizations.

Virlock's ability to both encrypt files and convert them into infectious agents makes it particularly dangerous. Even if a ransom is paid, residual infected files can lead to reinfection.


Virlock ransomware technical details

Virlock employs polymorphic techniques to evade detection. It changes its code structure with each infection, making it difficult for traditional signature-based antivirus solutions to recognize and block it.

The primary technical functionalities of Virlock ransomware include:

  • Alters its code structure with each infection to evade signature-based detection.
  • Embeds itself into various file types, converting them into carriers of the malware.
  • Displays a full-screen ransom message, preventing user access to the system.
  • Encrypts user files, rendering them inaccessible without a decryption key.
  • Spreads through shared applications and cloud storage platforms.
  • Modifies system registry entries to ensure it runs upon system startup.
  • Employs methods to hinder analysis and detection by security tools.
  • Customizes ransom messages based on the victim's geographic location.
  • Registers itself as a service to maintain persistence on the infected system.
  • Disables task manager and explorer processes to prevent user intervention.

Virlock wraps its own code in several layers of simple keyed encoding, XOR and XOR-ROL (XOR combined with a rotate-left), to obfuscate its body and hinder analysis. Because the keys differ between infections, the encoded bytes carry no stable pattern for a static signature to match; the clear code only appears in memory after the decoding stubs have run.
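As an added illustration (not code from ANY.RUN or from a Virlock sample), the following Python block implements two keyed layers of the kind named above, plain XOR and XOR-ROL, and shows why a byte signature taken from the clear payload stops matching as soon as the layers are applied with a different key. The key schedule, the rotation counts and the sample payload are assumptions chosen for the demo, not Virlock's actual routine.

```python
from typing import Tuple

# Added illustration of layered XOR / XOR-ROL encoding. The key schedule,
# rotation counts and sample payload are assumptions for the demo, not
# Virlock's actual routine.

# Constructed stand-in for a clear-text payload: a DOS-stub-like header
# followed by every byte value, so all inputs are exercised.
SAMPLE_PAYLOAD = b"MZ\x90\x00This program cannot be run in DOS mode." + bytes(range(256))


def rol8(value: int, count: int) -> int:
    """Rotate an 8-bit value left by count bits."""
    count &= 7
    return ((value << count) | (value >> (8 - count))) & 0xFF


def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right by count bits (inverse of rol8)."""
    count &= 7
    return ((value >> count) | (value << (8 - count))) & 0xFF


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _next_key(k: int) -> int:
    # Assumed key schedule: rotate the running key and mix in a constant,
    # so each byte position is masked with a different key byte.
    return rol8(k, 1) ^ 0x5A


def xor_rol_encode(data: bytes, key: int, rot: int) -> bytes:
    """XOR-ROL layer: XOR each byte with the running key, then rotate it left."""
    out = bytearray()
    k = key & 0xFF
    for b in data:
        out.append(rol8(b ^ k, rot))
        k = _next_key(k)
    return bytes(out)


def xor_rol_decode(data: bytes, key: int, rot: int) -> bytes:
    """Inverse of xor_rol_encode: rotate right, then XOR with the same running key."""
    out = bytearray()
    k = key & 0xFF
    for c in data:
        out.append(ror8(c, rot) ^ k)
        k = _next_key(k)
    return bytes(out)


def encode_payload(payload: bytes, xor_key: bytes, rol_key: int, rot: int) -> bytes:
    """Two layers, as the text describes: plain XOR first, XOR-ROL on top."""
    return xor_rol_encode(xor_layer(payload, xor_key), rol_key, rot)


def decode_payload(blob: bytes, xor_key: bytes, rol_key: int, rot: int) -> bytes:
    """Peel the layers in reverse order."""
    return xor_layer(xor_rol_decode(blob, rol_key, rot), xor_key)


def signature_survives(payload: bytes, signature: bytes,
                       xor_key: bytes, rol_key: int, rot: int) -> bool:
    """Would a byte signature taken from the clear payload still match the stored form?"""
    return signature in encode_payload(payload, xor_key, rol_key, rot)


def polymorphism_demo() -> Tuple[bool, bool, bool]:
    """Same payload under two key sets: both decode, bodies differ, signature is gone."""
    blob_a = encode_payload(SAMPLE_PAYLOAD, b"\x13\x37", 0xC3, 3)
    blob_b = encode_payload(SAMPLE_PAYLOAD, b"\x42", 0x0F, 5)
    both_decode = (decode_payload(blob_a, b"\x13\x37", 0xC3, 3) == SAMPLE_PAYLOAD
                   and decode_payload(blob_b, b"\x42", 0x0F, 5) == SAMPLE_PAYLOAD)
    bodies_differ = blob_a != blob_b
    sig_gone = not signature_survives(SAMPLE_PAYLOAD, b"cannot be run", b"\x13\x37", 0xC3, 3)
    return both_decode, bodies_differ, sig_gone


if __name__ == "__main__":
    print(polymorphism_demo())
```

The practical consequence is the one the text draws: a detection keyed to the stored bytes needs to run after the stub has decoded the body (memory scanning, emulation, or sandbox execution), or to target the decoding stub itself rather than the payload.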

After infecting a file, Virlock renames it with an added .exe extension (a document such as report.docx becomes report.docx.exe) and changes the Explorer setting that hides known file extensions, so the infected file is still displayed as report.docx and looks unchanged to the user.

In addition, the ransomware drops multiple copies of itself in different locations and registers them as services or startup entries, so it remains active even if some copies are removed.

Virlock ransomware execution process

To see how Virlock operates, let’s upload its sample into ANY.RUN’s sandbox.

When Virlock is executed on a clean machine, it starts by launching three instances of itself, each with a specific function:

  • Instance one: Responsible for infecting files.
  • Instance two: Locks the victim's screen.
  • Instance three: Establishes persistence by registering as a Windows service.

Figure: Process graph generated by ANY.RUN sandbox

Virlock targets various file types, including documents and binary files. Upon locating a file, it encrypts the original contents and wraps them in a copy of its own executable code, so each infected file becomes a carrier capable of spreading the ransomware further. Any user who opens an infected file inadvertently runs the malware, which lets it propagate within networks, particularly through shared folders and cloud-synced storage where one opened file reaches every host that syncs it.
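As an added example (not ANY.RUN's code and not a Virlock sample), the following Python scanner hunts for the carrier shape described above: an executable whose name still carries a document extension in front of the appended .exe, or executable content sitting behind a viewer extension. The sample files it creates are constructed, and the extension list and the MZ header check are the script's own heuristics.

```python
import os
import shutil
import tempfile
from typing import List, Optional, Tuple

# Extensions a user expects to open in a viewer, not to execute (assumed list).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
            ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".zip"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows PE image


def classify(path: str, head: bytes) -> Optional[str]:
    """Label a file from its name and leading bytes, or return None if unremarkable."""
    stem, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    is_pe = head.startswith(PE_MAGIC)
    if ext == ".exe" and inner_ext in DOC_EXTS:
        # report.docx.exe: the carrier form the text describes
        return "document-name executable (double extension)"
    if ext in DOC_EXTS and is_pe:
        # executable content hiding behind a viewer extension
        return "PE content behind a document extension"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory and return (path, label) for every flagged file, sorted by path."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(len(PE_MAGIC))
            except OSError:
                continue   # unreadable file: skip rather than abort the sweep
            label = classify(full, head)
            if label:
                findings.append((full, label))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed sample tree (not real documents or samples) and return its path."""
    root = tempfile.mkdtemp(prefix="carrier_demo_")
    samples = {
        "budget.xlsx": b"PK\x03\x04" + b"\x00" * 16,       # genuine OOXML zip container
        "notes.txt": b"plain text",
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,         # ordinary executable
        "report.docx.exe": b"MZ\x90\x00" + b"\x00" * 16,   # carrier: document name, PE body
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,         # PE hiding behind an image extension
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo_findings() -> List[Tuple[str, str]]:
    """Build the sample tree, scan it, clean up, and return (basename, label) pairs."""
    root = build_demo_tree()
    try:
        return [(os.path.basename(p), label) for p, label in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, label in demo_findings():
        print(f"{label:45s} {name}")
```

Run it against a share or a synced folder rather than a single workstation: the double-extension names are what a user sees once extensions are unhidden, and the MZ check catches the same carriers even where the name has been cleaned up.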

Figure: Suricata rule triggered by Virlock ransomware inside ANY.RUN's sandbox

To ensure its continued operation even after system reboots, Virlock modifies the Windows registry:

  • It adds entries to the Run registry keys under both HKCU (Current User) and HKLM (Local Machine), ensuring that its instances are executed automatically at startup.
  • The third instance registers itself as a Windows service, maintaining persistence and functionality even if terminated manually.
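An added example, not ANY.RUN's or Virlock's code, covering both the registry persistence listed here and the extension-hiding setting described earlier: a Python triage routine over a .reg export that flags Run-key and service entries whose binary lives in a user-writable directory, and a HideFileExt value of 1. The export text, value names and paths are constructed for the demo; the Run, Services and Explorer\Advanced key paths and the HideFileExt value name are real Windows locations, but the list of user-writable markers is the script's own heuristic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .reg export for the demonstration. The value names, paths and
# service name below are made up; they are not indicators from a real
# Virlock sample. Key paths and HideFileExt are genuine Windows locations.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"xkQzPlwa"="C:\\Users\\alice\\AppData\\Roaming\\xkQzPlwa\\xkQzPlwa.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"rTfUbqLs"="\"C:\\ProgramData\\rTfUbqLs\\rTfUbqLs.exe\" -svc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rTfUbqLs]
"ImagePath"="C:\\ProgramData\\rTfUbqLs\\rTfUbqLs.exe"
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
'''

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
HIDE_EXT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Locations a standard user can write to (assumed list). Updaters and sync
# clients legitimately autorun from here too, so a hit is a lead, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the string and dword values of a .reg export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, value = _unescape(m.group(1)), m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            keys[current][name] = _unescape(value[1:-1])
        else:
            keys[current][name] = value   # other types kept verbatim
    return keys


def executable_path(command: str) -> str:
    """Pull the binary out of an autorun command line (quoted, or up to the first .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split()[0]


def _user_writable(path: str) -> bool:
    return any(mark in path.lower() for mark in USER_WRITABLE)


def triage(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (finding, location, detail) for the persistence and concealment patterns."""
    by_key = {k.lower(): v for k, v in keys.items()}   # registry keys are case-insensitive
    findings: List[Tuple[str, str, str]] = []
    for key in RUN_KEYS:
        for name, value in by_key.get(key.lower(), {}).items():
            path = executable_path(str(value))
            if _user_writable(path):
                findings.append(("run-key autorun from user-writable path", key + "\\" + name, path))
    for key, values in keys.items():
        if key.lower().startswith(SERVICES_PREFIX.lower()) and "ImagePath" in values:
            path = executable_path(str(values["ImagePath"]))
            if _user_writable(path):
                findings.append(("service binary in user-writable path", key, path))
    if by_key.get(HIDE_EXT_KEY.lower(), {}).get("HideFileExt") == 1:
        findings.append(("known file extensions hidden in Explorer", HIDE_EXT_KEY + "\\HideFileExt", "1"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(" | ".join(finding))
```

On a live host, export the three locations with `reg export` and feed the files to parse_reg_export. A single binary that shows up under both a Run key and a service, as the two rTfUbqLs entries do here, is the "multiple copies, multiple persistence points" pattern the text describes, and all of them have to be removed together.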

During its operation, the second instance disables critical system processes such as explorer.exe and taskmgr.exe, effectively locking the victim’s screen.

It also customizes the ransom message based on the victim's geolocation, demanding payment in Bitcoin to unlock the system. The ransom note often masquerades as an anti-piracy warning from law enforcement, threatening legal consequences to pressure victims into paying quickly.

Figure: Virlock ransom note requiring payment in Bitcoin

Virlock employs a variety of anti-debugging measures and heavily obfuscated code to hinder analysis and detection:

  • It uses XOR encryption for its payloads, complicating the efforts of traditional antivirus solutions to identify and neutralize the ransomware.
  • Dynamic code execution and frequent polymorphic changes make its detection challenging.

The ransom note relies on social engineering, presenting itself as a warning from legal authorities. The tactic is designed to create urgency and confusion so that victims are less likely to explore alternatives before complying with the demand.

Virlock ransomware distribution methods

  • Email attachments: Virlock is often delivered through phishing emails containing malicious attachments. When recipients open these attachments, the ransomware executes and infects the system.
  • Malicious URLs: Attackers use deceptive links in emails or on compromised websites. Clicking these links can initiate the download and execution of Virlock.
  • Infected executable files: Virlock embeds itself into executable files. Running these infected files can lead to system compromise.
  • Cloud storage and collaboration tools: Virlock can spread through shared applications and cloud storage platforms. Infected files uploaded to these services can propagate the ransomware to other users who download and open them.
  • Removable media: The ransomware can infect files on USB drives or other removable media. When these devices are connected to another system, the malware can spread.
  • Network shares: Virlock can propagate through network shares by infecting files accessible to multiple users, facilitating its spread within organizational networks.

Gathering Threat Intelligence on Virlock Ransomware

To collect up-to-date intelligence on Virlock ransomware, use Threat Intelligence Lookup.

The service provides access to a database populated with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, you can look up data related to Virlock, including IPs, domains, file hashes, file names, and process artifacts.

Figure: Virlock Lookup Search in ANY.RUN

To gather intelligence on Virlock, you can search directly for its name or use related artifacts. For example, submitting a query like threatName:"Virlock" in Threat Intelligence Lookup will return a comprehensive list of associated samples and sandbox results, giving you actionable insights into the malware's behavior and indicators of compromise.


Conclusion

Virlock ransomware is a serious threat due to its ability to mutate, infect files, and evade detection, making it both difficult to detect and contain. Using tools like ANY.RUN is essential for proactively analyzing suspicious files and URLs to prevent potential attacks.

ANY.RUN offers real-time malware analysis with features like dynamic sandboxing, behavior tracking, and support for Windows and Linux. Its interactive platform simplifies threat detection and provides detailed insights to enhance cybersecurity defenses.

