{
  "family": "virlock",
  "sample_count": 3132,
  "category": "ransomware_file_infector",
  "description": "Virlock (also spelled VirLock or VirLocker) is a notable polymorphic ransomware family that combines file infection with screen-locking ransomware behavior. Unlike most ransomware, Virlock infects executable files in addition to encrypting documents, meaning that sharing infected files spreads the ransomware. This dual behavior makes Virlock unusually difficult to clean up and increases the risk of reinfection from backup or shared files.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "virlocker",
    "polyransom"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Virlock?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Virlock (also spelled VirLock or VirLocker) is a notable polymorphic ransomware family that combines file infection with screen-locking ransomware behavior. Unlike most ransomware, Virlock infects executable files in addition to encrypting documents, meaning that sharing infected files spreads the ransomware. This dual behavior makes Virlock unusually difficult to clean up and increases the risk of reinfection from backup or shared files."
      }
    },
    {
      "@type": "Question",
      "name": "How does Virlock spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "VirLock is a polymorphic ransomware-file-infector hybrid spreading through infected executables and network shares, encrypting files while also infecting other binaries."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Virlock infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Files renamed with .exe extensions even if they were not executables originally, ransom screens on file open, and AV detections for VirLock, VirLocker, or PolyRansom are diagnostic."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Virlock on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1486",
    "T1027"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}