Virlock

Category: ransomware_file_infector · Aliases: VirLocker, Virlock · Sample count (EMBER 2018): 3,132 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

VirLock (also known as VirLocker) is a polymorphic parasitic file infector that doubles as ransomware. As documented in a Virus Bulletin (VB2015) analysis, it transforms the files it infects into new copies of itself, so each infected file becomes both a carrier of the malware and a payload. Alongside this file-infecting behaviour it employs screen-locking, presenting a lock screen that demands payment before the system can be used. This combination of self-replicating file infection with extortion made VirLock an early and unusual example of a ransomware/file-infector hybrid.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1027

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_VIRLOCK {
    meta:
        description = "Detects Virlock (ransomware_file_infector)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "virlock" ascii wide nocase
        $s2 = "virlocker" ascii wide nocase
        $s3 = "virlock" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Virlock Activity
id: b5e9d6299ac2e7c869542b7a67935370
status: experimental
description: Detects generic indicators of the virlock malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*virlock*"
            - "*virlocker*"
            - "*virlock*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What type of malware is VirLock?

VirLock is a hybrid threat: it is both a polymorphic parasitic file infector and ransomware. It spreads by infecting files and also locks the screen to demand payment.

How does VirLock spread?

VirLock transforms the files it infects into copies of itself. Each infected file then acts as a carrier, so opening or sharing an infected file can propagate the malware further.

Why is VirLock described as polymorphic?

VirLock changes its own code as it replicates, producing varied copies. This polymorphism is intended to make detection by simple signature matching more difficult.

What does VirLock do to an infected computer?

In addition to infecting files, VirLock uses a screen-locking technique that blocks normal use of the system and presents an extortion demand, consistent with ransomware behaviour.

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/virlock.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.