VirLock (also known as VirLocker) is a polymorphic parasitic file infector that doubles as ransomware. As documented in a Virus Bulletin (VB2015) analysis, it transforms the files it infects into new copies of itself, so each infected file becomes both a carrier of the malware and a payload. Alongside this file-infecting behaviour it employs screen-locking, presenting a lock screen that demands payment before the system can be used. This combination of self-replicating file infection with extortion made VirLock an early and unusual example of a ransomware/file-infector hybrid.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1486 T1027
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_VIRLOCK {
meta:
description = "Detects Virlock (ransomware_file_infector)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "virlock" ascii wide nocase
$s2 = "virlocker" ascii wide nocase
$s3 = "virlock" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Virlock Activity
id: b5e9d6299ac2e7c869542b7a67935370
status: experimental
description: Detects generic indicators of the virlock malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*virlock*"
- "*virlocker*"
- "*virlock*"
condition: selection
level: mediumVirLock is a hybrid threat: it is both a polymorphic parasitic file infector and ransomware. It spreads by infecting files and also locks the screen to demand payment.
VirLock transforms the files it infects into copies of itself. Each infected file then acts as a carrier, so opening or sharing an infected file can propagate the malware further.
VirLock changes its own code as it replicates, producing varied copies. This polymorphism is intended to make detection by simple signature matching more difficult.
In addition to infecting files, VirLock uses a screen-locking technique that blocks normal use of the system and presents an extortion demand, consistent with ransomware behaviour.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/virlock.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.