VirLock: The First Shape-shifter Among Ransomware

Next story

ESET has analyzed new member of ransomware family detected by its telemetry under name Win32/VirLock. It is the first time ESET researchers have seen ransomware which locks screen of victims device and also acts as polymorphic parasitic virus infecting files on user‘s device. Read more about VirLock on To restore VirLock-infected files, victims can download and use ESET’s standalone cleaner
Until now, ransomware has usually been categorized into two basic groups: LockScreens and Filecoders. In rare cases, ransomware takes a hybrid approach by both encrypting files and locking the screen by displaying a full screen message demanding ransom. An example of this behavior is Android/Simplocker – the first filecoder for Android ESET had detected earlier this year.
VirLock infects the files by morphing them into encrypted executables containing the virus body. Another part of the payload is responsible for the LockScreen functionality – with typical protective measures like shutting down explorer.exe, the Task Manager – and for displaying the ransom screen.

“From a technical point of view, probably the most interesting part about VirLock is that the virus is polymorphic, meaning its body will be different for each infected file and also each time it’s executed. Moreover, our analysis has revealed multiple levels of encryption, which suggests that the malware author has truly played around with the code,” said Robert Lipovsky, Malware Researcher at ESET.

For more information and details about VirLock please read the analysis by ESET researchers which is now available on Victims of the VirLock infection can download and use ESET’s standalone cleaner to restore their files. 

About ESET

Since 1987, ESET® has been developing record award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on LinkedInFacebook and Twitter.