One example of the VirLock variant. Image Source: Trend Micro

One example of the VirLock variant.

Image Source: Trend Micro

VirLock is a polymorphic worm with file infecting capabilities that targets Windows OS and has the ability to lock the infected computer’s screen and encrypt files. Files encrypted by VirLock gain an .exe extension. Because VirLock is polymorphic, it continuously changes its code each time it runs to avoid detection and make it difficult for researchers to analyze it, according to Trend Micro.

UPDATE 1/27/2017: VirLock, also known as VirLocker and VirRansom, has returned but researchers have discovered a flaw in the encryption process allowing files encrypted by VirLock to be decrypted without paying the ransom. Victims can merely enter 64 zeros in the decryption key field to unlock their files. However, VirLock wraps each encrypted file within an executable requiring the victim to manually extract the original file and delete the binary. Launching the executable of any encrypted files can lead to continued infection of the system. Researchers suggest moving recovered files to an external drive and then completely formatting the original drive to remove the infection. 

  • Security firm ESET offers a tool to decrypt files encrypted by VirLock, available here.