Win32/Virlock: First self reproducing Ransomware raises its head

Win32/Virlock is a new type of ransomware that not only locks the screen, but it also behaves as a polymorphic parasitic virus that infects files on the user’s machine. So, we have a new virus having a combination of a ransomware that locks user’s screen, a polymorphic malware and a parasitic virus that infects user’s files as well. With these characteristics, Win32/Virlock poses a greater threat to users than any other, typical ransomware.

Win32/Virlock ransomware

A typical ransomware screen looks as follows:


In general, a ransomware will often stop you from using your computer. They claim that you done something illegal and you are fined for that. Or the ransomware will lock your screen ad demand for money to give away the key to unlock it. The methods are one of these or a combination of all.

There are generally two types of ransomware defined, namely LockScreen and Filecoder. Their characteristics are as follows:

  • LockScreen Ransomware: The ransomware locks user’s screen and then demands for ransom to unlock it.
  • Filecoder Ransomware: The ransomware does not lock user’s screen or prevents the user from using the computer. However, it encrypts the files on his PC and asks for fees to decrypt the files.

ESET mentions their first experience with Win32/Virlock as follows:

“In October we discovered a new, previously unseen approach – Win32/VirLock is ransomware that locks the screen and then not only encrypts existing files, but also infects them by prepending its body to executable files – thus acting as a parasitic virus.”

In the overview of Win32/Virlock, ESET mentions how this ransomware is different than the typical file coders,

“A file infected with VirLock will be embedded into a Win32 PE file and the .exe extension appended to its name unless it was already an executable file. When it is executed, it decrypts the original file from within its body, drops it to the current directory and opens it. The decryption methods are described later in the article. This behavior clearly sets it apart from typical file coders.”

Though the virus seems pretty harmful, ESET’s analysis show that the number of victims is relatively low. It is also not widespread like other ransomware. ESET mentioned that they are keeping an eye on this new breed of ransomware and will keep updating the information about it.

You can read more about Win32/Virlock ransomware at the ESET blog.

Check out our post on general steps to take to stay protected & prevent Ransomware.

Download this VPN to secure all your Windows devices and browse anonymously
Posted by with Tags
Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.


  1. AhWell

    I have a pc protection software called Sandboxie which can stop all types of virus’, in their website they state it can also can stop ransomwares. The good thing about it virtualizes and “sandbox” the communication between browser and system. All changes made within the sandbox can be deleted and will never reach the real system. Of course you can recover what you’ve downloaded. I recommend it. There is a free version and a paid version. The free version is just limited but you’d never have to pay. I can also recommend Bufferzone which works almost the same way but there are differences. I like Sandboxie cause it is more lightweight than Bufferzone. Please do check out these good softwares.

  2. Ankit Gupta

    Hey, thank you for your advise! We will try and cover these on TWC. Appreciate your recommendations.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + 6 =