VirLock: The First Shape-shifter Among Ransomware

ESET research has analysed first case of ransomware that also acts as polymorphic parasitic virus.

ESET has analyzed a new member of the ransomware family detected by its Eset anitvirustelemetry under name Win32/VirLock. It is the first time ESET researchers have seen ransomware which locks screen of victims device and also acts as polymorphic parasitic virus infecting files on user‘s device. To restore VirLock-infected files, victims can download and use ESET’s standalone cleaner.

Until now, ransomware has usually been categorized into two basic groups: LockScreens and Filecoders. In rare cases, ransomware takes a hybrid approach by both encrypting files and locking screens by displaying a full screen message demanding ransom. An example of this behavior is Android/Simplocker – the first filecoder for Android ESET had detected earlier this year.

VirLock infects the files by morphing them into encrypted executables containing the virus body. Another part of the payload is responsible for the LockScreen functionality – with typical protective measures like shutting down explorer.exe, the Task Manager – and for displaying the ransom screen.

“From a technical point of view, probably the most interesting part about VirLock is that the virus is polymorphic, meaning its body will be different for each infected file and also each time it’s executed. Moreover, our analysis has revealed multiple levels of encryption, which suggests that the malware author has truly played around with the code,” said Robert Lipovsky, Malware Researcher at ESET.

For more information and details about VirLock, you may read the analysis by ESET researchers which is now available on Victims of the VirLock infection can download and use ESET’s standalone cleaner to restore their files.