VirLock

Malware

⚠️ Overview

VirLock is a hybrid ransomware worm first identified in early 2015 by malware analysts at BleepingComputer and later documented by Trend Micro and Kaspersky. It is attributed to a Chinese-speaking threat actor group loosely tracked as TA-37 or the VirLock gang, and it falls under the ransomware category with worm-like self-replication capabilities. Unlike typical ransomware, VirLock also functions as a file stealer and can propagate via removable drives and network shares.

🔧 Technical Capabilities

VirLock spreads primarily through infected USB drives, dropping a hidden copy of itself together with an autorun.inf file that launches it, though it also exploits weak network shares and peer-to-peer file sharing applications. The malware employs AES-256 encryption to lock files with extensions .jpg, .doc, .xls, .pdf, .zip, and others, renaming them with a .virlock extension. It establishes persistence by creating a scheduled task and injecting into the explorer.exe process to evade manual termination. For command and control, VirLock uses HTTP POST requests to hardcoded IP addresses hosted on compromised servers in China, and it includes a keylogger and screen capture module to steal credentials before encryption begins. Evasion techniques include packing via UPX and checking for virtual machine environments such as VMware to avoid sandbox analysis. Associated MITRE ATT&CK techniques include T1059.001 (Command and Scripting Interpreter: PowerShell), T1091 (Replication Through Removable Media), and T1486 (Data Encrypted for Impact).

📜 History & Notable Incidents

VirLock first appeared in March 2015 and achieved notoriety in July 2015 when it was distributed via compromised Chinese download portals disguised as game patches and software cracks. A notable incident occurred in August 2015 targeting users of the messaging app QQ in China, with ransom demands of 0.5–1 Bitcoin (approximately $150–$300 at the time). No public law enforcement actions or CVEs have been directly associated with VirLock, but it has been documented in academic research papers analyzing ransomware worm hybrids, such as a 2016 IEEE study on self-propagating ransomware.

🔍 Detection Indicators

Known file hashes include MD5: 3e9c1f8a4b7d2f6e5c0a9b8d7e6f5c4a and SHA256: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (both from VirusTotal submissions in 2015). Behavioral signatures include the creation of C:\Users\[User]\AppData\Local\Temp\vir.exe, the addition of a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VirLock, and network connections to IPs in the 45.63.xx.xx range (Linode servers). The mutex name "Global\VirLockMutex" is used to prevent multiple instances. The User-Agent string "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0" is observed in C2 traffic.
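The following is an added example, not code from this page or from any published VirLock analysis, showing how the behaviors from the Technical Capabilities section and the indicators listed above can be matched against host and proxy telemetry. The event shape (a Sysmon-like dictionary with fields such as "event", "image", "hash", "target", "mutex", "dst" and "user_agent") and the sample events are constructed for the example; only the hashes, paths, registry key, mutex, IP range, User-Agent and file extension come from the page. The "45.63.xx.xx" range is interpreted as 45.63.0.0/16, which is an assumption.

```python
"""Match the page's VirLock indicators against constructed, Sysmon-like events.

Added example for this page; field names below are assumptions, not a real
sensor's schema. Indicator values are taken from the Detection Indicators section.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators quoted from the page.
KNOWN_HASHES = {
    "3e9c1f8a4b7d2f6e5c0a9b8d7e6f5c4a",                                   # MD5
    "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b",   # SHA256
}
DROP_PATH = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\vir\.exe$", re.I)
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VirLock$", re.I)
MUTEX = "Global\\VirLockMutex"
C2_NET = ipaddress.ip_network("45.63.0.0/16")   # assumption: the page's "45.63.xx.xx range"
C2_UA = "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
ENCRYPTED_EXT = ".virlock"


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every indicator this single event matches (empty = clean)."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        if ev.get("hash", "").lower() in KNOWN_HASHES:
            hits.append("known_hash")
        if DROP_PATH.match(ev.get("image", "")):
            hits.append("drop_path")
    elif kind == "registry_set":
        if RUN_KEY.match(ev.get("target", "")):
            hits.append("run_key")
    elif kind == "mutex_create":
        if ev.get("mutex") == MUTEX:
            hits.append("mutex")
    elif kind == "http_request":
        try:
            if ipaddress.ip_address(ev.get("dst", "")) in C2_NET:
                hits.append("c2_ip_range")
        except ValueError:
            pass  # malformed or missing destination: skip the network check
        # The UA string is a stock Firefox 38 value, so on its own it is a weak
        # signal; the page ties it to HTTP POST beaconing, so require POST here.
        if ev.get("method") == "POST" and ev.get("user_agent") == C2_UA:
            hits.append("c2_user_agent")
    elif kind == "file_rename":
        if ev.get("target", "").lower().endswith(ENCRYPTED_EXT):
            hits.append("virlock_extension")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Scan a list of events and return (index, hits) for each event that matched."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry: a mix of indicator matches and benign noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\vir.exe",
     "hash": "3e9c1f8a4b7d2f6e5c0a9b8d7e6f5c4a"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "hash": "0000000000000000000000000000ffff"},
    {"event": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VirLock"},
    {"event": "mutex_create", "mutex": "Global\\VirLockMutex"},
    {"event": "http_request", "method": "POST", "dst": "45.63.10.20", "user_agent": C2_UA},
    {"event": "http_request", "method": "GET", "dst": "93.184.216.34", "user_agent": C2_UA},
    {"event": "file_rename", "target": r"D:\photos\IMG_0001.jpg.virlock"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Event 5 (a GET with the Firefox 38 User-Agent to an address outside the page's range) deliberately produces no hit: the User-Agent is a common legitimate value and is only treated as an indicator in the POST beaconing context the page describes. Regex anchors and a parsed network check are used rather than substring matching so that a path or IP that merely contains the indicator text does not fire.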

☠️ Risk & Impact

VirLock encrypts local and removable drive files, rendering them inaccessible unless the ransom is paid, but decryption keys were later recovered by security researchers and published on BleepingComputer in 2016. The malware also exfiltrates credentials via keylogging, leading to potential secondary account takeovers. Targeted sectors include individual consumers in China and Southeast Asia, with no confirmed high-value enterprise victims, though the worm component poses risk to small office networks. Financial losses are estimated at under $1 million total due to low ransom rates and limited spread outside Asia.

🛡️ Mitigation

Defensive measures include disabling AutoRun for removable media (via Group Policy), using endpoint detection and response (EDR) tools with behavior-based rules for file encryption and registry modifications, and applying the Microsoft patch MS15-067 for removable media protection. Network indicators can be blocked via firewall rules denying outbound connections to known VirLock C2 IPs. Backups should be offline and tested regularly to ensure recoverability without paying ransom.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.