VirLocker ransomware is back, but can be defeated

VirLocker (aka VirLock, aka VirRansom) is a virulent piece of machine-locking ransomware that has been around for quite some time.

It’s actually quite a surprise that it is not more widespread, given that it can easily “jump” from machine to machine without current and potential victims being none the wiser. But, according to Malwarebytes’ resident anti-ransomware expert Nathan Scott, it has now made a noticeable comeback.

The VirLocker threat

VirLocker is polymorphic ransomware that reproduces itself and covertly adds itself to a great many number files on a victim’s computer. It encrypts many different types of files, but also “infects” them by adding itself to these new, encrypted files, and wrapping them in an EXE shell (the .exe extension is not visible).

“Imagine you get this infection and think it’s just a screen locker like you have heard about. You somehow manage to remove the infection and think you are in the clear. Because extensions are turned off, you do not see that EVERY file on your machine now has a .exe extension added to it behind its original extension. You send your resume to a company you’re applying to and soon enough that whole business is infected,” Scott explains.

It only takes opening one such file to get the infection chain started.

“Because every file that VirLocker touches becomes VirLocker itself, so many users will accidentally send an infected version of a file to friends and colleagues, backups become infected, and even applications and EXE’s are not safe. Basically, when getting infected by VirLocker, you can no longer trust a single file that is on the affected machine,” the malware analyst noted.

Getting your files back

Decryptor tools for previous versions of the ransomware have been created and offered by ESET and Sophos researchers, but this latest version is even easier to thwart: you just need to enter any 64-length string (e.g. 64 zeros) in the text box of the lock screen note, click on the “Pay Fine” button and the malware will believe that the right amount has been paid. The note will disappear, and opening any of the infected will extract the original file.

Opening all the files that have been infected, one by one, will likely be a time consuming task, but you can at least save those that are most important (and you haven’t backed up).

Once you get them all, insert a USB stick in your computer and transfer them there, Scott advises, but warns to be careful not to make the mistake to transfer some of the infected EXE files on the memory stick, as clicking on any of them will restart the infection chain.

After removing the stick, you are ready to reformat/wipe your computer and set it up from scratch. That’s the only way you can be sure that you’ve deleted every last infected file from it, and you won’t be infecting yourself or anyone else with it.