Virlock Ransomware Capable of Spreading via Cloud Sync

By Richard Anderson

Virlock ransomware has been around since 2014, but the latest version of the file-encrypting malware has a host of new capabilities that make it considerably more dangerous. Virlock now encrypts every file it comes into contact with, and its methods of spreading are far more effective than before: the latest version can propagate inside an organization through cloud sync and collaboration applications.

Initial infection occurs via email, malicious websites, or USB sticks. Once one computer is infected, all files on that device are encrypted, and those encrypted files are themselves capable of infecting other users. According to security researchers at Netskope, Virlock is a polymorphic file infector: each infected file is made up of polymorphic code, the malware body, and the original file's contents embedded as clean data.

Netskope says a ransomware infection on a single machine can spread quickly across an entire organization if employees collaborate and share files through cloud sync or cloud storage services. If an infected file is shared with another user and that user opens it, all of their files can be infected and encrypted in turn.

Say user A is infected. All of their files are encrypted and become infector files. If any of those files sit in a folder that is synced to a shared location, the infected copies are written to the shared folder, and every other user with access to that folder is at risk. When user B opens one of the infected files, the infector executes on B's machine, and all of the files there are encrypted and turned into infector files as well, including whatever B has in other shared folders. The process then repeats from B. In an enterprise, an outbreak can reach multiple users in a matter of minutes.

Since the ransomware can infect all file types, including backups, it is essential that backup devices are air-gapped, and multiple backups should be kept. Netskope recommends backing up critical data to a cloud account and scanning that account regularly for malware; given how Virlock spreads, that backup account should be separate from the collaboration service that syncs working files, so that an infector file is not copied into the backup automatically. Administrators should also turn off the Windows Explorer option that hides extensions for known file types, so that a file named report.docx.exe is displayed with its real .exe extension rather than as report.docx.

End users should be instructed never to open file attachments from unknown senders and never to plug in USB devices that have not come from a trusted source. They should also be told not to run files with dual extensions (a document or image extension followed by an executable one) unless they are absolutely certain those files are safe. Anti-virus and anti-malware software should be kept up to date, and patches applied promptly, to prevent infection via exploit kits.
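The dual-extension warning above and the recommendation to scan shared or backup storage for infector files can both be turned into a simple check. The following is an added example, not code from the original article or from Netskope; it walks a synced folder and flags two disguises: a file whose name ends in a document extension followed by an executable one (the naming pattern described for infector files; treating ".exe" appended to the original name as the infector's convention is an assumption here), and a file that carries a document extension but whose content starts with the "MZ" header of a Windows executable. The extension lists and the sample files are constructed for illustration.

```python
import os
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions users expect to open as passive data. An executable whose name ends
# in one of these followed by an executable extension (report.docx.exe) is the
# dual-extension disguise; with "hide extensions for known file types" enabled,
# Explorer shows only "report.docx". Both lists are assumptions for this example.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".jpg", ".png", ".zip"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def classify(name: str, head: bytes) -> Optional[str]:
    """Return a finding label for one file, or None if nothing looks wrong.

    name -- the file name as stored on disk (the hidden extension is still there)
    head -- the first bytes of the file; Windows executables start with b"MZ"
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    prev = suffixes[-2] if len(suffixes) > 1 else ""
    if last in EXECUTABLE_EXTS and prev in DOCUMENT_EXTS:
        return "dual-extension"
    if last in DOCUMENT_EXTS and head.startswith(b"MZ"):
        # Named like a document, but the content is a PE image.
        return "pe-disguised"
    return None


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk a synced or shared folder and list suspicious files, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            with open(full, "rb") as fh:
                head = fh.read(2)
            label = classify(fname, head)
            if label:
                findings.append((full.relative_to(root).as_posix(), label))
    return sorted(findings)


def build_sample_tree(root: Path) -> None:
    """Create constructed sample files (not real malware) to exercise the scanner."""
    (root / "shared").mkdir(parents=True, exist_ok=True)
    # Clean spreadsheet: a zip container, as a real .xlsx is.
    (root / "quarterly.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 28)
    # Two suffixes, neither executable: ignored.
    (root / "shared" / "archive.tar.gz").write_bytes(b"\x1f\x8b\x08" + b"\x00" * 13)
    # Infector-style disguise: a PE header under a document name with ".exe" appended.
    (root / "shared" / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    # A PE header hiding behind a plain image extension.
    (root / "photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    # An undisguised executable: not flagged by these two rules.
    (root / "setup.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temporary directory and return the findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:15} {path}")
```

Pointing scan_tree at a real sync folder or a mounted backup share lists the two disguises only; an ordinary .exe is deliberately not reported, since the point is to catch executables pretending to be documents. Because Virlock's code is polymorphic, a check like this complements signature-based anti-virus rather than replacing it.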

In the event of infection, the attackers demand a payment to unlock the files on each infected device. Payment must be made in Bitcoin, and the ransom is approximately $250 per infected machine.


Richard Anderson is the Editor-in-Chief of NetSec.news