VirLock Ransomware

If you see a message covering the entire Desktop every time you turn on your computer, it is very likely that you have VirLock Ransomware installed on your system. Like other ransomware infections, this threat enters computers because it seeks to extort money from users; however, it is rather unique in a sense that it not only encrypts files and puts a screen-locking message on Desktop, but also tries to scare users into transferring the required money by saying that a law enforcement agency has detected pirated software on their computers and now, as a result, they must pay the fine. If you have already become a victim of VirLock Ransomware, you should ignore the message it has put on your screen because you only see it just because it wants to convince you to pay the ransom it asks. It will disappear once and for all only if you delete the ransomware infection from the system, so specialists at pcthreat.com suggest getting rid of it as soon as possible. Do not expect that it will be easy to erase it because this ransomware not only covers the screen with its message, but also encrypts files and does not allow users to access system utilities like the Task Manager and the Run command.

VirLock Ransomware will immediately encrypt files stored on the computer once it sneaks onto the system and then will put a message on Desktop to inform users what has happened and what they need to do. At first, it seems that the situation is very serious because the message contains logos of law enforcement agencies and the flag of the United States of America. Also, at the beginning of the message users find out that “willful copyright infringement is a federal crime that carries penalties of up to five years in federal prison, a $250, 000 fine, forfeiture and restitution.” To be frank, thousands of users keep pirated software on their computers. Therefore, a bunch of them believe that they are in trouble and decide to pay a fine of $250 (approximately 0.37 Bitcoin). It is said that the fine has to be paid within 3 days. If not, “a warrant will be issued for your arrest, which will be forwarded to your local authorities.” Nobody wants to go to jail, so it is not surprising that people decide to pay money. Believe us; it is not worth transferring money because they will end up in the pockets of cyber criminals. Also, it is not very likely that your files will be unlocked even though VirLock Ransomware promises to send you the “special restoration software.” As our experience shows, the free decryptor that can unlock files free of charge is released sooner or later, which means that it might be possible to restore the locked files in the future.

From the technical perspective, VirLock Ransomware makes many changes as well. Researchers have noticed that it creates folders with random names in %ALLUSERSPROFILE% and %USERPROFILE%. Also, it creates Values in the Run registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run) to ensure that it stays put after the PC reboot and launches the moment Windows boots up. These Values will have random names as well; however, they will have the Value data similar to %USERPROFILE%\[random folder]\[random file].exe and %ALLUSERSPROFILE%\[random folder]\[random file].exe, so you could easily recognize them. Once you remove the ransomware infection fully, you will no longer see the modifications it has made too.

Researchers are sure that VirLock Ransomware is distributed like other well-known ransomware infections, i.e. it is spread through spam emails. Yes, it is enough to open an infectious email attachment, which often looks like a harmless PDF or DOC file, to allow malicious software to enter the system. We cannot blame those users because these spam emails are made to look like they are sent from trustworthy companies. If you wish to protect your PC from harm, you should ignore all the spam emails you receive. We also suggest installing trustworthy antimalware tool to prevent malware from sneaking on the system secretly.

Unfortunately, it is not easy to remove VirLock Ransomware from the system. First of all, you will need to start your Windows in Safe Mode with Networking, display hidden files and folders, and then locate and remove files and Values that belong to this infection. In fact, you have two choices. You can download a trustworthy scanner, e.g. SpyHunter after you start Windows in Safe Mode with Networking and use it or erase this threat manually by using our step-by-step instructions. Of course, the automatic method is easier and quicker, but you are the only who can decide how to remove the ransomware infection.

Delete VirLock Ransomware

Start Windows in Safe Mode with Networking

Windows XP/Windows Vista/Windows 7

1. Restart your computer.
2. Keep tapping F8 before the Windows OS boots up.
3. Select Safe Mode with Networking from the Windows Advanced Options Menu using arrow keys.
4. Tap Enter.

Windows 8/8.1/10

1. Press the Power button at the Windows login screen.
2. Hold the Shift key and click Restart.
3. Open Troubleshoot.
4. Select Advanced options.
5. Select Startup Settings.
6. Click Restart.
7. Tap F5 on your keyboard.

Show hidden files and folders

Windows XP

1. Click on the Start button.
2. Select Control Panel.
3. Open Appearance and Themes.
4. Click Folder Options.
5. Open the View Tab and enable Show hidden files and folders under Hidden files and folders.

Windows Vista

1. Click on the Start button (the small round button with the Windows flag in the corner).
2. Open Control Panel.
3. Double-click on the Folder Options icon and then click on the View tab if you are in the Classic View.
4. If you are in the Control Panel Home view, click Appearance and Personalization.
5. Click Show Hidden Files or Folders.
6. Mark the button Show hidden files and folders.

Windows 7

1. Select the Start button.
2. Go to Control Panel and then open Appearance and Personalization.
3. Select Folder Options.
4. Open the View tab and select Show hidden files, folders, and drives under Advanced settings.
5. Click OK.

Windows 8/8.1

1. Type folder in the search box and select Folder Options.
2. Open the View tab.
3. Select Show hidden files, folders, and drives. Click OK.

Windows 10

1. Use the search box on the Task bar to find Show hidden files and folders.
2. Enable Show hidden files, folders, and drives which you will find under Advanced Settings.
3. Click OK.

Delete VirLock Ransomware

1. Open the Windows Explorer (Win+E).
2. Enter %USERPROFILE% in the URL bar and tap Enter.
3. Locate and remove the folder, e.g. nWUwAokA (its name consists of random letters).
4. Go to %ALLUSERSPROFILE%.
5. Find and delete the folder having the random name, e.g. dekAoYQc.
6. Remove the Value with the Value Data %USERPROFILE%\[random folder]\[random file].exe from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
7. Find and delete the Value having the random name from HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
8. Reboot PC.

If you want to be sure that there are no dangerous components of the ransomware infection left and other malicious applications do not hide on your PC, you should scan your computer with a reliable automatic scanner.