VECT Ransomware's Fatal Flaw: Encryption Bug Turns Malware into Unrecoverable Wiper for Enterprise Data

Last updated: 2026-05-04 14:31:28 · Science & Space

Breaking News: VECT Ransomware Destroys Data Instead of Encrypting It

Check Point Research (CPR) has uncovered a devastating flaw in the VECT 2.0 ransomware that permanently destroys large files rather than encrypting them. The bug, present across all three platform variants (Windows, Linux, ESXi), makes full recovery impossible for anyone—including the attackers themselves.

Source: research.checkpoint.com

“This flaw effectively turns VECT into a wiper for virtually any file containing meaningful data,” said a CPR researcher. “Enterprise assets such as VM disks, databases, documents, and backups are all affected.”

The Critical Encryption Flaw

The flaw stems from a nonce-handling error in the encryption implementation. For every file above 131,072 bytes (128 KB), three of the four decryption nonces are discarded. Because a stream cipher's keystream is derived from both the key and the nonce, the data covered by the discarded nonces is unrecoverable even with the correct decryption key.

CPR confirmed the flaw is present across all publicly available VECT versions. The threshold of only 128 KB effectively turns the ransomware into a wiper for any file containing meaningful data.

Additional Missteps and Bugs

CPR also found that VECT’s cipher is misidentified in public reports. The malware uses raw ChaCha20-IETF (RFC 8439) with no authentication, not the ChaCha20-Poly1305 AEAD claimed by several threat intelligence sources. There is no Poly1305 MAC and no integrity protection.
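To show why a discarded nonce leaves data unrecoverable even with the right key, and why raw ChaCha20 without Poly1305 gives no integrity check, here is an added example that is not code from the page or from CPR: a minimal pure-Python RFC 8439 ChaCha20 plus a model of the bug. The four-segment layout, the single surviving nonce and the 131,073-byte sample are assumptions for illustration, not VECT's actual file format.

```python
import os
import struct

def _rotl(v, n):
    return ((v << n) & 0xffffffff) | (v >> (32 - n))

def quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1 quarter round, applied in place to four state words
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    # RFC 8439 section 2.3 state: constants | 256-bit key | 32-bit counter | 96-bit nonce
    init = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
    init += struct.unpack('<8L', key) + (counter,) + struct.unpack('<3L', nonce)
    w = list(init)
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            quarter_round(w, a, b, c, d)
    return struct.pack('<16L', *[(x + y) & 0xffffffff for x, y in zip(w, init)])

def chacha20_xor(key, nonce, data, counter=1):
    # Raw ChaCha20-IETF: data XOR keystream; the same call encrypts and decrypts.
    # No Poly1305 tag is computed, so nothing flags a wrong nonce or a modified byte.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def lost_nonce_demo(key, data, segments=4):
    # Assumed model of the bug: each segment is encrypted under its own random nonce,
    # but only the first nonce is kept (the page: three of four nonces are discarded).
    size = -(-len(data) // segments)
    parts = [data[i * size:(i + 1) * size] for i in range(segments)]
    nonces = [os.urandom(12) for _ in parts]
    cts = [chacha20_xor(key, n, p) for n, p in zip(nonces, parts)]
    # Best effort of a decryptor holding the correct key and the one surviving nonce:
    return [chacha20_xor(key, nonces[0], c) == p for c, p in zip(cts, parts)]

def silent_tamper_demo(key, data):
    # Without a MAC, a flipped ciphertext bit decrypts "successfully" to wrong plaintext.
    nonce = os.urandom(12)
    ct = bytearray(chacha20_xor(key, nonce, data)); ct[0] ^= 0x80
    pt = chacha20_xor(key, nonce, bytes(ct))
    return pt[0] != data[0] and pt[1:] == data[1:]
```

Calling `lost_nonce_demo(os.urandom(32), os.urandom(131_073))` returns `[True, False, False, False]`: only the segment whose nonce survived comes back, which is the wiper behaviour described above.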

Furthermore, the advertised encryption speed modes (--fast, --medium, --secure) are parsed but silently ignored. Every execution applies identical hardcoded thresholds, regardless of operator selection. Additional bugs include self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that degrades encryption performance.

Background: VECT Ransomware and Its Origins

VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. The group claimed their first two victims in January 2026.

They gained public attention in March 2026 after announcing a partnership with TeamPCP, the actor behind several supply-chain attacks. These attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.

Following these attacks, VECT posted on BreachForums announcing the partnership, aiming to exploit companies affected by the supply-chain attacks. Additionally, VECT promised that every registered BreachForums user would become an affiliate, gaining access to the ransomware, negotiation platform, and leak site.

What This Means for Victims and Organizations

The encryption flaw means that any VECT infection targeting large files results in permanent data destruction. Victims should not expect to recover their data even if they pay the ransom.

Organizations must treat any VECT incident as a destructive wiper attack, not a typical ransomware event. Immediate incident response should focus on containment and data restoration from clean backups, not negotiation.

Given the partnership with TeamPCP, companies that were affected by the earlier supply-chain attacks should be especially vigilant. The VECT group’s professional facade masks an amateurish execution that makes them unpredictable and dangerous.

For full technical details, see the background section above. CPR recommends all organizations review their defenses against wiper attacks and ensure that critical data is backed up offline.