VECT Ransomware Exposed: The Flaw That Turns Encryption into Data Destruction


Check Point Research (CPR) has uncovered critical flaws in VECT 2.0 ransomware, revealing that its encryption implementation is so broken that it permanently destroys files larger than 128 KB rather than encrypting them. This makes VECT a wiper in disguise: not even the attackers can recover the data. CPR also found misidentified encryption algorithms, speed flags that are ignored, and numerous design failures across all platform variants. Below, we answer key questions about this Ransomware-as-a-Service (RaaS) operation, its origins, and the technical details that make it more dangerous than initially believed.

What is VECT ransomware and how did it emerge?

VECT is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. It claimed its first two victims in January 2026 and quickly gained notoriety. In March 2026, VECT announced a partnership with TeamPCP, the group behind several high-profile supply-chain attacks that injected malware into popular software like Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx. This partnership aimed to exploit companies affected by those attacks. Shortly after, VECT posted on BreachForums, declaring a collaboration that would allow every registered forum user to become an affiliate, gaining access to the ransomware, a negotiation platform, and a leak site. This move was unusual because most ransomware groups restrict affiliate participation, but VECT used it to rapidly expand its reach.

Image source: research.checkpoint.com

Why does VECT 2.0 effectively act as a wiper?

The core issue is a critical flaw in the encryption implementation. Every file larger than 131,072 bytes (128 KB) is encrypted in four chunks, and VECT discards three of the four nonces needed to decrypt them. Only one chunk of the file is therefore encrypted under a key and nonce that can be recovered; the other three are encrypted with nonces that are never stored, so their contents are permanently lost. Because the threshold is so low (128 KB), virtually any file containing meaningful data—such as VM disks, databases, documents, and backups—is irreversibly destroyed. Full recovery is impossible, even for the attacker. CPR confirmed this flaw exists in every publicly available VECT version, making the ransomware a wiper by accident. In practice, paying the ransom cannot unlock victims' files because the encryption is so broken that no decryption is possible.

What encryption algorithm does VECT actually use?

Public reports have frequently misidentified VECT’s cipher as ChaCha20-Poly1305 AEAD, an authenticated encryption scheme. However, CPR discovered that VECT actually uses raw ChaCha20-IETF (RFC 8439) with no authentication. There is no Poly1305 MAC and no integrity protection. This misidentification appears both in threat intelligence reports and in VECT’s own initial advertising. Without a Poly1305 tag, corrupted ciphertext goes undetected and a decryptor has no way to tell whether its output is the original data; combined with the nonce flaw, this exacerbates the damage. The use of libsodium for cryptographic operations is consistent across all platforms, but the implementation itself is deeply flawed.
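The two points above, the lost nonces and the missing Poly1305 tag, are easiest to see in working code. The following is an added illustration written for this page; it is not VECT's code and not taken from CPR's report. It contains a minimal ChaCha20-IETF (RFC 8439) keystream checked against the RFC test vector, a four-chunk file scheme modelled on the description above (the 128 KB threshold and the four-chunk layout come from the page; the equal-size split, the helper names such as `encrypt_file` and `flawed_nonce_store`, and the assumption that exactly the first nonce survives are constructed for the demonstration), and a short check of what an unauthenticated stream cipher does with tampered ciphertext. Nothing touches the filesystem; the "file" is a constructed byte string.

```python
# Added illustration (not VECT's code and not from CPR's report): a minimal
# ChaCha20-IETF (RFC 8439) keystream, a four-chunk file scheme modelled on the
# description above, and what happens when three of the four nonces are lost.
# The equal-size chunk split, the helper names and the assumption that the
# flawed store keeps only the first nonce are choices made for this demo.
import os
import struct

CHUNK_THRESHOLD = 131_072   # 128 KB, the file size above which chunking starts
NUM_CHUNKS = 4              # four chunks, four nonces
NONCE_LEN = 12              # ChaCha20-IETF uses a 96-bit nonce


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for (key, counter, nonce), per RFC 8439."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & 0xFFFFFFFF]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20: XOR data with the keystream. There is no Poly1305 tag,
    so this never fails; a wrong key or nonce silently yields garbage."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_self_check():
    """Sanity check against the RFC 8439 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_xor(key, nonce, pt, counter=1)
    return ct[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981")


def encrypt_file(key, plaintext):
    """Files above the threshold are cut into NUM_CHUNKS equal parts, each
    encrypted under its own fresh nonce. Returns (nonces, ciphertext_chunks)."""
    if len(plaintext) <= CHUNK_THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return [nonce], [chacha20_xor(key, nonce, plaintext)]
    size = -(-len(plaintext) // NUM_CHUNKS)          # ceiling division
    nonces, chunks = [], []
    for i in range(NUM_CHUNKS):
        nonce = os.urandom(NONCE_LEN)
        nonces.append(nonce)
        chunks.append(chacha20_xor(key, nonce, plaintext[i * size:(i + 1) * size]))
    return nonces, chunks


def flawed_nonce_store(nonces):
    """Models the reported defect: only one of the four nonces survives."""
    return nonces[:1]


def decrypt_file(key, stored_nonces, chunks):
    """Decrypts with whatever nonces were kept. A chunk whose nonce is gone can
    only be attempted with a guess (here: all zeros); with a 96-bit nonce space
    guessing is hopeless, so those chunks are effectively wiped."""
    out = []
    for i, chunk in enumerate(chunks):
        nonce = stored_nonces[i] if i < len(stored_nonces) else bytes(NONCE_LEN)
        out.append(chacha20_xor(key, nonce, chunk))
    return out


def recoverable_chunks(key, plaintext, stored_nonces, chunks):
    """Number of chunks that decrypt back to the original bytes."""
    size = -(-len(plaintext) // len(chunks))
    recovered = decrypt_file(key, stored_nonces, chunks)
    return sum(recovered[i] == plaintext[i * size:(i + 1) * size]
               for i in range(len(chunks)))


def bit_flip_goes_undetected(key):
    """No MAC: flipping one ciphertext bit flips the same plaintext bit and
    nothing raises an error. An AEAD such as ChaCha20-Poly1305 would reject."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytearray(chacha20_xor(key, nonce, b"amount=100"))
    ct[7] ^= 0x01                                   # tamper with one bit
    tampered = chacha20_xor(key, nonce, bytes(ct))  # "decrypts" without complaint
    return tampered != b"amount=100" and len(tampered) == 10


if __name__ == "__main__":
    key = os.urandom(32)
    big = os.urandom(CHUNK_THRESHOLD + 1)            # constructed file, 128 KB + 1 byte
    nonces, chunks = encrypt_file(key, big)
    print("chunks recoverable with all nonces :", recoverable_chunks(key, big, nonces, chunks))
    print("chunks recoverable after nonce loss:", recoverable_chunks(key, big, flawed_nonce_store(nonces), chunks))
    print("tampering undetected:", bit_flip_goes_undetected(key))
```

Run as a script, the first line reports 4 of 4 chunks recoverable and the second 1 of 4: the key is fine, the cipher is fine, and yet three quarters of any file above the threshold are gone. The last line shows the second defect in isolation: because nothing authenticates the ciphertext, the decryptor returns the wrong bytes with the same confidence it returns the right ones, which is also why a victim or an analyst cannot tell from the decryptor alone which chunks came back intact.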


Are the advertised speed modes functional?

No. VECT’s Linux and ESXi variants include command-line flags --fast, --medium

How are the Windows, Linux, and ESXi variants related?

All three variants share an identical encryption design built on libsodium. They use the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw. CPR confirmed that the codebase was simply ported across platforms with minimal changes. This means the destructive behavior is consistent regardless of the target system. The underlying engine is the same, so any vulnerability discovered in one variant applies to all others. This unified architecture suggests a single developer or team behind all versions, rather than separate efforts.

What other bugs and design issues did CPR identify?

Beyond the nonce flaw, CPR found multiple additional bugs. These include self-cancelling string obfuscation that actually does nothing, permanently unreachable anti-analysis code that never executes, and a thread scheduler that actively degrades encryption performance instead of improving it. The professional facade of VECT—with its polished ads and partnership announcements—belies amateur execution. These issues further undermine the reliability of the ransomware, but from an attacker’s perspective, they may not matter if the goal is simply to cause destruction.

What partnerships did VECT announce?

VECT announced two major partnerships. First, it partnered with TeamPCP, responsible for supply-chain attacks in March 2026 that compromised software packages like Trivy, KICS, LiteLLM, and Telnyx. The goal was to target downstream consumers of those tools. Second, VECT partnered with BreachForums, promising that every registered forum user would become an affiliate. This democratization of access is unusual for RaaS groups. Normally, affiliates must apply and be vetted. By opening up to all BreachForums members, VECT aimed to rapidly scale its operations and increase victim volume.
