VECT Ransomware 2.0 Revealed as Unintentional Wiper: Critical Encryption Flaw Makes Data Recovery Impossible
<h2>Breaking: VECT Ransomware Permanently Destroys Large Files Instead of Encrypting Them</h2>
<p>A critical flaw in the VECT 2.0 ransomware implementation turns it into an unintentional data wiper for files larger than 128 KB, according to researchers at <strong>Check Point Research (CPR)</strong>. The bug discards three out of four decryption nonces for every file above 131,072 bytes, making full recovery impossible for anyone—including the attackers themselves.</p>
<figure style="margin:20px 0"><img src="https://research.checkpoint.com/wp-content/uploads/2026/04/Cover2-1024x576.png" alt="VECT Ransomware 2.0 Revealed as Unintentional Wiper: Critical Encryption Flaw Makes Data Recovery Impossible" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: research.checkpoint.com</figcaption></figure>
<p>“This effectively makes VECT a wiper for virtually any file containing meaningful data, such as enterprise assets, VM disks, databases, documents, and backups,” <em>CPR stated in their analysis</em>. The flaw exists across all three platform variants—Windows, Linux, and ESXi—and in all publicly available versions.</p>
<h2>Misidentified Cipher and Unimplemented Speed Modes</h2>
<p>Public reports have incorrectly identified the cipher used. VECT employs raw <strong>ChaCha20-IETF (RFC 8439)</strong> with <em>no authentication</em>, not ChaCha20-Poly1305 AEAD as previously claimed. There is no Poly1305 MAC and no integrity protection, contradicting the initial advertisements and threat intelligence.</p>
<p>Additionally, the advertised encryption speed modes—<code>--fast</code>, <code>--medium</code>, and <code>--secure</code>—are parsed but silently ignored in the Linux and ESXi variants. Every execution applies the same hardcoded thresholds regardless of which mode the operator selects.</p>
<h2>One Flawed Engine Across All Platforms</h2>
<p>The Windows, Linux, and ESXi variants share an identical encryption design built on <strong>libsodium</strong>, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw. CPR confirms a single codebase was ported across platforms.</p>
<p>“Professional facade, amateur execution,” <em>CPR notes</em>, highlighting multiple additional bugs: self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that degrades the encryption performance it was meant to improve.</p>
<h2>Background: VECT Ransomware and Its Rise</h2>
<p>VECT Ransomware is a <strong>Ransomware-as-a-Service (RaaS)</strong> program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming its first two victims in January 2026, the group gained public attention through a partnership with <strong>TeamPCP</strong>, the actor behind multiple supply-chain attacks in March 2026. Those attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.</p>
<p>Shortly after those attacks made headlines, VECT posted on <strong>BreachForums</strong> announcing their partnership with TeamPCP, aiming to exploit companies affected by those supply-chain attacks. Additionally, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate, gaining access to the ransomware, negotiation platform, and leak site.</p>
<h3>Key Timeline</h3>
<ul>
<li><strong>December 2025:</strong> VECT first advertised on a Russian-language cybercrime forum.</li>
<li><strong>January 2026:</strong> First two victims claimed.</li>
<li><strong>March 2026:</strong> Partnership with TeamPCP; supply-chain attacks on Trivy, KICS, LiteLLM, Telnyx.</li>
<li><strong>Post-March 2026:</strong> BreachForums partnership announced; VECT becomes an open RaaS.</li>
</ul>
<h2 id="what-this-means">What This Means</h2>
<p>For affected organizations, the encryption flaw eliminates any hope of data recovery—even if a ransom is paid. The ransomware acts as a wiper for virtually all meaningful files, turning a financial extortion threat into a destructive data-loss event. Security teams should treat VECT infections as destructive incidents requiring incident response and backup restoration from clean, offline copies.</p>
<p>Furthermore, the misidentification of the cipher may lead to incorrect threat assessments by defenders. The lack of authentication means that even if decryption were possible, data integrity could not be guaranteed. The amateur errors exposed in its development indicate that the VECT operators may be less sophisticated than their professional branding suggests, which may lead to more operational mistakes in future attacks.</p>
<p>“Organizations should not assume that paying a ransom will recover their data,” <em>warns a CPR spokesperson</em>. “VECT is not a ransomware—it is a wiper disguised as one.”</p>
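<p>To make the recovery argument above concrete, the following is an added Python model (not CPR's code and not anything taken from VECT) of a four-chunk scheme in which each chunk of a file above 128 KB is encrypted with raw ChaCha20-IETF under its own random nonce. The ChaCha20 block function is a pure-Python RFC 8439 implementation; the chunk layout, a block counter starting at 0, and all function names are assumptions, and <code>simulate_vect_bug</code> models only what the analysis reports: one nonce kept, three discarded.</p>

```python
import os
import struct

MASK = 0xFFFFFFFF
LARGE_FILE_THRESHOLD = 131072   # 128 KB: above this VECT splits a file into four chunks
CHUNKS = 4

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):  # RFC 8439 section 2.1
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3): constants | key | counter | 96-bit nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data):
    """Raw ChaCha20 stream XOR with no Poly1305 tag, as in VECT; counter starts at 0 (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], chacha20_block(key, i // 64, nonce)))
    return bytes(out)

def encrypt_four_chunks(key, data):
    """Model of the four-chunk design: each chunk under its own random 96-bit nonce (layout assumed)."""
    size = -(-len(data) // CHUNKS)
    nonces = [os.urandom(12) for _ in range(CHUNKS)]
    return [chacha20_xor(key, n, data[i * size:(i + 1) * size]) for i, n in enumerate(nonces)], nonces

def simulate_vect_bug(nonces):
    """The reported flaw: only the first nonce is kept, the other three are discarded (None)."""
    return [nonces[0]] + [None] * (CHUNKS - 1)

def recover(key, chunks, nonces):
    """Decrypt each chunk whose nonce survived; a chunk with nonce None is unrecoverable even with
    the correct key, because the keystream depends on (key, nonce), not on the key alone."""
    return [chacha20_xor(key, n, c) if n is not None else None for c, n in zip(chunks, nonces)]
```

<p>With the correct key but only the surviving nonce, just the first quarter of any file above the threshold decrypts; the other three chunks are keystream-XORed data whose keystream can no longer be regenerated, which is why the flaw behaves as a wiper rather than a broken decryptor.</p>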