VECT Ransomware: A Critical Flaw Turns Ransomware into Unintentional Data Wiper
The Accidental Wiper: VECT Ransomware’s Fatal Flaw
Imagine a ransomware that, instead of holding your data for ransom, permanently destroys it. That’s precisely the reality uncovered by Check Point Research (CPR) in VECT 2.0. This Ransomware-as-a-Service (RaaS) program, which first surfaced in late 2025, carries a devastating encryption bug that makes large files unrecoverable. For victims, this means that even if they pay the ransom, their critical enterprise assets—like virtual machine disks, databases, and backups—are gone forever. In essence, VECT is a wiper in ransomware’s clothing.

The Critical Encryption Flaw: How a Nonce Error Wipes Files
CPR discovered that VECT 2.0 uses a flawed implementation of ChaCha20-IETF (RFC 8439) encryption. The ransomware splits files into four chunks, each requiring a separate nonce (a unique number used once) for decryption. However, for any file larger than 131,072 bytes (128 KB), the encryption engine discards three of the four nonces. The result? Only the first 32 KB of the file can be decrypted; the rest becomes gibberish. This flaw exists across all three platform variants: Windows, Linux, and ESXi.
Why Large Files Are Doomed
The 128 KB threshold is alarmingly low. In enterprise environments, virtually every meaningful file—documents, spreadsheets, databases, VM disks, and backups—exceeds this size. For example, a 1 GB virtual machine disk would have only its first 32 KB recoverable; the remaining 99.99% of the data is permanently lost. This makes VECT a wiper, not ransomware. Even the attackers cannot reverse the damage, because the discarded nonces are never stored or transmitted. Full recovery is impossible for anyone.
ChaCha20 Misidentification: No Authentication, No Integrity
Multiple threat intelligence reports and VECT’s own advertisements claimed the ransomware used ChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data). CPR found this to be false. VECT uses raw ChaCha20 without any authentication—no Poly1305 MAC tag, no integrity protection. This means encrypted data can be silently corrupted or tampered with without detection. The misidentification underscores the gap between the group’s marketing and its actual code.
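To make the two points above concrete (why a chunk encrypted under a lost ChaCha20 nonce is unrecoverable even with the key, and why raw ChaCha20 without Poly1305 detects neither a wrong nonce nor a modified byte), here is an added example written for this page. It is not VECT's code and not taken from CPR's analysis. It implements ChaCha20-IETF (RFC 8439) in pure Python and models the flaw on an in-memory buffer: four chunks, a fresh 96-bit nonce each, and, for inputs over 128 KB, only the first nonce kept. The 32 KB first chunk and the 128 KB threshold follow the page; the layout of the other three chunks and the use of random nonces are assumptions.

```python
"""Added illustration of the flaw described above (not VECT's code): raw
ChaCha20-IETF per RFC 8439, applied to an in-memory buffer in four chunks.
Chunk layout, random nonces and the 'keep only the first nonce' step are
assumptions that model the page's description, not recovered behaviour."""
import os
import struct

MASK32 = 0xFFFFFFFF
FIRST_CHUNK = 32 * 1024   # the page: only the first 32 KB stay decryptable
CHUNKS = 4                # the page: files are processed as four chunks
THRESHOLD = 131_072       # the page: the bug triggers above 128 KB


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 section 2.3: one 64-byte keystream block from a 32-byte key,
    a 32-bit block counter and a 96-bit nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = list(state)
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data):
    """Keystream XOR. The same call encrypts and decrypts; without a Poly1305
    tag nothing distinguishes a wrong nonce or a modified byte from good data."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = data[i:i + 64]
        ks = chacha20_block(key, i // 64, nonce)[:len(block)]
        out += (int.from_bytes(block, "little")
                ^ int.from_bytes(ks, "little")).to_bytes(len(block), "little")
    return bytes(out)


def chunk_ranges(size):
    """Assumed layout: chunk 0 is the first 32 KB, chunks 1-3 split the rest."""
    if size <= FIRST_CHUNK:
        return [(0, size)]
    rest = size - FIRST_CHUNK
    cuts = [FIRST_CHUNK + rest * i // (CHUNKS - 1) for i in range(CHUNKS)]
    return [(0, FIRST_CHUNK)] + list(zip(cuts, cuts[1:]))


def encrypt_like_vect(key, plaintext):
    """Model of the bug: every chunk gets a fresh nonce, but above the
    threshold only the first nonce survives. Returns (ciphertext, kept_nonces)."""
    ranges = chunk_ranges(len(plaintext))
    nonces = [os.urandom(12) for _ in ranges]
    ct = bytearray(plaintext)
    for (start, end), nonce in zip(ranges, nonces):
        ct[start:end] = chacha20_xor(key, nonce, plaintext[start:end])
    kept = nonces[:1] if len(plaintext) > THRESHOLD else nonces
    return bytes(ct), kept


def recover(key, ciphertext, kept_nonces):
    """What a decryptor holding the key can give back: one chunk per surviving
    nonce. Each missing nonce has 2^96 candidates, so those chunks are gone."""
    out = bytearray()
    for (start, end), nonce in zip(chunk_ranges(len(ciphertext)), kept_nonces):
        out += chacha20_xor(key, nonce, ciphertext[start:end])
    return bytes(out)


def tamper_is_silent(key, nonce, plaintext, offset, mask):
    """Malleability of unauthenticated ChaCha20: flipping ciphertext bits flips
    the same plaintext bits, and decryption raises nothing."""
    ct = bytearray(chacha20_xor(key, nonce, plaintext))
    ct[offset] ^= mask
    pt = chacha20_xor(key, nonce, bytes(ct))
    return pt[offset] == plaintext[offset] ^ mask and pt[:offset] == plaintext[:offset]


def rfc8439_known_answer_ok():
    """Self-check against the RFC 8439 section 2.3.2 block-function vector."""
    key, nonce = bytes(range(32)), bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")
```

Run against a constructed 100 KB buffer, all four nonces survive and `recover` returns the whole input; against a 200 KB buffer only one nonce survives and `recover` returns exactly the first 32 KB, which is the most any decryptor, including the operators' own, can produce. For an incident responder the practical check is therefore whether the first 32 KB of an affected file decrypt with the recovered key; everything past that point is indistinguishable from random and no payment changes that. `tamper_is_silent` shows the second point: with no Poly1305 tag, a flipped ciphertext byte simply becomes a flipped plaintext byte with no error raised.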
Multi-Platform Vulnerability: One Flaw, Three Platforms
VECT 2.0 targets Windows, Linux, and ESXi environments using a single encryption engine built on libsodium. CPR confirmed that all three variants share identical file-size thresholds, the same four-chunk logic, and the same nonce-handling bug. This consistency reveals a unified codebase ported across operating systems, meaning no platform is safe. The flaw is present in every publicly available VECT version since its inception.
Amateur Execution Behind a Professional Facade
Beyond the nonce disaster, CPR identified multiple additional bugs and design failures that betray the group’s amateur coding practices. For instance, the advertised --fast, --medium, and --secure speed modes on Linux and ESXi variants are parsed but silently ignored. Every execution applies identical hardcoded thresholds regardless of operator selection. The group also included self-cancelling string obfuscation and permanently unreachable anti-analysis code. Even the thread scheduler, meant to improve performance, actively degrades encryption speed.

Background: VECT’s Emergence and Dangerous Partnerships
VECT debuted in December 2025 on a Russian-language cybercrime forum and claimed its first two victims in January 2026. The group returned to the spotlight after announcing a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. Those attacks injected malware into popular software packages like Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx, affecting a large downstream user base. VECT proactively targeted companies already compromised by TeamPCP, aiming to extort them a second time.
Additionally, VECT announced a partnership with BreachForums, promising every registered forum user affiliate status to use VECT’s ransomware, negotiation platform, and leak site. This move indicated an intent to scale up attacks, but the accidental wiper behavior undermines the entire operation. Victims may refuse to pay if they realize data is already destroyed, and the group risks losing credibility.
Conclusion: A Cautionary Tale in Ransomware Development
VECT 2.0 serves as a stark reminder that even sophisticated-looking ransomware can harbor critical flaws. The accidental wiper behavior, combined with misidentified cryptography and ignored speed modes, shows that professional marketing cannot hide amateur execution. For defenders, the key takeaway is that backups remain essential—but with VECT, even the backup drive may be targeted and permanently lost. Organizations should prioritize comprehensive offline backup strategies and monitor for signs of this specific ransomware variant.