VECT Ransomware's Encryption Flaw Turns It Into a Data Wiper, Researchers Warn
VECT ransomware's encryption flaw accidentally wipes large files instead of encrypting them, making full recovery impossible, Check Point Research finds.
Breaking News — A critical encryption flaw in the VECT ransomware permanently destroys large files rather than encrypting them, effectively making the malware a wiper for enterprise data, Check Point Research (CPR) announced today.
Researchers discovered that a bug in VECT’s nonce handling discards three out of four decryption keys for every file larger than 128 KB. This means that for any file containing meaningful data—such as virtual machine disks, databases, documents, and backups—full recovery is impossible, even for the attackers themselves.
“VECT is ransomware by design but a wiper by accident,” said a CPR researcher. “No one, including the operator, can restore these files. It’s a catastrophic failure for victims hoping to pay and recover their data.”
Critical Encryption Flaw Across All Platforms
The flaw affects all three versions of VECT—Windows, Linux, and ESXi—which share the same encryption engine built on libsodium. The bug is present in every publicly available version, CPR confirmed.

Contrary to earlier reports, VECT uses raw ChaCha20-IETF (RFC 8439) without authentication, not ChaCha20-Poly1305. “There is no Poly1305 MAC and no integrity protection,” the report states, meaning data corruption is irreversible.
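The following added example (not code from CPR's report or from VECT) shows why a discarded nonce is fatal under raw ChaCha20-IETF and why nothing flags the bad output. It assumes a simplified, constructed layout of four chunks, each encrypted under its own random nonce with only the last nonce kept; the names `encrypt_chunks`, `recover` and `demo` are hypothetical, and VECT's real on-disk format is not described on this page.

```python
import os
import struct

def _rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    # ChaCha quarter round on state words a, b, c, d (RFC 8439, section 2.1)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_ietf(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: 32-byte key, 12-byte nonce, XOR keystream, no MAC."""
    out = bytearray()
    for i in range(0, len(data), 64):
        init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
                *struct.unpack("<8I", key), counter + i // 64,
                *struct.unpack("<3I", nonce)]
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13)
            _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
            _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12)
            _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
        ks = struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def encrypt_chunks(key, chunks):
    """Assumed model: every chunk is encrypted under a fresh random nonce."""
    nonces = [os.urandom(12) for _ in chunks]
    return [chacha20_ietf(key, n, c) for n, c in zip(nonces, chunks)], nonces

def recover(key, ct_chunks, retained_nonce):
    """Decrypt every chunk with the one surviving nonce; never raises."""
    return [chacha20_ietf(key, retained_nonce, c) for c in ct_chunks]

def demo():
    key = bytes(range(32))                                     # constructed key
    chunks = [b"chunk-%d:" % i + bytes(55) for i in range(4)]  # constructed data
    ct, nonces = encrypt_chunks(key, chunks)
    got = recover(key, ct, nonces[-1])   # three of the four nonces are gone
    return [g == c for g, c in zip(got, chunks)]  # per-chunk recovery result
```

Even with the correct key, only the chunk whose nonce survived decrypts; the others come back as silent garbage because there is no authentication tag to fail.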
Speed Modes Are Fake
The advertised encryption speed modes (--fast, --medium, and --secure) are parsed but silently ignored. Every execution applies identical thresholds, regardless of operator selection.
Amateur Execution Behind Professional Facade
CPR also identified multiple bugs, including self-cancelling string obfuscation, unreachable anti-analysis code, and a thread scheduler that actually degrades encryption performance.

Background
VECT is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. Its first victims were claimed in January 2026.
In March 2026, VECT partnered with TeamPCP, the group behind supply-chain attacks that injected malware into popular tools like Trivy, Checkmarx KICS, LiteLLM, and Telnyx. After those attacks made headlines, VECT announced the partnership on BreachForums.
Additionally, VECT partnered with BreachForums itself, promising every registered user affiliate access to the ransomware, negotiation platform, and leak site.
What This Means
For victims, paying the ransom will not restore the affected files, because they are not encrypted; they are irreparably wiped. Any file larger than 128 KB is permanently destroyed.
“Enterprises that back up large data are especially vulnerable,” the researcher added. “VM disks, databases, and archives are all at risk of total loss.”
Security teams should immediately isolate any VECT-infected systems and treat all affected large files as unrecoverable. The flaw also undermines the ransomware’s credibility, exposing the group as amateurs despite their professional marketing.
- Key takeaway: VECT wipes large files; full recovery impossible.
- Recommendation: Do not pay ransom; focus on restoring from clean backups.