Ehedrick
2026-05-05
Science & Space

VECT Ransomware 2.0 Revealed as Unintentional Wiper: Critical Encryption Flaw Makes Data Recovery Impossible

Check Point Research reveals VECT 2.0 ransomware has critical encryption flaw that destroys large files, making it an unintentional wiper with no recovery possible.

Breaking: VECT Ransomware Permanently Destroys Large Files Instead of Encrypting Them

A critical flaw in the VECT 2.0 ransomware implementation turns it into an unintentional data wiper for every file larger than 128 KB (131,072 bytes), according to researchers at Check Point Research (CPR). For each such file the bug discards three of the four nonces needed to decrypt it, so full recovery is impossible for anyone, the attackers included: the missing values were never written anywhere.

VECT Ransomware 2.0 Revealed as Unintentional Wiper: Critical Encryption Flaw Makes Data Recovery Impossible
Source: research.checkpoint.com

“This effectively makes VECT a wiper for virtually any file containing meaningful data, such as enterprise assets, VM disks, databases, documents, and backups,” CPR stated in their analysis. The flaw exists across all three platform variants—Windows, Linux, and ESXi—and in all publicly available versions.

Misidentified Cipher and Unimplemented Speed Modes

Public reports have misidentified the cipher. VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication, not the ChaCha20-Poly1305 AEAD previously claimed. There is no Poly1305 MAC and therefore no integrity protection, contradicting both the operators' own advertising and earlier threat intelligence.

Additionally, the advertised encryption speed modes (--fast, --medium and --secure) are parsed but silently ignored in the Linux and ESXi variants. Every execution applies the same hardcoded thresholds regardless of which mode the operator selects.

One Flawed Engine Across All Platforms

The Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw. CPR confirms a single codebase was ported across platforms.
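To make the two cryptographic points above concrete (the discarded nonces for files over the threshold, and the use of raw ChaCha20 with no Poly1305 tag), here is an added example in Python. It is not VECT's code and not CPR's tooling. It implements ChaCha20-IETF from RFC 8439 in pure Python so it runs offline, checks itself against the RFC's own test vector, then models a file-encryption path of the shape the article describes: four chunks, each under a fresh nonce, with only one nonce kept. The 131,072-byte threshold and the four-chunk split come from the article; which nonce survives, the chunk boundaries and the footer layout are assumptions made for illustration. The last function shows why "raw ChaCha20, no MAC" matters: a flipped ciphertext bit becomes a flipped plaintext bit with nothing to detect it, and the ciphertext is exactly as long as the plaintext (an AEAD would append a 16-byte tag).

```python
import os
import struct

MASK32 = 0xFFFFFFFF
LARGE_FILE_THRESHOLD = 128 * 1024   # 131,072 bytes, the threshold named in the article
CHUNKS = 4                          # four-chunk logic, per the article


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    """RFC 8439 section 2.1 quarter round on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 section 2.3 block function: 256-bit key, 32-bit counter, 96-bit nonce."""
    assert len(key) == 32 and len(nonce) == 12
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Raw ChaCha20 keystream XOR. No Poly1305, so encrypt == decrypt and
    the output is exactly as long as the input (no authentication tag)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        chunk = data[i:i + 64]
        ks = chacha20_block(key, counter + i // 64, nonce)[:len(chunk)]
        out += (int.from_bytes(chunk, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(chunk), "little")
    return bytes(out)


def rfc8439_self_check() -> bool:
    """RFC 8439 section 2.4.2 test vector (first 16 ciphertext bytes)."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt, counter=1)[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981")


def vect_style_encrypt(key: bytes, data: bytes):
    """Model of the flawed large-file path: four chunks, each under its own
    fresh nonce, but only ONE nonce is written out. Assumption for this
    illustration: chunk 0's nonce is the one that survives."""
    if len(data) <= LARGE_FILE_THRESHOLD:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, data), [nonce]   # small file: nonce kept
    size = -(-len(data) // CHUNKS)                       # ceil division into 4 pieces
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    nonces = [os.urandom(12) for _ in pieces]
    ct = b"".join(chacha20_xor(key, n, p) for n, p in zip(nonces, pieces))
    return ct, nonces[:1]                                # the bug: three nonces discarded


def vect_style_decrypt(key: bytes, ct: bytes, stored_nonces):
    """Decrypt with what the key holder actually has. Chunks whose nonce was
    never stored cannot be recovered and are returned as None."""
    if len(ct) <= LARGE_FILE_THRESHOLD:
        return [chacha20_xor(key, stored_nonces[0], ct)]
    size = -(-len(ct) // CHUNKS)
    pieces = [ct[i:i + size] for i in range(0, len(ct), size)]
    return [chacha20_xor(key, stored_nonces[i], p) if i < len(stored_nonces) else None
            for i, p in enumerate(pieces)]


def recoverable_fraction(key: bytes, data: bytes) -> float:
    """Fraction of a file's chunks that the key holder can restore."""
    ct, stored = vect_style_encrypt(key, data)
    out = vect_style_decrypt(key, ct, stored)
    return sum(p is not None for p in out) / len(out)


def malleable_without_mac(key: bytes) -> bool:
    """No Poly1305 tag: flipping one ciphertext bit flips one plaintext bit and
    nothing detects it; an AEAD would reject the modified ciphertext outright."""
    nonce, pt = os.urandom(12), b"balance=0000100"       # constructed sample plaintext
    ct = bytearray(chacha20_xor(key, nonce, pt))
    ct[-1] ^= 0x01                                       # '0' (0x30) becomes '1' (0x31)
    return chacha20_xor(key, nonce, bytes(ct)) == b"balance=0000101" and len(ct) == len(pt)


if __name__ == "__main__":
    k = os.urandom(32)
    print("RFC 8439 vector ok:", rfc8439_self_check())
    print("small file recoverable:", recoverable_fraction(k, os.urandom(4096)))
    print("large file recoverable:", recoverable_fraction(k, os.urandom(LARGE_FILE_THRESHOLD + 1)))
    print("raw ChaCha20 malleable:", malleable_without_mac(k))
```

Running it reports a recoverable fraction of 1.0 for a file under the threshold and 0.25 for a file one byte over it. Each missing nonce is 96 bits, so brute force is not an option; with the key and the one stored nonce the holder gets back a quarter of the file and three quarters of keystream-masked bytes that no decryptor can undo. The length check in the last function is also the quickest way to tell raw ChaCha20 from ChaCha20-Poly1305 in a sample: an AEAD output is 16 bytes longer than its input.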

“Professional facade, amateur execution,” CPR notes, pointing to several further defects: string obfuscation that cancels itself out, anti-analysis code that can never be reached, and a thread scheduler that degrades the encryption performance it was meant to improve.

Background: VECT Ransomware and Its Rise

VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming its first two victims in January 2026, the group gained public attention through a partnership with TeamPCP, the actor behind multiple supply-chain attacks in March 2026. Those attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.


Shortly after those attacks made headlines, VECT posted on BreachForums announcing their partnership with TeamPCP, aiming to exploit companies affected by those supply-chain attacks. Additionally, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate, gaining access to the ransomware, negotiation platform, and leak site.


Key Timeline

  • December 2025: VECT first advertised on Russian cybercrime forum.
  • January 2026: First two victims claimed.
  • March 2026: Partnership with TeamPCP; supply-chain attacks on Trivy, KICS, LiteLLM, Telnyx.
  • Post-March 2026: BreachForums partnership announced; VECT becomes open RaaS.

What This Means

For affected organizations, the flaw removes any prospect of recovering files above 128 KB, even if the ransom is paid: the nonces needed to decrypt three quarters of each such file no longer exist anywhere, so no decryptor from the attackers can help. Since VM disks, databases, documents and backups are almost all above that size, the ransomware acts as a wiper for virtually all meaningful data, turning a financial extortion threat into a destructive data-loss event. Security teams should treat VECT infections as destructive incidents requiring full incident response and restoration from clean, offline backups, and should not spend negotiation time on the assumption that a working decryptor exists.

Furthermore, threat intelligence that describes the cipher as ChaCha20-Poly1305 will mislead anyone writing signatures, decryptor tooling or triage notes; the implementation is raw ChaCha20 and its ciphertext carries no tag. Because there is no authentication, any corrupted or tampered ciphertext decrypts silently to garbage instead of failing, so even where decryption is possible the integrity of the result cannot be verified. The amateur errors in the code indicate that VECT's operators are less sophisticated than their branding suggests, which makes further operational mistakes in future attacks likely.

“Organizations should not assume that paying a ransom will recover their data,” warns a CPR spokesperson. “VECT is not a ransomware—it is a wiper disguised as one.”