The VECT 2.0 Encryption Disaster: Ransomware That Wipes Files Instead of Locking Them
Introduction
In a surprising turn of events, researchers at Check Point Software Technologies have uncovered a critical flaw in the VECT 2.0 ransomware that makes it behave more like a destructive wiper than a typical file-encrypting malware. Instead of locking files for ransom, the ransomware permanently destroys large files due to a fundamental error in its encryption implementation. This discovery has serious implications for organizations targeted by this emerging threat, as even paying the ransom cannot restore lost data.

Key Findings from Check Point Research
Fatal Nonce Flaw Turns Encryption into Data Destruction
Check Point Research (CPR) identified that VECT 2.0 ransomware, when processing files larger than 131,072 bytes (128 KB), discards three out of four decryption nonces. This error makes full recovery impossible, even for the attackers themselves. As a result, any file above that small threshold—including virtual machine disks, databases, documents, and backups—is effectively destroyed. The ransomware is therefore a wiper by accident, despite being marketed as file-encrypting software.
Misidentified Cipher: Not ChaCha20-Poly1305
Contrary to widely cited threat intelligence reports and VECT's own advertising, the ransomware does not use the ChaCha20-Poly1305 authenticated encryption construction. It relies on raw ChaCha20-IETF (RFC 8439) with no Poly1305 message authentication code (MAC). Without the MAC, nothing verifies ciphertext integrity: a corrupted or tampered ciphertext decrypts silently to corrupted plaintext rather than failing, and neither victim nor attacker can tell a damaged file from an intact one before decrypting it.
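The two findings above (lost nonces, no Poly1305) can be shown with a few lines of code. The block below is an added example and not VECT's own code: it contains a pure-Python ChaCha20-IETF core checked against the RFC 8439 block-function test vector, a hypothetical model of the reported bug in which files over 131,072 bytes are encrypted as four chunks under four fresh nonces but only the first nonce is written out (which nonce survives, and how the chunks are split, are assumptions, since the page does not say), and a tampering demonstration. The function and constant names are illustrative.

```python
"""Added example (not VECT's code): ChaCha20-IETF (RFC 8439) in pure Python,
used to show why discarding nonces makes ciphertext unrecoverable and why
raw ChaCha20 without Poly1305 gives no integrity protection."""
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 2.3): 32-byte key, 32-bit counter, 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state += (counter,) + struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20 stream: XOR data with keystream. Same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        chunk = data[off:off + 64]
        ks = chacha20_block(key, counter + off // 64, nonce)[:len(chunk)]
        out += (int.from_bytes(chunk, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(chunk), "little")
    return bytes(out)


LARGE_FILE_THRESHOLD = 131072  # 128 KB, the threshold CPR reports
NUM_CHUNKS = 4                 # the four-chunk logic CPR reports
DEMO_KEY = bytes(range(32))    # constructed demo key


def _chunk_bounds(length):
    """Assumed split: four near-equal chunks, remainder in the last one."""
    base = length // NUM_CHUNKS
    return [(i * base, length if i == NUM_CHUNKS - 1 else (i + 1) * base) for i in range(NUM_CHUNKS)]


def encrypt_file_vect_style(key, plaintext):
    """Hypothetical model of the bug. Returns (ciphertext, nonces that reach disk)."""
    if len(plaintext) <= LARGE_FILE_THRESHOLD:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, plaintext), [nonce]
    nonces = [os.urandom(12) for _ in range(NUM_CHUNKS)]
    ct = b"".join(chacha20_xor(key, n, plaintext[s:e])
                  for n, (s, e) in zip(nonces, _chunk_bounds(len(plaintext))))
    return ct, nonces[:1]  # modelled bug: three of the four nonces are discarded


def decrypt_file_vect_style(key, ciphertext, stored_nonces):
    """Best-effort decryption with the surviving nonces; None marks an unrecoverable chunk."""
    if len(ciphertext) <= LARGE_FILE_THRESHOLD:
        return [chacha20_xor(key, stored_nonces[0], ciphertext)]
    return [chacha20_xor(key, stored_nonces[i], ciphertext[s:e]) if i < len(stored_nonces) else None
            for i, (s, e) in enumerate(_chunk_bounds(len(ciphertext)))]


def recovered_fraction(key, plaintext):
    """Fraction of plaintext bytes the 'decryptor' can give back, even holding the key."""
    ct, nonces = encrypt_file_vect_style(key, plaintext)
    parts = decrypt_file_vect_style(key, ct, nonces)
    bounds = _chunk_bounds(len(plaintext)) if len(plaintext) > LARGE_FILE_THRESHOLD else [(0, len(plaintext))]
    ok = sum(e - s for p, (s, e) in zip(parts, bounds) if p == plaintext[s:e])
    return ok / len(plaintext)


def tamper_undetected(key):
    """No Poly1305 tag: flipping one ciphertext byte silently flips the plaintext byte."""
    nonce = os.urandom(12)
    msg = b"transfer 100 USD to account 0001"  # constructed message
    ct = bytearray(chacha20_xor(key, nonce, msg))
    ct[9] ^= ord("1") ^ ord("9")               # turn "100" into "900" in the ciphertext
    return chacha20_xor(key, nonce, bytes(ct))  # decrypts without any error


if __name__ == "__main__":
    print("small file recovered:", recovered_fraction(DEMO_KEY, b"A" * 1000))
    print("large file recovered:", recovered_fraction(DEMO_KEY, bytes(range(256)) * 800))
    print("tampered decrypt:", tamper_undetected(DEMO_KEY))
```

A file under the threshold round-trips; a 200 KB file comes back only one quarter intact, and the missing three quarters are lost to the key holder as well, because a ChaCha20 keystream cannot be regenerated without its nonce. The tampering call returns an altered message with no error, which is exactly what a Poly1305 tag would have prevented.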
Advertised Speed Modes Silently Ignored
The --fast, --medium, and --secure command-line flags present in the Linux and ESXi variants are parsed but then silently ignored. Every execution applies identical hardcoded thresholds, regardless of the operator's selection. This means the claimed performance optimization is entirely fake.
One Flawed Engine Across Three Platforms
The Windows, Linux, and ESXi variants of VECT share an identical encryption design built on the libsodium library. They use the same file-size thresholds, the same four-chunk logic for processing, and the same nonce-handling flaw. This confirms that the ransomware was developed from a single codebase ported across platforms, rather than separate implementations.
Multiple Additional Bugs and Design Failures
Beyond the critical nonce flaw, CPR identified numerous other issues in all variants. These include self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that actually degrades the encryption performance it was meant to improve. Overall, the ransomware exhibits a professional facade but amateur execution.
Background: VECT Ransomware and Its Partnerships
VECT first appeared in December 2025 on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) program. It claimed its first two victims in January 2026. The group gained wider attention after announcing a partnership with TeamPCP, the threat actor behind several high-profile supply-chain attacks in March 2026. Those attacks injected malware into popular software packages such as Trivy, Checkmarx's KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.

Soon after those attacks made headlines, VECT posted on BreachForums to announce the partnership with TeamPCP, with the goal of exploiting companies that were compromised in the supply-chain incidents. Additionally, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate and gain access to the VECT ransomware, negotiation platform, and leak site. This unusual move opened the ransomware to a wide range of low-level actors.
Implications for Defenders
The discovery that VECT is effectively a wiper has serious consequences. Organizations hit by this ransomware cannot rely on a decryptor, even if they pay the ransom: for any file above 128 KB the attackers never retained the nonces needed to regenerate the keystream. The only reliable recovery path is a robust backup strategy with offline or immutable copies, paired with proactive detection to stop the intrusion before files are touched. Note that the flaw is invisible from the outside: the encryption routine still rewrites files with high-entropy output, so the observable behavior (mass file modification, entropy spikes, renamed files, ransom notes) is the same as for working ransomware. Security teams should therefore tune monitoring for the usual ransomware tradecraft and treat any VECT detection as an incident with no decryption option.
Furthermore, the misidentification of the cipher in public reporting highlights the importance of independent technical analysis. Relying solely on threat intelligence reports without verification can lead to incorrect assumptions about a malware's capabilities. Organizations should consult primary research like CPR's findings to update their threat models.
Conclusion
The VECT 2.0 ransomware, despite its professional appearance, contains fundamental flaws that render it more dangerous than intended. Its encryption design inadvertently destroys data, and its advertised features are either absent or broken. As the ransomware landscape evolves, this case serves as a reminder that even sophisticated-sounding malware can be built on shaky foundations. Defenders must remain vigilant and base their protections on verified technical details rather than marketing claims.