VECT Ransomware: How a Critical Encryption Flaw Turns It Into an Accidental Wiper

Overview

In the evolving landscape of ransomware, VECT initially appeared as a promising Ransomware-as-a-Service (RaaS) program in December 2025. However, a deep dive by Check Point Research uncovered a catastrophic design flaw: for any file larger than 128 KB, VECT permanently destroys the data instead of encrypting it—even the operators themselves cannot recover it. This tutorial examines the technical underpinnings of that flaw, explaining why VECT is effectively a wiper for most meaningful files, and why its supposedly professional codebase is riddled with amateur mistakes.

VECT Ransomware: How a Critical Encryption Flaw Turns It Into an Accidental Wiper — Source: research.checkpoint.com

Prerequisites

Before diving into the analysis, readers should be comfortable with:

Basic understanding of symmetric encryption (stream ciphers, nonces, authentication).
Familiarity with ransomware operation models (RaaS, affiliates, leak sites).
Ability to read pseudo-code and understand file I/O routines.
Some knowledge of C/C++ and the libsodium library is helpful but not required.

Step-by-Step Analysis of the VECT Encryption Flaw

Step 1: Understanding VECT’s Encryption Engine

VECT uses raw ChaCha20-IETF as specified in RFC 8439, with no authentication. This is not the ChaCha20-Poly1305 AEAD commonly used in modern crypto. The cipher operates in a stream mode, generating a keystream from a 256-bit key and a 96-bit nonce (plus a 32-bit block counter). For each encryption operation, the nonce must be unique—reusing a nonce under the same key enables trivial keystream recovery.

The encryption routine processes files in chunks. VECT divides a file into four fixed-size chunks (up to 131,072 bytes each, i.e., 128 KB). Each chunk gets its own nonce, which is stored together with the encrypted chunk in the output file. The nonce is critical for decryption: without it, the keystream cannot be regenerated.

Step 2: The 128 KB Threshold and the Nonce Bug

Now the fatal flaw: when a file exceeds 131,072 bytes (128 KB), VECT writes the encrypted data but discards three out of four nonces. Only the nonce for the first chunk is retained; the others are overwritten or simply never written to the output. This means that for every file larger than 128 KB, only the first 128 KB can ever be decrypted. The remaining chunks—typically containing the bulk of the data—are permanently lost.

The following pseudo-code illustrates the nonce-handling logic:

# Pseudocode equivalent of VECT's encryption
for each file:
    if file_size > 131072:
        num_chunks = 4
    else:
        num_chunks = file_size / 32768  # actually derived
    
    for i in range(num_chunks):
        chunk = read_chunk(file, i, 131072)
        nonce = generate_nonce()
        encrypted = chacha20_encrypt(key, nonce, chunk)
        # Bug: write_encrypted_chunk() only saves nonce for chunk 0
        if i == 0:
            write_encrypted_chunk(encrypted, nonce)
        else:
            write_encrypted_chunk(encrypted)  # nonce lost!

This bug exists identically in the Windows, Linux, and ESXi variants, confirming a single codebase.

Step 3: Impact on Enterprise Assets

Enterprise files such as virtual machine disk images (VMDK, VHDX), SQL database files, Office documents, and backup archives are typically far larger than 128 KB. For example, a standard VM disk might be 40 GB; after VECT encryption, only the first 128 KB is recoverable—the rest is garbage. This effectively makes VECT a wiper for any file containing meaningful data.

Even the ransomware operators cannot help: they have no master key or backup nonces. The flaw is embedded in their own encryption tool.

Step 4: Advertised Speed Modes Silently Ignored

VECT’s command-line interface includes --fast, --medium, and --secure flags on Linux and ESXi. However, these are parsed but silently ignored. The encryption code applies the same hardcoded thresholds regardless of the flag. This means operators cannot adjust the behavior even if they suspect problems—the tool always runs in a fixed, broken mode.

Step 5: Multiple Additional Bugs and Design Failures

Beyond the nonce issue, researchers found several other amateur mistakes:

Self-cancelling string obfuscation: The code applies XOR obfuscation to strings but then immediately XORs again with the same key, effectively canceling it out.
Permanently unreachable anti-analysis code: Blocks of code are placed behind conditional branches that can never be true, adding dead weight.
Ineffective thread scheduler: A custom thread scheduler intended to improve encryption performance actually introduces overhead, slowing operations.

Common Mistakes in Public Reporting

Mistake 1: Misidentifying the Cipher

Several threat intelligence reports and even VECT’s own advertisements claim the ransomware uses ChaCha20-Poly1305 AEAD. In reality, VECT uses raw ChaCha20-IETF with no authentication tag and no Poly1305 MAC. This mistake matters because analysts expecting authenticated encryption may overlook the complete lack of integrity protection—data can be tampered with undetectably during exfiltration or recovery attempts.

Mistake 2: Assuming Recovery Is Possible

Because the nonce flaw is not widely known, victims or incident responders may assume that payment will restore files. In fact, even if the attackers cooperate, they cannot generate the discarded nonces. Full recovery is impossible for any file above 128 KB.

Mistake 3: Overlooking the Multi-Platform Uniformity

Many analyses treat Windows, Linux, and ESXi versions as separate products with independent codebases. VECT, however, ports the same flawed engine across all three, meaning the identical vulnerability impacts every platform. Defenders should not assume that ESXi or Linux variants are safer.

Summary

VECT ransomware began as a professional-looking RaaS in late 2025, partnering with TeamPCP and BreachForums. But its encryption engine harbors a critical bug: for files larger than 128 KB, three out of four nonces are discarded, making decryption impossible for the vast majority of enterprise data. The cipher is misidentified as ChaCha20-Poly1305 when it is actually unauthenticated ChaCha20-IETF. Additional bugs like ignored speed flags, self-cancelling obfuscation, and a flawed thread scheduler further erode any pretense of quality. Security teams analyzing VECT must understand these details to advise victims accurately: no payment can restore lost data.

Tags: