VECT 2.0 Ransomware Destroys Files on Windows, Linux, and ESXi
Key Takeaways
- VECT 2.0 is a new ransomware variant that functions as a data wiper due to a critical encryption flaw.
- It permanently destroys files larger than 128 KB on Windows, Linux, and VMware ESXi systems.
- Recovery is impossible even if a ransom is paid, as the encryption process itself renders most data unrecoverable.
- The ransomware operates as a Ransomware-as-a-Service (RaaS) and has an open affiliate model, making it accessible to a wider range of threat actors.
VECT 2.0 Ransomware: A Destructive Flaw Turns Encryption into Data Wiping
A new ransomware strain, VECT 2.0, is drawing significant attention within the cybersecurity community, not merely for its encryption capabilities but for a fundamental flaw that transforms it into an unintentional data wiper. This variant’s design defect leads to the irreversible destruction of any file exceeding 128 KB on compromised Windows, Linux, and VMware ESXi systems, making data recovery impossible, irrespective of ransom payment.
Evolution and Reach of VECT Ransomware
VECT ransomware first emerged in December 2025, appearing on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) offering. The group quickly escalated its operations, claiming its initial two victims in January 2026. A significant expansion occurred in February 2026 with the release of version 2.0, which extended its destructive capabilities across Windows, Linux, and VMware ESXi environments.
The malware gained broader notoriety in March 2026 following an announced partnership between VECT and TeamPCP. TeamPCP is a known threat actor responsible for supply-chain attacks that have injected malicious code into widely used software packages, including Trivy, Checkmarx KICS, LiteLLM, and Telnyx, thereby impacting a substantial number of downstream users.
Unveiling the Operation: Check Point’s Investigation
Analysts at Check Point Research successfully identified and analyzed all three VECT 2.0 variants. Their breakthrough came after gaining access to the ransomware’s builder panel via a BreachForums account. This investigation further revealed an astonishing partnership: VECT allied with BreachForums itself, offering every registered forum member free access to deploy the ransomware as an affiliate. This open-affiliate model bypasses traditional vetting processes, drastically lowering the entry barrier for less experienced cybercriminals to participate in ransomware campaigns.
The ransomware, developed in C++, targets all three platforms using statically compiled executables that share a common codebase. Each variant employs the ChaCha20-IETF (RFC 8439) cipher through the libsodium cryptographic library. Encrypted files are renamed with the .vect extension, and a ransom note, named !!!READ_ME!!!.txt, is dropped on affected systems. Despite a seemingly polished builder panel, Check Point noted that the technical execution of the ransomware itself falls short of professional standards.
The Critical Flaw: Nonce Handling Leads to Data Destruction
The most alarming discovery concerning VECT 2.0 is a critical coding flaw that effectively transforms the ransomware into a data wiper. Any file exceeding 131,072 bytes (128 KB) is not properly encrypted; instead, it becomes permanently unrecoverable. This flaw directly targets the very data that organizations rely on for their operations.
The Nonce-Handling Flaw That Destroys Large Files
The root of this problem lies in a fundamental error in how VECT 2.0 manages cryptographic nonces during file encryption. When processing a large file, the malware divides it into four distinct chunks. Each chunk is then encrypted using a newly generated, random 12-byte nonce. However, all four encryption calls write their respective nonces into the same shared memory buffer. This design means that each new nonce overwrites the previous one. Consequently, by the time the encryption process concludes, only the nonce from the fourth and final chunk remains and is written to the encrypted file on disk.
Since ChaCha20-IETF decryption requires both the encryption key and the exact nonce used for each chunk, the first three-quarters of every large file are irrecoverable by any means. Across all three variants, the nonces for those first three chunks are never written to disk, stored in the registry, or transmitted to the attacker’s server. Even if a victim paid the ransom in full, the operator could not supply a working decryptor, because the nonces needed for decryption were lost the moment the shared buffer was overwritten. A threshold of only 128 KB covers virtually every file type that matters, from virtual machine disk images and databases to backups, spreadsheets, and email archives.
Check Point Research confirmed that this critical flaw is present in all three platform variants and predates the 2.0 release, indicating it has existed in earlier deployments without ever being rectified.
What You Should Do
- Maintain robust, offline, and air-gapped backups that are inaccessible via network shares or lateral movement within your infrastructure.
- Implement monitoring for indicators of compromise such as bulk process terminations, sudden deletion of shadow copies, and widespread file renaming to the .vect extension, which can provide early warning of an active infection.
- Given VECT’s partnership with TeamPCP, rigorously validate the integrity of all third-party software dependencies and supply chain components.
- Monitor for the behavioral indicators associated with this ransomware, including PowerShell-based disabling of Windows Defender, event log clearing, and unusual safe-mode boot configuration changes.
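The two file-system indicators named above, widespread renaming to the .vect extension and the !!!READ_ME!!!.txt ransom note, lend themselves to a simple rate-based detection. The following is an added example, not a detection from Check Point or from any vendor product: it parses a constructed audit-log format (timestamp, action, path), raises one alert when the number of renames to .vect inside a sliding window crosses a threshold, and another when the ransom note appears. The log format, window size and threshold are assumptions to adapt to your own telemetry.

```python
from collections import deque
from datetime import datetime, timedelta

RANSOM_NOTE = "!!!READ_ME!!!.txt"  # note name reported in the article
ENCRYPTED_EXT = ".vect"            # extension reported in the article


def parse_event(line):
    """Constructed format: '<ISO timestamp> <ACTION> <path>[ -> <new path>]'."""
    ts, action, rest = line.split(" ", 2)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), action, src, dst or None


def analyze_log(lines, window_seconds=60, rename_threshold=10):
    """Return alerts as (kind, timestamp, detail) tuples.
    mass_vect_rename fires once when >= rename_threshold renames to .vect land
    within window_seconds; ransom_note fires for each note creation."""
    alerts = []
    recent = deque()          # timestamps of recent renames to .vect
    mass_alerted = False
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ts, action, src, dst = parse_event(line)
        if action == "CREATE" and src.endswith(RANSOM_NOTE):
            alerts.append(("ransom_note", ts, src))
        if action == "RENAME" and dst and dst.endswith(ENCRYPTED_EXT):
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if not mass_alerted and len(recent) >= rename_threshold:
                mass_alerted = True
                alerts.append(("mass_vect_rename", ts,
                               f"{len(recent)} renames to {ENCRYPTED_EXT} in {window_seconds}s"))
    return alerts


def build_sample_log():
    """Constructed sample: three benign events, then a burst of .vect renames
    followed by the ransom note being dropped."""
    base = datetime(2026, 3, 10, 9, 0, 0)
    lines = [
        f"{base.isoformat()} CREATE /srv/data/q1-forecast.xlsx",
        f"{(base + timedelta(seconds=5)).isoformat()} RENAME /srv/data/draft.docx -> /srv/data/final.docx",
        f"{(base + timedelta(seconds=9)).isoformat()} DELETE /srv/data/tmp.bak",
    ]
    for i in range(25):
        t = base + timedelta(seconds=30 + i)
        lines.append(f"{t.isoformat()} RENAME /srv/data/file{i}.pdf -> /srv/data/file{i}.pdf{ENCRYPTED_EXT}")
    lines.append(f"{(base + timedelta(seconds=56)).isoformat()} CREATE /srv/data/{RANSOM_NOTE}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for kind, ts, detail in analyze_log(SAMPLE_LOG):
        print(ts.isoformat(), kind, detail)
```

The rename-rate alert is the one worth tuning: a low threshold catches the encryptor early, when only a few files have been touched, while the note alert confirms what happened but typically fires last.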
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.