VECT 2.0 Ransomware Destroys Files on Windows, Linux, and ESXi

Sarah simpson
April 29, 2026, 4 Min Read

Key Takeaways

  • VECT 2.0 is a new ransomware variant that functions as a data wiper due to a critical encryption flaw.
  • It permanently destroys files larger than 128 KB on Windows, Linux, and VMware ESXi systems.
  • Recovery is impossible even if a ransom is paid: the nonces needed to decrypt the first three chunks of every large file are discarded during encryption, so the operators themselves cannot produce a working decryptor.
  • The ransomware operates as a Ransomware-as-a-Service (RaaS) and has an open affiliate model, making it accessible to a wider range of threat actors.

VECT 2.0 Ransomware: A Destructive Flaw Turns Encryption into Data Wiping

A new ransomware strain, VECT 2.0, is drawing significant attention within the cybersecurity community, not merely for its encryption capabilities but for a fundamental flaw that transforms it into an unintentional data wiper. This variant’s design defect leads to the irreversible destruction of any file exceeding 128 KB on compromised Windows, Linux, and VMware ESXi systems, making data recovery impossible, irrespective of ransom payment.

Evolution and Reach of VECT Ransomware

VECT ransomware first emerged in December 2025, appearing on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) offering. The group quickly escalated its operations, claiming its initial two victims in January 2026. A significant expansion occurred in February 2026 with the release of version 2.0, which extended its destructive capabilities across Windows, Linux, and VMware ESXi environments.

The malware gained broader notoriety in March 2026 following an announced partnership between VECT and TeamPCP. TeamPCP is a known threat actor responsible for supply-chain attacks that have injected malicious code into widely used software packages, including Trivy, Checkmarx KICS, LiteLLM, and Telnyx, thereby impacting a substantial number of downstream users.

Unveiling the Operation: Check Point’s Investigation

Analysts at Check Point Research successfully identified and analyzed all three VECT 2.0 variants. Their breakthrough came after gaining access to the ransomware’s builder panel via a BreachForums account. This investigation further revealed an astonishing partnership: VECT allied with BreachForums itself, offering every registered forum member free access to deploy the ransomware as an affiliate. This open-affiliate model bypasses traditional vetting processes, drastically lowering the entry barrier for less experienced cybercriminals to participate in ransomware campaigns.

The ransomware, developed in C++, targets all three platforms using statically compiled executables that share a common codebase. Each variant encrypts with the ChaCha20-IETF stream cipher (RFC 8439: 256-bit key, 96-bit nonce, 32-bit block counter) as implemented in the libsodium cryptographic library. Encrypted files are renamed with the .vect extension, and a ransom note named !!!READ_ME!!!.txt is dropped on affected systems. Despite a seemingly polished builder panel, Check Point noted that the technical execution of the ransomware itself falls short of professional standards.

The Critical Flaw: Nonce Handling Leads to Data Destruction

The most alarming discovery concerning VECT 2.0 is a coding flaw that effectively turns the ransomware into a data wiper. Any file exceeding 131,072 bytes (128 KB) is not recoverably encrypted; most of its contents become permanently unrecoverable. Because the threshold is so low, the flaw hits exactly the data organizations depend on to operate.

The Nonce-Handling Flaw That Destroys Large Files

The root of the problem is how VECT 2.0 manages cryptographic nonces during file encryption. When processing a large file, the malware divides it into four chunks and encrypts each with a newly generated, random 12-byte nonce. However, all four encryption calls write their nonce into the same shared buffer, so each new nonce overwrites the previous one. By the time encryption finishes, only the nonce from the fourth and final chunk remains, and that is the one written to the encrypted file on disk.

ChaCha20 is a stream cipher: the keystream is a function of the key, the nonce, and the block counter, and decrypting a chunk means regenerating exactly that keystream. Without the chunk's nonce the key alone is useless, and a random 96-bit nonce cannot be recovered by search. A known-plaintext fragment does not help either; it reveals only the keystream bytes it covers, not the nonce, so it cannot be extended to the rest of the chunk. The nonces for the first three chunks are never saved to disk, stored in the registry, or transmitted to the attacker's server in any of the three variants, so the first three-quarters of every large file are lost the moment the buffer is overwritten. Even a victim who pays in full would receive a decryptor that can restore only the final quarter of each large file, which for a virtual disk image, a database, or an archive rarely includes the headers and structures needed to make the rest readable. A threshold of just 128 KB covers virtually every file that matters, from virtual machine disk images and databases to backups, spreadsheets, and email archives.

Check Point Research confirmed that this critical flaw is present in all three platform variants and predates the 2.0 release, indicating it has existed in earlier deployments without ever being rectified.
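To make the failure mechanism concrete, the following is an added Python reconstruction; it is not code from this page, from Check Point Research, or from the malware. A pure-Python ChaCha20-IETF (RFC 8439) keystream stands in for libsodium's crypto_stream_chacha20_ietf_xor so the script runs with no dependencies. It follows the article only where the article is specific: four chunks, a fresh random 12-byte nonce per chunk, one shared nonce buffer, and only the last nonce reaching disk. The equal-quarter chunk split, the on-disk layout (ciphertext followed by the single nonce), the function names and the sample input are assumptions made for the demonstration. A corrected encryptor that stores every chunk's nonce is shown beside the buggy one.

```python
# Added reconstruction of the nonce-overwrite bug (not VECT's code). Pure-Python ChaCha20-IETF
# (RFC 8439) replaces libsodium; chunk split, on-disk layout and names are assumptions.
import os
import struct

MASK32 = 0xFFFFFFFF
NONCE_LEN = 12                   # ChaCha20-IETF: 96-bit nonce, 32-bit block counter
LARGE_FILE_THRESHOLD = 131072    # 128 KB: above this the article says the four-chunk path runs
CHUNKS = 4

def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: constants | key | counter | nonce, 20 rounds, feed-forward."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = list(state)
    for _ in range(10):                              # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])

def chacha20_ietf_xor(key, nonce, data):
    """XOR data with the keystream from counter 0 (what crypto_stream_chacha20_ietf_xor does).
    Encrypt and decrypt are the same call; both need the same key AND the same nonce."""
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), 64)):
        piece = data[off:off + 64]
        ks = chacha20_block(key, blk, nonce)[:len(piece)]
        out += (int.from_bytes(piece, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(piece), "little")
    return bytes(out)

def _chunk_bounds(total):
    size = -(-total // CHUNKS)                       # ceil: four near-equal chunks (assumed split)
    return [(min(i * size, total), min((i + 1) * size, total)) for i in range(CHUNKS)]

def vect_style_encrypt(key, plaintext):
    """The buggy large-file path: four nonces, ONE shared buffer. Returns (ciphertext, nonce_on_disk)."""
    if len(plaintext) <= LARGE_FILE_THRESHOLD:
        raise ValueError("only files above 128 KB take the four-chunk path")
    nonce_buf = bytearray(NONCE_LEN)                 # shared by all four encryption calls
    ciphertext = bytearray()
    for start, end in _chunk_bounds(len(plaintext)):
        nonce_buf[:] = os.urandom(NONCE_LEN)         # fresh nonce, clobbering the previous chunk's
        ciphertext += chacha20_ietf_xor(key, bytes(nonce_buf), plaintext[start:end])
    return bytes(ciphertext), bytes(nonce_buf)       # only chunk 4's nonce is left to write out

def vect_style_decrypt(key, ciphertext, nonce_on_disk):
    """Everything a decryptor could have: the key and the single surviving nonce."""
    out = bytearray()
    for start, end in _chunk_bounds(len(ciphertext)):
        out += chacha20_ietf_xor(key, nonce_on_disk, ciphertext[start:end])
    return bytes(out)

def recoverable_chunks(key, plaintext):
    """Encrypt, 'decrypt', and report per chunk whether the original bytes came back."""
    ct, nonce = vect_style_encrypt(key, plaintext)
    pt = vect_style_decrypt(key, ct, nonce)
    return [plaintext[s:e] == pt[s:e] for s, e in _chunk_bounds(len(plaintext))]

def fixed_encrypt(key, plaintext):
    """The fix: keep every nonce. Layout nonce || ciphertext per chunk (assumed format)."""
    out = bytearray()
    for start, end in _chunk_bounds(len(plaintext)):
        nonce = os.urandom(NONCE_LEN)                # stored with its chunk, never overwritten
        out += nonce + chacha20_ietf_xor(key, nonce, plaintext[start:end])
    return bytes(out)

def fixed_decrypt(key, blob):
    out, pos = bytearray(), 0
    for start, end in _chunk_bounds(len(blob) - CHUNKS * NONCE_LEN):
        nonce, pos = blob[pos:pos + NONCE_LEN], pos + NONCE_LEN
        out += chacha20_ietf_xor(key, nonce, blob[pos:pos + end - start])
        pos += end - start
    return bytes(out)

if __name__ == "__main__":
    key = os.urandom(32)
    sample = bytes(range(256)) * 513                 # constructed 131,328-byte file, just over 128 KB
    print("buggy path, chunk intact after decryption:", recoverable_chunks(key, sample))
    print("fixed path round-trips:", fixed_decrypt(key, fixed_encrypt(key, sample)) == sample)
```

Run stand-alone, the buggy path reports [False, False, False, True]: only the fourth chunk, the one whose nonce survived in the buffer, decrypts. Nothing about the cipher is broken here; the failure is purely that part of the key material (the nonce) is thrown away, which is why no decryptor written after the fact can repair it.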

What You Should Do

  • Maintain robust offline or air-gapped backups that cannot be reached through network shares or lateral movement, and test restores regularly; against VECT 2.0 the backup is the only remaining copy of any large file.
  • Monitor for indicators of an active infection such as bulk process terminations, sudden deletion of shadow copies, widespread renaming of files to the .vect extension, and creation of the !!!READ_ME!!!.txt note. Because encryption destroys data as it runs, the value of these alerts lies in isolating a host within minutes, not hours.
  • Given VECT's partnership with TeamPCP, rigorously validate the integrity of third-party software dependencies and supply chain components (pinned versions, verified checksums or signatures, and review of unexpected new releases or maintainers).
  • Watch for the preparatory behaviour associated with this ransomware: PowerShell-based disabling of Windows Defender, event log clearing, and unusual safe-mode boot configuration changes.
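The following added Python detector, which is not code from this page or from any vendor, runs the behavioural checks listed above over constructed sample telemetry. The event schema, host names and thresholds are assumptions made for the demonstration, and the specific command lines matched (vssadmin, wevtutil, bcdedit, Set-MpPreference) are assumptions about how those actions are commonly performed on Windows, not VECT's observed command lines, which the article does not quote.

```python
# Added detection example (not VECT's code, not from the article). Event schema, hosts,
# thresholds and the matched command lines are assumptions for the demo.
import re
from collections import defaultdict, deque

VECT_EXT = ".vect"
RANSOM_NOTE = "!!!READ_ME!!!.txt"
RENAME_THRESHOLD = 20        # .vect renames per host inside the window before alerting (assumed tuning)
WINDOW_SECONDS = 60

# Preparatory behaviours from the article, keyed on how each is commonly done on Windows (assumed).
PROCESS_RULES = [
    ("shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event log clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("safe-mode boot change", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
    ("Defender disabled via PowerShell", re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
]

def _basename(path):
    return re.split(r"[\\/]", path)[-1]      # handle both Windows and POSIX separators

def detect(events):
    """Run the checks over event dicts and return (ts, host, label) alerts in time order.

    Assumed event shape:
      {"ts": int, "host": str, "kind": "file",    "op": "rename"|"create"|..., "path": str}
      {"ts": int, "host": str, "kind": "process", "cmdline": str}
    """
    alerts, fired = [], set()
    renames = defaultdict(deque)             # host -> timestamps of recent renames to .vect
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["kind"] == "file":
            name = _basename(ev["path"])
            if ev["op"] == "rename" and name.lower().endswith(VECT_EXT):
                q = renames[host]
                q.append(ts)
                while ts - q[0] > WINDOW_SECONDS:    # slide the window
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD and (host, "mass .vect rename") not in fired:
                    fired.add((host, "mass .vect rename"))
                    alerts.append((ts, host, "mass .vect rename"))
            elif ev["op"] == "create" and name == RANSOM_NOTE:
                alerts.append((ts, host, "ransom note dropped"))
        elif ev["kind"] == "process":
            for label, rx in PROCESS_RULES:
                if rx.search(ev["cmdline"]):
                    alerts.append((ts, host, label))
    return alerts

def sample_events():
    """Constructed sample telemetry (not real logs): one ESXi host being encrypted,
    one workstation being prepared, one workstation doing ordinary renames."""
    ev = []
    for i in range(25):                      # 25 datastore files renamed within 25 seconds
        ev.append({"ts": 1000 + i, "host": "esxi-01", "kind": "file", "op": "rename",
                   "path": f"/vmfs/volumes/ds1/vm{i}/vm{i}-flat.vmdk{VECT_EXT}"})
    ev.append({"ts": 1031, "host": "esxi-01", "kind": "file", "op": "create",
               "path": "/vmfs/volumes/ds1/" + RANSOM_NOTE})
    ev.append({"ts": 900, "host": "ws-17", "kind": "process",
               "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"})
    ev.append({"ts": 905, "host": "ws-17", "kind": "process",
               "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    for i in range(3):                       # benign: a few .bak renames, well under threshold
        ev.append({"ts": 1200 + i, "host": "ws-03", "kind": "file", "op": "rename",
                   "path": f"C:\\Users\\a\\report{i}.docx.bak"})
    return ev

if __name__ == "__main__":
    for ts, host, label in detect(sample_events()):
        print(f"{ts} {host}: {label}")
```

The rename rule is deliberately a rate over a sliding window rather than a single match: one renamed file is noise, twenty on one host in a minute is a host that should be isolated now. The process rules fire on the first matching command line, which is the earlier and cheaper signal.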

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.