VECT 2.0 Ransomware Damages Files, Decryptor Cannot
Security professionals are voicing serious concerns over VECT 2.0, a new ransomware strain. A critical flaw means that even after a victim pays the ransom, the attacker’s own decryptor might not fully restore compromised files.
This is not a typical failure tied to weak defenses or victim error. The damage, in many cases, is baked directly into the malware’s design and leaves victims with broken files they cannot cleanly recover.
VECT 2.0 is a 64-bit Windows-based ransomware that targets business data including documents, PDFs, archives, backups, databases, and virtual disks.
Rather than targeting only specific file types, it walks accessible paths and skips a short exclusion list, meaning a wide range of important files fall within its scope. The malware is part of a broader family, with related builds also spotted under the DEVMAN 3.0 branding.
Researchers at Morphisec analyzed a Windows VECT 2.0 sample in detail, uncovering how the malware’s own design works against victim recovery.
They found that VECT can leave files renamed, partially encrypted, or structurally broken in ways that defeat even the attacker’s own recovery tool.
Morphisec said in a report shared with Cyber Security News (CSN) that the flaw extends well beyond a previously known nonce-loss bug documented by Check Point Research.
One of the most alarming findings is that VECT renames a file before it begins encrypting it. The malware appends the .vect extension first, then opens the file to modify its content.
This means a file with the .vect extension is not necessarily encrypted at all — it could be plaintext or only partially changed. That detail makes recovery challenging, since the extension cannot be taken as proof of what happened to any given file.
The malware also stores almost no metadata alongside encrypted files that could assist recovery. It appends only a 12-byte trailer holding the last encryption nonce from the operation, with no version field, no original file size, and no chunk information.
This bare-bones footprint makes it nearly impossible for any decryptor to reconstruct what the malware actually did to each file.
[Figure: VECT 2.0 Ransomware]
For files larger than 128 KB, VECT splits the content into four sections and encrypts a 32 KB block at the start of each using four different keys. Only the final key is saved to disk when the process finishes.
That means three of the four encrypted blocks are permanently out of reach for the built-in decryptor, because the data needed to reverse them is never retained.
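The rename-before-encrypt behaviour, the bare 12-byte trailer and the four-section layout above together mean that the .vect extension says nothing reliable about a file's contents. The following is an added triage example written for this article; it is not Morphisec's tooling and not the malware's code. It assumes the layout as described (four equal sections above 128 KB with a 32 KB block at the start of each, a single pass below that, a 12-byte trailer at the end of a processed file) and uses a byte-entropy threshold, `HIGH_ENTROPY`, as a stand-in for "looks like ciphertext". The sample inputs are constructed in `make_sample`.

```python
import math
import os

# Layout figures come from the Morphisec findings summarised in the article.
TRAILER_LEN = 12            # 12-byte trailer holding the last nonce
BLOCK = 32 * 1024           # 32 KB block encrypted at the start of each section
LARGE_FILE = 128 * 1024     # above this size the file is split into four sections
HIGH_ENTROPY = 7.2          # bits/byte; assumption: at or above this a region looks ciphertext-like


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, ~8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def expected_regions(body_len: int) -> list:
    """(offset, length) pairs VECT is described as encrypting.

    Above 128 KB: four equal sections, a 32 KB block at the start of each.
    Otherwise: one pass over the whole body (assumption for the smaller path).
    """
    if body_len > LARGE_FILE:
        section = body_len // 4
        return [(i * section, min(BLOCK, body_len - i * section)) for i in range(4)]
    return [(0, body_len)]


def triage(data: bytes) -> dict:
    """Classify the contents of a file that carries the .vect extension.

    Assumption: if the file was really processed, its last 12 bytes are the
    trailer and everything before it is the (possibly encrypted) original body.
    Because the rename happens first, the trailer may not be there at all.
    """
    body = data[:-TRAILER_LEN] if len(data) > TRAILER_LEN else b""
    regions = expected_regions(len(body))
    entropies = [shannon_entropy(body[off:off + ln]) for off, ln in regions]
    encrypted = [e >= HIGH_ENTROPY for e in entropies]

    if not any(encrypted):
        state = "renamed_only"      # extension present, content still low entropy
    elif all(encrypted):
        state = "encrypted"
    else:
        state = "inconsistent"      # some expected regions touched, others not

    # Only the final key is written to disk, so in the four-section layout the
    # attacker's decryptor can only reach the last block.
    reachable = [False, False, False, True] if len(regions) == 4 else [True]

    return {
        "layout": "four_sections" if len(regions) == 4 else "single_pass",
        "regions": regions,
        "entropy": [round(e, 2) for e in entropies],
        "encrypted": encrypted,
        "state": state,
        # Recoverable by the attacker's own tool only if every encrypted region is reachable.
        "attacker_recoverable": all(r or not e for e, r in zip(encrypted, reachable)),
    }


def make_sample(size: int, touched: list, trailer: bool = True) -> bytes:
    """Constructed test file (not a real sample): a repetitive plaintext body with
    the listed expected regions overwritten by random bytes to mimic ciphertext,
    plus an optional fake 12-byte trailer."""
    body = bytearray((b"Quarterly report line 0001\r\n" * (size // 28 + 1))[:size])
    for idx, (off, ln) in enumerate(expected_regions(size)):
        if idx in touched:
            body[off:off + ln] = os.urandom(ln)
    return bytes(body) + (os.urandom(TRAILER_LEN) if trailer else b"")


if __name__ == "__main__":
    for label, sample in [
        ("renamed only, 64 KB, no trailer", make_sample(64 * 1024, [], trailer=False)),
        ("fully processed, 200 KB", make_sample(200 * 1024, [0, 1, 2, 3])),
        ("interrupted, 200 KB", make_sample(200 * 1024, [0, 3])),
    ]:
        r = triage(sample)
        print(f"{label}: {r['state']} ({r['layout']}), attacker_recoverable={r['attacker_recoverable']}")
```

The entropy test is a heuristic: already-compressed formats such as PDFs and archives are high-entropy in their plaintext form, so for those a magic-byte check of the first region is a better "still plaintext" signal than entropy. The useful output for a responder is the per-region split, which separates files that were merely renamed (restorable by stripping the extension) from files where a block the decryptor can never reach has been overwritten.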
Morphisec also uncovered a buffer-size mismatch in the single-pass encryption path. Files between 32 KB and 128 KB can enter a code path where the destination buffer is too small for the incoming data.
Depending on runtime behavior, the file may be renamed without encryption taking place, fail midway through, or end up in an inconsistent state that cannot be cleanly repaired.
Shared Buffers and Concurrent Processing Failures
VECT uses multiple worker threads to process files at the same time, but the buffers these threads rely on for file paths and content reads are shared globally across all workers.
When two threads handle different files at once, one can overwrite path or content data that another worker is still actively using.
This race condition means a single VECT incident can produce files in several very different states. One file might be only renamed, another fully encrypted, and a third left partially modified in a way that neither party can cleanly reverse.

A generic decryptor follows the attacker’s assumptions about file format, but VECT’s own implementation repeatedly violates those assumptions.
Given these risks, security teams are strongly encouraged to deploy prevention-first solutions that can stop ransomware before encryption begins.
Behavioral endpoint protection is far better suited to catching this threat early in the chain. Once files have been processed by VECT, even paying the ransom offers no guarantee of a full recovery.
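The behaviour the article describes, a rename to .vect followed by the same process opening the renamed path for modification, is itself a usable detection signal. The following is an added example of that logic run over constructed file-activity events; it is not part of the Morphisec report or of any vendor product. The JSON event layout (`ts`, `pid`, `image`, `op`, `path`, `new_path`), the process names and paths in `SAMPLE_LOG`, and the mass-rename threshold and window are all assumptions made for the example.

```python
import json
from collections import defaultdict, deque

VECT_EXT = ".vect"           # extension from the IoC table in the article
MASS_RENAME_THRESHOLD = 5    # assumption: five .vect renames by one process ...
MASS_RENAME_WINDOW = 10.0    # ... within ten seconds counts as mass renaming

# Constructed file-activity events (not real telemetry). Field layout is an
# assumption: ts (seconds), pid, image, op (rename/write), path, new_path.
SAMPLE_LOG = r"""
{"ts": 100.0, "pid": 4120, "image": "C:\\Windows\\explorer.exe", "op": "rename", "path": "D:\\docs\\a.docx", "new_path": "D:\\docs\\a-final.docx"}
{"ts": 100.5, "pid": 4120, "image": "C:\\Windows\\explorer.exe", "op": "write", "path": "D:\\docs\\a-final.docx"}
{"ts": 200.0, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "rename", "path": "D:\\docs\\q1.pdf", "new_path": "D:\\docs\\q1.pdf.vect"}
{"ts": 200.1, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "write", "path": "D:\\docs\\q1.pdf.vect"}
{"ts": 200.2, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "rename", "path": "D:\\docs\\q2.xlsx", "new_path": "D:\\docs\\q2.xlsx.vect"}
{"ts": 200.3, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "write", "path": "D:\\docs\\q2.xlsx.vect"}
{"ts": 200.4, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "rename", "path": "D:\\backup\\db.bak", "new_path": "D:\\backup\\db.bak.vect"}
{"ts": 200.5, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "rename", "path": "D:\\vm\\disk.vmdk", "new_path": "D:\\vm\\disk.vmdk.vect"}
{"ts": 200.6, "pid": 7788, "image": "C:\\temp\\sample.exe", "op": "rename", "path": "D:\\docs\\notes.txt", "new_path": "D:\\docs\\notes.txt.vect"}
"""


def parse_events(text: str):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect(events) -> list:
    """Two rules over a stream of events, in arrival order.

    rename_then_write: a process writes to a path it previously renamed to .vect
                       (the exact order VECT is described as using).
    mass_vect_rename:  a process renames MASS_RENAME_THRESHOLD files to .vect
                       inside MASS_RENAME_WINDOW seconds (raised once per pid).
    """
    alerts = []
    renamed = {}                  # (pid, new_path) -> ts of the rename to .vect
    recent = defaultdict(deque)   # pid -> timestamps of its recent .vect renames
    flagged = set()
    for ev in events:
        pid, ts = ev["pid"], ev["ts"]
        if ev["op"] == "rename" and ev["new_path"].lower().endswith(VECT_EXT):
            renamed[(pid, ev["new_path"])] = ts
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > MASS_RENAME_WINDOW:
                window.popleft()
            if len(window) >= MASS_RENAME_THRESHOLD and pid not in flagged:
                flagged.add(pid)
                alerts.append({"rule": "mass_vect_rename", "pid": pid,
                               "image": ev["image"], "count": len(window)})
        elif ev["op"] == "write" and (pid, ev["path"]) in renamed:
            alerts.append({"rule": "rename_then_write", "pid": pid, "image": ev["image"],
                           "path": ev["path"],
                           "delay": round(ts - renamed[(pid, ev["path"])], 3)})
    return alerts


def run_sample() -> list:
    """Run both rules over the constructed log; the benign explorer.exe rename produces nothing."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The first rule fires on the very first write after a .vect rename, which is the point a prevention-first control would want to act, before the 32 KB block at the start of the file is overwritten. The second rule catches the burst even if the write events are missing from telemetry. Both key on the extension from the IoC table, so they should be treated as a supplement to behavioural detection rather than a replacement for it, since the extension is the one thing a rebuilt variant can trivially change.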
Indicators of Compromise (IoCs)
The Morphisec report does not list specific file hashes, IP addresses, command-and-control domains, or URLs as traditional IoCs. The sole artifact consistently associated with VECT 2.0 activity is the file extension it appends during processing, noted below for threat hunting and triage purposes.
| Type | Indicator | Description |
|---|---|---|
| File Extension | .vect | Extension appended to targeted files before encryption begins; presence does not confirm successful encryption |
| Binary Type | 64-bit Windows PE | VECT 2.0 sample identified as a 64-bit Windows Portable Executable |
| Malware Family Branding | DEVMAN 3.0 | Related VECT-family build observed with alternate branding, used to identify common vs. build-specific behavior |