VECT Ransomware Exposed as Accidental Wiper: Critical Encryption Flaw Destroys All Large Files
Breaking: VECT 2.0 Ransomware Permanently Destroys Large Files Instead of Encrypting Them
Check Point Research (CPR) has documented a flaw in the VECT 2.0 ransomware that turns it into an unintentional wiper for any file larger than 128 KB (131,072 bytes). Above that threshold full recovery is impossible, even for the attackers themselves, because the material needed to decrypt most of the file is never stored anywhere.

“The encryption implementation discards three out of four decryption nonces for every file above 131,072 bytes,” said a CPR spokesperson. “This is not a bug that can be patched; it is a fundamental design failure that makes VECT a wiper for virtually all enterprise data.”
The flaw affects all three platform variants—Windows, Linux, and ESXi—confirming a single flawed codebase ported across environments. Files commonly targeted by ransomware, such as VM disks, databases, documents, and backups, typically exceed 128 KB, meaning they are permanently destroyed upon execution.
Critical Flaw Details
For every file larger than 128 KB, VECT encrypts the content in four chunks, each under its own nonce, but stores only one nonce per file. The other three nonces exist only in memory; they are never written to disk or transmitted, so the chunks encrypted under them cannot be decrypted by anyone, the operators included. At most the single chunk whose nonce was kept can be recovered, which is why CPR treats the whole file as lost. CPR confirmed the flaw is present in every publicly available VECT version.
“This is not an accidental oversight in a single build—it’s a systemic error repeated across every variant, every version,” the CPR researcher added. “Any organization hit by VECT should treat affected files as permanently lost.”
Misidentified Cipher and Unused Features
Public reports have incorrectly identified VECT's encryption algorithm as ChaCha20-Poly1305 AEAD. CPR found that it uses raw ChaCha20-IETF (the 96-bit-nonce construction of RFC 8439) with no authentication: there is no Poly1305 tag and no other integrity check, so anyone who can write to an encrypted file can flip chosen plaintext bits without detection, though that matters little when recovery is impossible anyway.
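To make the nonce problem and the missing authentication concrete, here is an added illustration in Python, written for this page; it is not VECT's code and not CPR's analysis tooling. The cipher core is ChaCha20-IETF as specified in RFC 8439 and checks itself against the RFC's section 2.4.2 test vector. The file layout is an assumption chosen to match the description above: files over 131,072 bytes are split into four chunks, each encrypted under a fresh 96-bit nonce, and only the first nonce is kept with the ciphertext. The function names (`vect_like_encrypt`, `vect_like_decrypt`, `recovery_report`, `tamper`), the chunking rule and the sample data are all constructed here.

```python
"""Model of the VECT-style nonce loss and of raw-ChaCha20 malleability.

Added illustration, not VECT's code. The cipher is ChaCha20-IETF per RFC 8439
(32-byte key, 12-byte nonce, 32-bit block counter). The four-chunk layout and
the "keep only the first nonce" behaviour are assumptions that follow the
writeup's description of the flaw.
"""
import os
import struct

MASK32 = 0xFFFFFFFF
THRESHOLD = 131_072   # 128 KB boundary named in the writeup
NONCE_LEN = 12        # ChaCha20-IETF nonce size (RFC 8439)


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_ietf(key, nonce, data, counter=1):
    """Raw ChaCha20 (no Poly1305): XOR data with the keystream. Same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_self_test():
    """First 16 ciphertext bytes of the RFC 8439 section 2.4.2 example."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_ietf(key, nonce, pt)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"


def _chunk_len(n):
    return -(-n // 4)  # ceil(n / 4): four chunks for anything over the threshold (assumed layout)


def vect_like_encrypt(key, plaintext):
    """Returns (ciphertext, saved_nonce). Small files: one nonce, kept. Large files:
    four chunks under four fresh nonces, but only nonces[0] is returned; the other
    three are dropped, which is the modelled flaw."""
    if len(plaintext) <= THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return chacha20_ietf(key, nonce, plaintext), nonce
    step = _chunk_len(len(plaintext))
    chunks = [plaintext[i:i + step] for i in range(0, len(plaintext), step)]
    nonces = [os.urandom(NONCE_LEN) for _ in chunks]
    ct = b"".join(chacha20_ietf(key, n, c) for n, c in zip(nonces, chunks))
    return ct, nonces[0]                 # nonces[1:] are never persisted


def vect_like_decrypt(key, ciphertext, saved_nonce):
    """What a decryptor holding the key and the single saved nonce can do."""
    if len(ciphertext) <= THRESHOLD:
        return chacha20_ietf(key, saved_nonce, ciphertext)
    step = _chunk_len(len(ciphertext))
    # Only chunk 0's nonce exists; reusing it for chunks 1..3 yields random bytes.
    return b"".join(chacha20_ietf(key, saved_nonce, ciphertext[i:i + step])
                    for i in range(0, len(ciphertext), step))


def recovery_report(key, plaintext):
    """Per-chunk True/False: does the decryptor get the original bytes back?"""
    ct, nonce = vect_like_encrypt(key, plaintext)
    back = vect_like_decrypt(key, ct, nonce)
    step = _chunk_len(len(plaintext)) if len(plaintext) > THRESHOLD else len(plaintext)
    return [plaintext[i:i + step] == back[i:i + step]
            for i in range(0, len(plaintext), step)]


def tamper(ciphertext, offset, old_byte, new_byte):
    """Raw ChaCha20 is malleable: XORing old^new into a ciphertext byte changes the
    decrypted byte from old to new, and with no Poly1305 tag nothing notices."""
    ct = bytearray(ciphertext)
    ct[offset] ^= old_byte ^ new_byte
    return bytes(ct)


if __name__ == "__main__":
    key = os.urandom(32)
    print("RFC 8439 vector ok:", rfc8439_self_test())
    small = bytes(range(256)) * 4                     # 1 KB constructed sample
    large = bytes(range(256)) * 640                   # 160 KB constructed sample
    print("1 KB file, chunks recovered:", recovery_report(key, small))
    print("160 KB file, chunks recovered:", recovery_report(key, large))
    ct, nonce = vect_like_encrypt(key, b"transfer 100 EUR")
    print(vect_like_decrypt(key, tamper(ct, 9, ord("1"), ord("9")), nonce))
```

Run stand-alone, the 1 KB file round-trips, the 160 KB file comes back with only its first chunk intact (the other three decrypt to noise because their nonces are gone), and the single-byte edit of the small ciphertext passes through decryption undetected, turning "100" into "900". The decryptor here is the best case for the victim: it already holds the key and the one nonce that was saved, and it still cannot reverse three quarters of the file.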
Additionally, the advertised --fast, --medium, and --secure encryption speed modes on Linux and ESXi variants are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardless of operator selection, making the performance claims hollow.
“The software presents a professional facade but is amateur hour underneath,” the CPR spokesperson said. “Beyond the nonce flaw, we found multiple other bugs: self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that actively degrades encryption performance.”
Background
VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming initial victims in January 2026, the group gained notoriety through a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. Those attacks injected malware into popular software packages like Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.

In a post on BreachForums, VECT announced the TeamPCP collaboration, aiming to exploit companies affected by those supply-chain attacks. Simultaneously, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate with access to the ransomware, negotiation platform, and leak site.
“This open affiliate model is unusual and dangerous,” noted the CPR spokesperson. “But given the encryption flaw, affiliates using VECT are likely destroying data rather than holding it for ransom—creating irreversible damage to victim organizations.”
What This Means
The VECT gang is a credible threat because of its partnerships and supply-chain reach, but its encryption engine is fundamentally broken for any operation that touches enterprise data. Organizations should treat VECT as wiper malware rather than as a ransomware variant: the usual ransomware playbook of negotiation and decryption key recovery cannot bring the data back.
Security teams should update their detection content for VECT and isolate infected systems immediately. Signatures keyed only on the ChaCha20 constants (the "expand 32-byte k" string) or on the keystream routine will also match legitimate software that uses the same cipher, so pair them with the sample's other artifacts, such as the ignored --fast, --medium and --secure switches and the obfuscation and anti-analysis code CPR describes. For files over 128 KB on compromised systems, restoration from offline or immutable backups is the only recovery path, and any backup that VECT may have touched should be considered corrupted until verified.
As VECT continues to recruit affiliates through BreachForums, the risk of widespread data destruction grows. The case is also a reminder that an incident response team should establish whether a ransomware family's encryption is actually reversible before negotiation or payment is even on the table: in VECT's case the destruction is baked into the code, regardless of what its authors intended.