
VECT Ransomware: A Flawed Design That Turns Encryption into Data Destruction

Published: 2026-05-11 21:34:57 | Category: Science & Space

Introduction

In the ever-evolving landscape of cyber threats, ransomware remains a persistent danger. However, not all ransomware is created equal. Recent research from Check Point Research (CPR) has uncovered a critical flaw in the VECT 2.0 ransomware that fundamentally alters its behavior—turning what should be a file-encrypting menace into a destructive wiper for virtually any meaningful data. This article dives deep into the technical shortcomings, misreported features, and the surprising amateurish execution behind a seemingly professional ransomware-as-a-service (RaaS) operation.

Figure: VECT Ransomware: A Flawed Design That Turns Encryption into Data Destruction (source: research.checkpoint.com)

A Critical Flaw: Encryption That Destroys Instead of Protecting

The most alarming finding from CPR is that VECT 2.0 permanently destroys files larger than 131,072 bytes (128 KB) rather than encrypting them. This is not a deliberate feature but a catastrophic bug in the encryption implementation. The flaw lies in the handling of decryption nonces: for every file above the 128 KB threshold, three out of four nonces are discarded. As a result, full recovery becomes impossible—even for the attacker who holds the decryption key. Since the threshold is only 128 KB, virtually any file with meaningful data—such as virtual machine disks, databases, documents, and backups—is rendered permanently unrecoverable. This effectively makes VECT a wiper for enterprise assets, a fact that CPR confirmed across all publicly available versions of the ransomware.

Misidentification of Encryption Algorithms

Public reporting on VECT has frequently misidentified the cipher it uses. Contrary to claims in multiple threat intelligence reports—and even VECT’s own initial advertisements—the ransomware does not use the authenticated encryption scheme ChaCha20-Poly1305 (AEAD). Instead, CPR found that VECT employs raw ChaCha20-IETF (RFC 8439) without any authentication. This means there is no Poly1305 message authentication code (MAC) and no integrity protection. The absence of authentication further compounds the data destruction issue, as there is no way to verify that encrypted content remains intact—though with the nonce flaw, that point is largely moot.
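The chunk-and-nonce failure from the previous section, together with the silent decryption that follows from using ChaCha20 without a Poly1305 tag, as an added simulation that is not code from the article or from CPR's analysis. It assumes a simple model of the bug (files above 128 KB cut into four chunks, each under its own nonce, only the first nonce retained) and substitutes a SHAKE256-based keystream for ChaCha20 so it runs on the Python standard library; VECT's real chunk boundaries and nonce storage format are not given on this page.

```python
import hashlib
import os

CHUNK_THRESHOLD = 131_072  # 128 KB: files above this are split into four chunks (per the CPR findings)
NUM_CHUNKS = 4
NONCE_LEN = 12             # IETF ChaCha20 nonce length (RFC 8439)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream SHAKE256(key || nonce), used instead of real ChaCha20 so this runs on
    # the standard library; the property shown (no nonce, no keystream) holds for any stream cipher.
    return hashlib.shake_256(key + nonce).digest(length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_chunks(data: bytes) -> list:
    # Files at or below the threshold are one chunk; larger files are cut into four.
    if len(data) <= CHUNK_THRESHOLD:
        return [data]
    size = -(-len(data) // NUM_CHUNKS)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]

def encrypt_file(data: bytes, key: bytes, keep_all_nonces: bool):
    # Each chunk gets its own random nonce. The flawed build stores only the first one and
    # discards the other three (assumed model of the bug described in the article).
    chunks = split_chunks(data)
    nonces = [os.urandom(NONCE_LEN) for _ in chunks]
    ct = b"".join(xor(c, keystream(key, n, len(c))) for c, n in zip(chunks, nonces))
    return ct, (nonces if keep_all_nonces else nonces[:1])

def decrypt_file(ct: bytes, key: bytes, stored_nonces: list, chunk_sizes: list) -> bytes:
    # Decrypt with whatever nonces survived. A chunk whose nonce is gone is passed through
    # untouched: nothing remains to regenerate its keystream, and with no Poly1305 tag the
    # decryptor cannot even detect that the output is garbage.
    out, off = [], 0
    for i, size in enumerate(chunk_sizes):
        piece = ct[off:off + size]
        off += size
        if i < len(stored_nonces):
            piece = xor(piece, keystream(key, stored_nonces[i], size))
        out.append(piece)
    return b"".join(out)

def recovered_chunks(data: bytes, key: bytes, keep_all_nonces: bool) -> tuple:
    # Round-trip a buffer and report (chunks recovered intact, total chunks).
    chunks = split_chunks(data)
    ct, nonces = encrypt_file(data, key, keep_all_nonces)
    pt = decrypt_file(ct, key, nonces, [len(c) for c in chunks])
    return sum(a == b for a, b in zip(chunks, split_chunks(pt))), len(chunks)
```

With a 200 KB buffer, `recovered_chunks(buf, key, True)` returns (4, 4) while the flawed path `recovered_chunks(buf, key, False)` returns (1, 4) even though the key is correct, which is the "wiper" outcome the article describes; a buffer at or under 128 KB is one chunk and survives either way.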

Advertised Speed Modes That Do Nothing

VECT’s Linux and ESXi variants include command-line flags such as --fast, --medium, and --secure, which are advertised to adjust encryption speed. However, CPR discovered that these flags are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardless of the operator’s selection. This not only misleads affiliates but also eliminates any possibility of optimizing performance for different environments—a basic expectation for a professional-grade ransomware tool.

A Shared Codebase Across Platforms

Despite targeting three different operating systems—Windows, Linux, and VMware ESXi—VECT relies on a single, flawed encryption engine. The code, built on the libsodium library, shares identical file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw across all platforms. This confirms that the developers ported a common codebase rather than tailoring implementations per OS. The uniformity means that the destructive flaw affects every victim, regardless of platform, and highlights a lack of rigorous testing before deployment.


Professional Façade, Amateur Execution

Beyond the catastrophic nonce flaw, CPR identified numerous additional bugs and design failures in all three variants. These include self-cancelling string obfuscation that actually makes analysis easier, permanently unreachable anti-analysis code, and a thread scheduler that degrades encryption performance instead of improving it. The combination of these issues paints a picture of developers who prioritized a polished appearance over solid engineering. The result is a ransomware strain that not only fails to deliver on its promises but also inadvertently destroys the data it was meant to hold for ransom.

Background: The Rise of VECT Ransomware

VECT Ransomware first appeared in December 2025 on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) offering. After claiming its first two victims in January 2026, the group gained notoriety by announcing a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. Those attacks injected malware into popular software packages such as Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx, affecting a large downstream consumer base. Shortly after these attacks made headlines, VECT posted on BreachForums, promoting the partnership with the goal of exploiting companies hit by those supply-chain compromises.

In addition, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate and gain access to the VECT ransomware, its negotiation platform, and leak site. This open affiliate model—unusual in the RaaS ecosystem—further underscores the amateurish approach, as it dilutes control and increases operational security risks for the group.

Conclusion

VECT 2.0 stands as a cautionary tale in the ransomware world. While it markets itself as a professional tool with advanced features, the reality is a flawed encryption engine that destroys data instead of ransoming it, misrepresented algorithms, useless speed modes, and a shared codebase that amplifies every bug across platforms. Organizations should be aware that if hit by VECT, recovery is impossible—even if they pay. This makes robust backups and proactive security measures more critical than ever.