VECT Ransomware's Encryption Flaw Turns It Into a Wiper, Researchers Warn

From Moocchen, the free encyclopedia of technology

Breaking: VECT 2.0 Ransomware Permanently Destroys Large Files Due to Critical Encryption Flaw

Check Point Research (CPR) has discovered that VECT 2.0 ransomware does not encrypt large files—it irreversibly destroys them. A fatal flaw in the encryption implementation, present across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file larger than 131,072 bytes (128 KB). This makes full recovery impossible, even for the attackers themselves.

VECT Ransomware's Encryption Flaw Turns It Into a Wiper, Researchers Warn
Source: research.checkpoint.com

"At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data—enterprise assets such as VM disks, databases, documents, and backups included," said CPR in their disclosure. The flaw was confirmed across all publicly available VECT versions.

Cipher Misidentified in Public Reports

CPR also corrected widespread misidentification of the encryption algorithm. VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in several threat intelligence reports and in VECT's initial advertisement. There is no Poly1305 MAC and no integrity protection, so any modification of the encrypted data goes undetected.

Advertised Speed Modes Are Fake

Further analysis revealed that VECT's advertised encryption speed modes (--fast, --medium, and --secure) are parsed but silently ignored. Regardless of operator selection, every execution applies identical hardcoded thresholds. This means the ransomware's claimed flexibility is a complete facade.

One Flawed Engine Across Three Platforms

The Windows, Linux, and ESXi variants share an identical encryption design built on libsodium. They use the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw, confirming a single codebase ported across platforms. "This is a professional facade with amateur execution," said CPR.
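The chunk-and-nonce scheme CPR describes, modelled here as an added example in pure Python (this is not VECT's code or CPR's): raw RFC 8439 ChaCha20 with one nonce per chunk, where only one of the four nonces is kept for files over 128 KB. Equal-size chunks, "the first nonce survives", and all function names are assumptions not stated in the report; what the model shows is that a decryptor holding the correct key still recovers only the chunk whose nonce exists, and that, with no Poly1305 tag, a flipped ciphertext bit decrypts silently into a flipped plaintext bit.

```python
import os, struct

M32 = 0xFFFFFFFF
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")
CHUNKS = 4            # four-chunk logic described by CPR
THRESHOLD = 131072    # 128 KB: larger files are split into chunks

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def _qr(s, a, b, c, d):  # RFC 8439 quarter round, in place
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """RFC 8439 block: 32-byte key, 32-bit counter, 12-byte nonce -> 64 keystream bytes."""
    init = [*CONSTANTS, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce)]
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (columns, then diagonals)
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & M32 for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data):
    """Raw ChaCha20-IETF keystream XOR. No Poly1305 tag, so nothing detects tampering."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, i // 64, nonce)))
    return bytes(out)

def encrypt_vect_model(key, data):
    """Model of the described scheme (ASSUMED chunking). Returns (ciphertext, nonces actually kept)."""
    if len(data) <= THRESHOLD:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, data), [nonce]
    size = -(-len(data) // CHUNKS)
    nonces = [os.urandom(12) for _ in range(CHUNKS)]
    ct = b"".join(chacha20_xor(key, n, data[i * size:(i + 1) * size]) for i, n in enumerate(nonces))
    return ct, nonces[:1]  # the flaw: three of the four nonces are never stored

def recover(key, ct, kept_nonces):
    """What a decryptor with the key and stored nonces restores: one entry per chunk, None if the nonce is gone."""
    if len(ct) <= THRESHOLD:
        return [chacha20_xor(key, kept_nonces[0], ct)]
    size = -(-len(ct) // CHUNKS)
    return [chacha20_xor(key, kept_nonces[i], ct[i * size:(i + 1) * size]) if i < len(kept_nonces) else None
            for i in range(CHUNKS)]
```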

Additional Bugs and Design Failures

Beyond the nonce flaw, CPR identified multiple other bugs: self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that actively degrades encryption performance instead of improving it.

Background

VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming its first two victims in January 2026, the group resurfaced by announcing a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx's KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.


Shortly after those attacks made headlines, VECT posted on BreachForums announcing the TeamPCP partnership, aiming to exploit companies affected by the supply-chain attacks. Additionally, VECT announced a partnership with BreachForums itself, promising every registered forum user affiliate status—allowing access to the VECT ransomware, negotiation platform, and leak site.

What This Means

This discovery has immediate and severe implications for any organization that may be targeted by VECT. Because the encryption flaw makes large files unrecoverable, traditional backup strategies may fail entirely, and victims cannot pay their way out: no decryption is possible.

Security teams should reassess their ransomware defense posture, especially regarding file threshold monitoring. The misidentification of the cipher also means that many threat intelligence reports are based on flawed assumptions, potentially leading to incorrect mitigation advice. The VECT group, despite professional presentation, is operating with severely flawed code, which may indicate a lack of deep technical capability. However, the supply-chain partnership with TeamPCP means the distribution network remains dangerous.

Organizations should consider this a wiper threat, not a ransomware threat, and apply appropriate wiper-focused incident response plans.