A new ransomware group known as Vect 2.0 has entered the global cyberthreat landscape, operating as a full Ransomware-as-a-Service (RaaS) platform that targets Windows, Linux, and VMware ESXi systems.
The group first appeared in December 2025 and rapidly scaled its activity through February 2026, claiming at least 20 victims across multiple countries and critical industry sectors.
Vect 2.0 is a rebranded evolution of the earlier “Vect” operation, now built on a custom C++ codebase from which the operators compile dedicated payloads for each operating system they target.
The group operates on a triple-threat model it openly describes as “Exfiltration / Encryption / Extortion.”
This means it first steals sensitive data, then encrypts it to lock victims out, and finally threatens to publish the stolen files unless a ransom is paid.
This layered approach leaves affected organizations in a difficult position, facing both operational disruption and the threat of public data exposure.
Analysts and researchers at the Data Security Council of India (DSCI) tracked and identified the Vect 2.0 operation through extensive dark web monitoring and ongoing threat intelligence analysis.
Their findings revealed that the group’s Data Leak Site (DLS) dashboard listed 20 active victim cases as of February 28, 2026, with 6 victims having their data leaked publicly and 14 others still in active negotiation.
Victim data was also distributed on well-known cybercrime platforms such as BreachForums, increasing pressure on targeted organizations to pay.
The most targeted countries include Brazil and the United States, each with four victims, followed by India with three. Other affected nations include South Africa, Egypt, Spain, Colombia, Italy, and Namibia.
The sectors impacted most are manufacturing, education, healthcare, and technology, industries that hold large volumes of sensitive data and depend on continuous availability to keep daily operations running.
The group runs its entire infrastructure through TOR hidden services and accepts ransom payments only in Monero (XMR), a privacy-focused cryptocurrency that makes financial tracing difficult.
All affiliate and operator communications use the TOX protocol and a proprietary tool called “Vect Secure Chat.”
New affiliates are charged a $250 USD entry fee in Monero, though this fee is waived for applicants from Commonwealth of Independent States (CIS) countries, a detail that points toward operators likely based in Russia or Belarus.
Multi-Platform Infection Mechanism and Defense Evasion
Vect 2.0 deploys separate, purpose-built executables for each targeted platform. The Windows payload is a file named “svc_host_update.exe,” crafted to blend in with legitimate Windows system processes.
For Linux and VMware ESXi environments, the group deploys a dedicated binary called “enc_esxi.elf.” Once executed, the ransomware encrypts files and appends the “.vect” extension.
Victims then find ransom notes titled “VECT_RECOVERY_GUIDE.txt” or “README_VECT.html” directing them to a negotiation portal through a TOR-based link.
Vect 2.0 Ransom Note (Source – DSCI)
To avoid detection, Vect 2.0 uses a Safe Mode Boot technique (MITRE ATT&CK T1562.009), forcing the compromised system to restart in Safe Mode where most endpoint security tools remain inactive.
This gives the ransomware a clear window to encrypt data without interference. Initial access is typically gained through stolen or weak credentials (T1078), exposed RDP or VPN services (T1133), or phishing emails (T1566).
After gaining entry, the group moves laterally across the network through SMB shares and WinRM, collects data from local systems and shared drives, and then exfiltrates it through TOR-encrypted channels before triggering encryption.
Organizations can reduce risk by blocking known Vect 2.0 IP addresses such as 158.94.210.11 (Port 8000) and restricting outbound TOR traffic at the network perimeter.
Security teams should set up alerts for bcdedit command activity and any unexpected Safe Mode reboots, as these are signs of an active evasion attempt.
Multi-factor authentication (MFA) must be enforced on all remote access services, including RDP, VPN, and ESXi interfaces.
Following the 3-2-1 backup rule (three copies of the data, with one kept offline) lets an organization restore systems without paying a ransom. Regular phishing awareness training for all employees remains equally important.
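As an added illustration (not code from DSCI or from the article), the following Python sketch turns the indicators listed above into detection rules and runs them over a few constructed telemetry lines; the log format, host names and field names are assumptions, and the rule set is only as complete as the indicators the report gives.

```python
import re

# Constructed sample telemetry (process, file and network events) in an assumed
# key=value format; these are not real logs from any incident.
SAMPLE_EVENTS = [
    r'2026-02-20T10:01:02 host=FS01 type=process user=svc_backup image=C:\Windows\Temp\svc_host_update.exe',
    r'2026-02-20T10:01:05 host=FS01 type=process user=svc_backup image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} safeboot minimal"',
    r'2026-02-20T10:01:06 host=FS01 type=network dst=158.94.210.11 dport=8000 proto=tcp',
    r'2026-02-20T10:04:10 host=FS01 type=file op=write path=D:\Shares\Finance\Q4.xlsx.vect',
    r'2026-02-20T10:04:11 host=FS01 type=file op=write path=D:\Shares\Finance\VECT_RECOVERY_GUIDE.txt',
    r'2026-02-20T10:05:00 host=WS17 type=process user=alice image=C:\Windows\System32\svchost.exe',
]

# Each rule maps one indicator from the report to a pattern over the raw line.
RULES = [
    ("T1562.009 safe-mode boot via bcdedit", re.compile(r"bcdedit.*safeboot", re.I)),
    ("Vect 2.0 payload file name", re.compile(r"svc_host_update\.exe|enc_esxi\.elf", re.I)),
    ("File written with .vect extension", re.compile(r"\.vect(\s|$)", re.I)),
    ("Vect ransom note dropped", re.compile(r"VECT_RECOVERY_GUIDE\.txt|README_VECT\.html", re.I)),
    ("Connection to known Vect address", re.compile(r"dst=158\.94\.210\.11 dport=8000")),
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def scan_events(lines):
    """Return a list of (rule_name, line) for every line that matches a rule."""
    hits = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def suspect_hosts(hits, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired, sorted by name.
    A single match may be noise; a bcdedit safeboot change followed by .vect
    writes on the same host is a strong signal of active encryption."""
    rules_per_host = {}
    for name, line in hits:
        match = HOST_RE.search(line)
        if match:
            rules_per_host.setdefault(match.group(1), set()).add(name)
    return sorted(h for h, names in rules_per_host.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for name, line in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {line}")
    print("hosts needing triage:", suspect_hosts(scan_events(SAMPLE_EVENTS)))
```

Because the rules run over raw text, the same patterns can be lifted into a SIEM query or an EDR custom rule; the legitimate svchost.exe line shows that the payload-name rule does not fire on the process it imitates.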
The post New Vect 2.0 RaaS Operation Targets Windows, Linux, and ESXi Systems appeared first on Cyber Security News.