News and Analysis

A newly documented ransomware strain called VECT 2.0 has drawn serious attention from the cybersecurity community for a deeply damaging flaw in its design.

Unlike typical ransomware that locks files and demands payment for decryption, VECT 2.0 permanently destroys any file larger than 128 KB, making recovery impossible even if a victim pays the ransom.

VECT Ransomware first appeared in December 2025 on a Russian-language cybercrime forum, operating as a Ransomware-as-a-Service (RaaS) program.

The group claimed its first two victims in January 2026 and released version 2.0 in February 2026, expanding its reach across Windows, Linux, and VMware ESXi systems.

The malware gained more visibility in March 2026 when VECT announced a partnership with TeamPCP, a threat actor behind supply-chain attacks that injected malware into widely-used packages including Trivy, Checkmarx KICS, LiteLLM, and Telnyx, affecting a large number of downstream users.

Check Point Research analysts identified and analyzed all three VECT 2.0 variants after gaining access to the builder panel through a BreachForums account.

Their investigation uncovered that VECT also entered a partnership with BreachForums itself, giving every registered forum member free access to deploy the ransomware as an affiliate.

This open-affiliate model removes the usual vetting process, significantly lowering the barrier for less experienced attackers to join the operation.

Partnership release page on BreachForums (Source – Check Point)

The ransomware is written in C++ and targets all three platforms through statically compiled executables that share a common codebase.

Each variant uses the ChaCha20-IETF (RFC 8439) cipher via the libsodium cryptographic library and renames encrypted files with the .vect extension, dropping a ransom note named !!!READ_ME!!!.txt on each compromised system.

Despite its polished builder panel, the technical execution falls well short of a professionally developed ransomware tool.

VECT builder panel (Source – Check Point)

The most alarming aspect of VECT 2.0 is a critical coding flaw that effectively turns it into a data wiper.

Any file exceeding 131,072 bytes (128 KB) is not properly encrypted but instead rendered permanently unrecoverable, targeting the very assets organizations depend on to keep operations running.

The Nonce-Handling Flaw That Destroys Large Files

At the heart of the problem is a fundamental error in how VECT 2.0 handles cryptographic nonces during file encryption.

When the malware processes a large file, it divides it into four chunks and encrypts each one using a freshly generated, random 12-byte nonce.

All four encryption calls write their nonces into the same shared memory buffer, meaning each new nonce overwrites the previous one.

By the time encryption finishes, only the nonce from the fourth and final chunk survives and gets written to the encrypted file on disk.

Large file processing, 4 chunks encrypted with 4 unique nonces, single nonce appended at EOF (Source – Check Point)

Since ChaCha20-IETF decryption requires both the encryption key and the exact matching nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone.

The discarded nonces are never saved on disk, stored in the registry, or sent to the attacker’s server in any of the three variants. Even if a victim pays the ransom in full, the operator cannot provide a working decryptor because the nonces required for decryption were permanently lost the moment the buffer was overwritten.

At just 128 KB, this threshold captures virtually every meaningful file type, from VM disk images and databases to backups, spreadsheets, and email archives.

Encryption flaw, ESXi version (Source – Check Point)

Check Point Research confirmed this flaw is present in all three platform variants and predates the 2.0 release, having existed in earlier deployments without ever being fixed.

Organizations should keep offline, air-gapped backups that cannot be reached through network shares or lateral movement.

Monitoring for bulk process terminations, sudden shadow copy deletions, and mass file renaming to the .vect extension can provide early warning of an active infection.

Given VECT’s partnership with TeamPCP, validating the integrity of third-party software dependencies is also a critical step.

Security teams should watch for PowerShell-based disabling of Windows Defender, event log clearing activity, and unusual safe-mode boot configuration changes, all of which are key behavioral indicators of this ransomware.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and ESXi appeared first on Cyber Security News.