VECT Ransomware Exposed as Accidental Wiper: Critical Encryption Flaw Makes Data Recovery Impossible


Check Point Research (CPR) has revealed a catastrophic flaw in the VECT 2.0 ransomware that permanently destroys large files instead of encrypting them. The bug, present in all variants for Windows, Linux, and ESXi, makes full recovery impossible for any victim—and even the attackers themselves. According to CPR, the flaw effectively turns VECT into a wiper for any file above 128 KB, including virtual machine disks, databases, documents, and backups.

"This is a fundamental implementation failure," said a CPR senior analyst. "VECT's encryption discards three of the four decryption nonces for every file larger than 131,072 bytes. That means the data is gone forever—no amount of ransom payment can bring it back."

Technical Flaw: A Wiper by Accident

The ransomware uses raw ChaCha20-IETF (RFC 8439) with no authentication tag, contradicting earlier reports that it employed ChaCha20-Poly1305. There is no integrity protection at all, and because the nonces needed for decryption are discarded, files above the 128 KB threshold are left permanently corrupted.

(Image: research.checkpoint.com)

CPR confirmed that the nonce-handling error is identical across the Windows, Linux, and ESXi variants, pointing to a shared codebase ported from libsodium. Further, advertised speed modes (--fast, --medium, --secure) are silently ignored; every execution applies the same flawed thresholds.
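To make the consequence of the nonce-handling bug concrete, here is an added example (not code from CPR or from the page) that models the failure with a pure Python ChaCha20 per RFC 8439. The four-way split of a file, the distinct nonce per region and the rule that only the first nonce is kept once a file exceeds 131,072 bytes are assumptions standing in for the real VECT file format, which the article does not detail; the key and nonces are constructed values. The point it demonstrates is that a ChaCha20 keystream is a function of key and nonce together, so a decryptor holding the correct key but the wrong nonce recovers nothing for that region, which is why paying for a key cannot restore such files.

```python
"""Model of the nonce-loss failure described above.

Added example, not CPR's or VECT's code. ChaCha20 follows RFC 8439; the
file layout (four regions, one nonce each, only nonce 0 kept above the
threshold) is an assumption used to illustrate the failure mode.
"""
import struct

FILE_THRESHOLD = 131072  # 128 KB, the size above which the article says nonces are lost
MASK = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: constants | key | counter | 96-bit nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += (counter,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, a, b, c, d)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) with a 256-bit key and 96-bit nonce."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray(len(data))
    for off in range(0, len(data), 64):
        ks = _chacha20_block(key, (counter + off // 64) & MASK, nonce)
        for i, b in enumerate(data[off:off + 64]):
            out[off + i] = b ^ ks[i]
    return bytes(out)


def rfc8439_selfcheck():
    """RFC 8439 section 2.4.2 vector; True if the first 16 ciphertext bytes match."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_xor(key, nonce, pt, counter=1)
    return ct[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981")


def _region_bounds(n):
    return [i * n // 4 for i in range(5)]


def encrypt_like_vect(key, data, nonces):
    """Assumed layout: four regions, each under its own nonce. The footer keeps
    all four nonces for small files but only nonces[0] above FILE_THRESHOLD,
    mirroring the 'three of four nonces discarded' description."""
    b = _region_bounds(len(data))
    regions = [chacha20_xor(key, nonces[r], data[b[r]:b[r + 1]]) for r in range(4)]
    kept = nonces[:1] if len(data) > FILE_THRESHOLD else list(nonces)
    return regions, {"nonces": kept}


def attempt_recovery(key, regions, footer):
    """What a decryptor holding the key and the footer can do: use the stored
    nonce for each region, falling back to the only surviving one."""
    stored = footer["nonces"]
    return [chacha20_xor(key, stored[r] if r < len(stored) else stored[0], ct)
            for r, ct in enumerate(regions)]


def demo(size):
    """Returns, per region, whether the original bytes were recovered."""
    key = bytes(range(32, 64))                      # constructed key
    nonces = [bytes([r]) * 12 for r in range(1, 5)]  # constructed, distinct nonces
    data = bytes(i & 0xFF for i in range(size))      # constructed file content
    regions, footer = encrypt_like_vect(key, data, nonces)
    b = _region_bounds(size)
    recovered = attempt_recovery(key, regions, footer)
    return [recovered[r] == data[b[r]:b[r + 1]] for r in range(4)]


if __name__ == "__main__":
    print("RFC 8439 self-check:", rfc8439_selfcheck())
    print("file at threshold  :", demo(FILE_THRESHOLD))      # all regions recoverable
    print("file above threshold:", demo(FILE_THRESHOLD + 1))  # only region 0 recoverable
```

Running it shows every region of a 131,072-byte file decrypting correctly, while a file one byte larger recovers only its first region. Guessing the missing 96-bit nonces is not a practical fallback either (2^96 candidates per region), so for a file in that state the only recovery path is a backup that predates the attack.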

Background

VECT first appeared in December 2025 as a Ransomware-as-a-Service (RaaS) on a Russian-language cybercrime forum. After claiming two victims in January 2026, it gained notoriety by partnering with TeamPCP, the group behind supply-chain attacks that injected malware into popular tools like Trivy, Checkmarx KICS, LiteLLM, and Telnyx.

In March 2026, VECT announced its alliance with TeamPCP on BreachForums, aiming to exploit companies hit by those supply-chain attacks. Simultaneously, VECT revealed a separate partnership with BreachForums itself, promising every registered forum user affiliate access to the ransomware, negotiation platform, and leak site.

(Image: research.checkpoint.com)

"This is a dangerous escalation," noted a cybersecurity threat analyst. "By opening up affiliate membership to anyone, VECT is lowering the barrier to entry for cybercrime."

What This Means

For enterprises, the implication is stark: paying a ransom will not recover data. The encryption flaw means files above 128 KB are permanently destroyed. Backup restoration remains the only viable path, but if backups were also targeted, recovery may be impossible.

For the attackers, the flaw undermines their business model. VECT operators cannot decrypt victims' files even if paid, eroding trust in their RaaS platform. However, the partnership with BreachForums could still yield profits from data extortion alone, as stolen data can be leaked regardless of encryption failure.

CPR also identified multiple additional bugs across all variants: self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that degrades encryption performance. These amateurish execution flaws contrast sharply with the group's professional marketing facade.

Organizations should immediately validate their backup integrity and ensure offline storage. If hit by VECT, assume data loss is permanent and do not pay the ransom.
