Critical Flaw Turns VECT 2.0 Ransomware Into Data-Wiping Threat, Researchers Warn

Published: 2026-05-15 10:20:18 | Category: Science & Space

Check Point Research (CPR) has uncovered a devastating flaw in the VECT 2.0 ransomware that causes it to permanently destroy large files instead of encrypting them, turning the malware into a wiper for virtually any data over 128 kilobytes. The vulnerability, present across all three platform variants—Windows, Linux, and ESXi—means complete recovery is impossible for any victim, including the attackers themselves.

“This flaw effectively turns VECT into a wiper for any file containing meaningful data,” said a senior threat researcher at CPR. “Enterprise assets like virtual machine disks, databases, and backups are all affected, making this ransomware-designed attack a data destruction event.”

The issue stems from a critical error in the encryption implementation. For files larger than 131,072 bytes (128 KB), the ransomware discards three of the four nonces needed for decryption, so the data cannot be decrypted even with the correct key. CPR confirmed this flaw exists in every publicly available version of VECT.
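To make the nonce loss concrete, here is an added example (not code from CPR's report or from VECT itself): a pure-Python ChaCha20-IETF (RFC 8439) keystream with no Poly1305 tag, a simplified four-segment layout in which each segment is encrypted under its own nonce (an assumption for illustration; VECT's real file format is not described on this page), and a simulation in which only one of the four nonces survives above the 128 KB threshold, so three quarters of the file stay unrecoverable even with the right key.

```python
import os, struct

MASK = 0xFFFFFFFF
LARGE_FILE_THRESHOLD = 131_072  # 128 KB: above this, CPR reports three of four nonces are discarded
SEGMENTS = 4                    # model assumption: one nonce per quarter of the file (not VECT's real layout)
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,  # RFC 8439 "expand 32-byte k"
             *struct.unpack("<8L", key), counter & MASK, *struct.unpack("<3L", nonce)]
    w = list(state)
    for _ in range(10):  # 20 rounds: 10 x (column round, diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_ietf_xor(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF (RFC 8439) keystream XOR: no Poly1305 tag, so nothing detects a wrong nonce."""
    return b"".join(bytes(a ^ b for a, b in zip(data[i:i + 64], _chacha20_block(key, counter + i // 64, nonce)))
                    for i in range(0, len(data), 64))

def encrypt_in_segments(key, data):
    seg = -(-len(data) // SEGMENTS)
    nonces = [os.urandom(12) for _ in range(SEGMENTS)]  # one fresh 96-bit nonce per segment
    ct = b"".join(chacha20_ietf_xor(key, nonces[i], data[i * seg:(i + 1) * seg]) for i in range(SEGMENTS))
    return ct, nonces

def recover(key, ct, stored_nonces):
    seg = -(-len(ct) // SEGMENTS)  # segments whose nonce was never stored cannot be decrypted: None
    return [chacha20_ietf_xor(key, stored_nonces[i], ct[i * seg:(i + 1) * seg])
            if i < len(stored_nonces) else None for i in range(SEGMENTS)]

def simulate(size):
    """(segments recoverable, whole file recovered?) for a constructed file of `size` random bytes."""
    key, data = os.urandom(32), os.urandom(size)
    ct, nonces = encrypt_in_segments(key, data)
    stored = nonces if size <= LARGE_FILE_THRESHOLD else nonces[:1]  # the flaw: 3 of 4 nonces dropped
    parts = recover(key, ct, stored)
    return sum(p is not None for p in parts), b"".join(p or b"" for p in parts) == data
```

The keystream matches the RFC 8439 "sunscreen" test vector, and `simulate` returns `(4, True)` below the threshold but `(1, False)` above it, which is the wiper outcome the researchers describe.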

Background

VECT Ransomware first appeared in December 2025 on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) program. After claiming its first two victims in January 2026, the group gained notoriety through a partnership with TeamPCP, the actor behind multiple supply-chain attacks in March 2026 that injected malware into popular software like Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx.

[Image] Source: research.checkpoint.com

Following those attacks, VECT announced a partnership with BreachForums, promising every registered user affiliate status to use the ransomware, negotiation platform, and leak site. This strategy aimed to exploit companies targeted by the supply-chain attacks, broadening the attack surface significantly.

Technical Findings

CPR also discovered that the cipher used by VECT has been misidentified in public reports. While many sources claimed VECT uses ChaCha20-Poly1305 AEAD, the actual implementation is raw ChaCha20-IETF (RFC 8439) with no authentication—meaning there is no Poly1305 MAC and no integrity protection.

[Image] Source: research.checkpoint.com

Additionally, advertised encryption speed modes (--fast, --medium, --secure) are parsed but silently ignored. Every execution applies identical hardcoded thresholds, regardless of operator selection. This reveals a professional facade hiding amateur execution.

“Beyond the nonce flaw, we identified multiple bugs across all variants—from self-cancelling string obfuscation to a thread scheduler that actually degrades encryption performance,” another CPR analyst noted. “The Windows, Linux, and ESXi variants share identical encryption design built on libsodium, confirming a single codebase ported across platforms.”

What This Means

For enterprises, VECT 2.0 is no longer just a ransomware threat—it’s a wiper that destroys data permanently. Even if victims pay a ransom, full recovery is impossible. The threshold of 128 KB means virtually any file with meaningful data is at risk, including critical business documents, databases, and system backups.

Organizations should prioritize isolating affected systems and verifying backups for integrity, especially those containing large files. The discovery underscores the importance of analyzing ransomware code for implementation flaws that can turn a designed encryption attack into accidental data destruction.

CPR recommends that security teams update detection signatures to identify VECT’s unique behavior and review any partnerships or affiliates that may have been compromised through the BreachForums and TeamPCP connections. Given the wiper-like impact, incident response should focus on data recovery from clean backups rather than paying ransoms.