VECT Ransomware Exposed as Unintentional Data Wiper - Critical Encryption Flaw Makes Full Recovery Impossible

Breaking: VECT Ransomware Actually Destroys Files, Not Encrypts Them

Check Point Research (CPR) has discovered that the VECT 2.0 ransomware permanently destroys large files rather than encrypting them, effectively turning the malware into a data wiper. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB).

Image source: research.checkpoint.com

Full recovery is impossible—even for the attackers themselves. At a threshold of only 128 KB, this makes VECT a wiper for virtually any file containing meaningful data, including enterprise assets such as VM disks, databases, documents, and backups.

“This is not a ransomware failure—it’s a design flaw that makes recovery impossible by design,” said a CPR security researcher. “Victims paying ransoms will never get their data back, even if the attacker wants to decrypt it.”

Misidentified Cipher and Missing Features

CPR also found that the cipher used by VECT has been misidentified in public reporting. The ransomware uses raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in several widely cited threat intelligence reports and VECT’s initial advertisement. There is no Poly1305 MAC and no integrity protection.

Additionally, advertised encryption speed modes are not implemented. The --fast, --medium, and --secure flags present across Linux and ESXi variants are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardless of operator selection.

One Flawed Engine Across Multiple Platforms

CPR confirmed that the Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout. This confirms a single codebase ported across platforms.
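To make the reported failure concrete, here is an added Python model (not CPR's code and not VECT's) of a four-chunk ChaCha20-IETF scheme that keeps only one of its four nonces for files above 128 KB; the contiguous-quarter chunk layout and the "first nonce is the one kept" detail are assumptions, since the article gives only the threshold and the chunk count. It also shows why the missing Poly1305 tag matters for recovery: a wrong nonce yields silent garbage rather than an error.

```python
import os
import struct

M = 0xFFFFFFFF
THRESHOLD = 131_072   # 128 KB cut-off reported for VECT 2.0
CHUNKS = 4            # the four-chunk logic the article describes

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    # RFC 8439 state: 4 constants, 256-bit key, 32-bit counter, 96-bit nonce
    init = (list(struct.unpack("<4I", b"expand 32-byte k"))
            + list(struct.unpack("<8I", key)) + [counter]
            + list(struct.unpack("<3I", nonce)))
    s = init[:]
    for _ in range(10):  # 20 rounds as 10 double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & M for x, y in zip(init, s)])

def chacha20_ietf(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: keystream XOR only, no Poly1305 tag, so nothing flags a bad decryption."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def simulate(key, data):
    """Encrypt in four chunks with four nonces, keep what the flawed scheme keeps, try to recover;
    returns one bool per chunk telling whether it came back intact."""
    size = -(-len(data) // CHUNKS)   # ceil division: contiguous quarters (assumed layout)
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    nonces = [os.urandom(12) for _ in chunks]
    blobs = [chacha20_ietf(key, n, c) for n, c in zip(nonces, chunks)]
    kept = nonces[:1] if len(data) > THRESHOLD else nonces   # the flaw: 3 of 4 nonces discarded
    # with one nonce on disk, later chunks can only be tried with it; wrong nonce = silent garbage
    recovered = [chacha20_ietf(key, kept[i] if i < len(kept) else kept[0], b)
                 for i, b in enumerate(blobs)]
    return [r == c for r, c in zip(recovered, chunks)]
```

A file just over the threshold comes back with only its first quarter intact, and nothing in the raw stream cipher reports that the other three are wrong.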

Beyond the nonce flaw, CPR identified multiple additional bugs and design failures across all variants, ranging from self-cancelling string obfuscation and permanently unreachable anti-analysis code to a thread scheduler that actively degrades the encryption performance it was meant to improve. “Professional facade, amateur execution,” the researcher noted.

Background: VECT Ransomware and Its Partnerships

VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming its first two victims in January 2026, the group returned to the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.


Shortly after these attacks made headlines, VECT made a post on BreachForums announcing its partnership with TeamPCP, with the goal of exploiting the companies affected by those supply-chain attacks.

Figure 1: Announcement of partnership with BreachForums and TeamPCP.

In addition, VECT announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and thus be able to use the VECT ransomware, negotiation platform, and leak site for operations. Traditionally, most ransomware groups allow affiliates to join either base.

What This Means for Victims and the Cybersecurity Community

This discovery has immediate and severe implications. Victims who pay ransom demands will not recover their data—the encryption flaw makes decryption impossible, and the attacker cannot reverse the damage either. For organizations relying on backups, any file over 128 KB that was processed by VECT is permanently destroyed.

CPR recommends that affected organizations not pay the ransom and instead focus on restoring from clean, offline backups where available. The flaw also raises questions about the competency of ransomware-as-a-service operators and the risk posed by supply-chain attacks that distribute such flawed malware. Further analysis is ongoing, and security teams should treat any VECT infection as a data-wiper incident.
