BreachForums: VECT 2.0 Ransomware Wipes Large Files Across Windows, Linux & ESXi

VECT 2.0 Ransomware Unmasked as a Cross-Platform Data Wiper with Unrecoverable Encryption Flaws

Researchers at Check Point Research (CPR) have exposed VECT 2.0, a ransomware strain marketed as a recoverable encryption tool, as a cross-platform data wiper that permanently destroys enterprise files. Unlike traditional ransomware, VECT 2.0’s flawed encryption routine renders most critical data mathematically unrecoverable, even for the attackers, making it a destructive threat rather than a viable extortion tool.

How VECT 2.0 Operates

VECT 2.0 targets Windows, Linux, and VMware ESXi systems, processing files larger than 128 KB in four separate chunks using ChaCha20-IETF encryption. However, the malware discards the first three encryption nonces required for decryption without storing them, leaving 75% of each large file irretrievably corrupted. Only the last nonce is appended to the file, making recovery impossible for files exceeding the threshold.
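The chunking flaw described above, as an added recovery-feasibility model written for this page (it is not CPR's analysis code and nothing from VECT itself). ChaCha20 per RFC 8439 is implemented inline so the script runs offline and can be checked against the RFC's block test vector. The split into four equal chunks, the 12-byte IETF nonce appended verbatim, the sample key and the sample data are assumptions for illustration; what the model shows is that even a responder holding the key gets back only the final chunk, that guessing a discarded nonce is hopeless (a 96-bit space per chunk), and that with no authentication tag a corrupted ciphertext "decrypts" without any error.

```python
"""Recovery-feasibility model of the VECT 2.0 chunking flaw described by CPR.

Added example, not CPR's or VECT's code. RFC 8439 ChaCha20 is implemented
inline so the script runs offline; the four-equal-chunk split, the 12-byte
nonce length, the key and the sample data are assumptions for illustration.
"""
import hashlib
import struct

CHUNKS = 4       # page: large files are processed in four chunks
NONCE_LEN = 12   # ChaCha20-IETF nonce length (RFC 8439)
MASK = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block; the keystream is a function of (key, counter, nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20: XOR with keystream, no Poly1305 tag (what CPR found VECT actually uses)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def rfc8439_block_selftest():
    """Check the inline cipher against the RFC 8439 section 2.3.2 block test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


def model_flawed_scheme(key, plaintext, nonce_for_chunk):
    """Model of the flaw: each chunk gets its own nonce, but only the last nonce is appended."""
    size = -(-len(plaintext) // CHUNKS)  # ceil division into four equal chunks (assumption)
    ct = b""
    for i in range(CHUNKS):
        nonce = nonce_for_chunk(i)
        ct += chacha20_xor(key, nonce, plaintext[i * size:(i + 1) * size])
        # the nonces of chunks 0..2 are never written anywhere: this is the data-loss point
    return ct + nonce  # only the final chunk's nonce survives


def recover_with_key(blob, key):
    """What a responder who somehow holds the key can get back: the last chunk only."""
    nonce, ct = blob[-NONCE_LEN:], blob[:-NONCE_LEN]
    size = -(-len(ct) // CHUNKS)
    return chacha20_xor(key, nonce, ct[(CHUNKS - 1) * size:])


def demo():
    key = bytes(range(32))  # constructed key for the model, not a real VECT key
    plaintext = bytes((i * 7) % 251 for i in range(4096))  # constructed 4 KiB sample
    nonces = [hashlib.sha256(b"constructed-nonce-%d" % i).digest()[:NONCE_LEN]
              for i in range(CHUNKS)]
    blob = model_flawed_scheme(key, plaintext, lambda i: nonces[i])
    ct = blob[:-NONCE_LEN]
    size = len(plaintext) // CHUNKS
    recovered = recover_with_key(blob, key)
    # Guessing a nonce for chunk 0 yields noise: the nonce space is 2**96 per chunk.
    guess = chacha20_xor(key, bytes(NONCE_LEN), ct[:size])
    # No authentication tag: a flipped ciphertext byte "decrypts" to garbage with no error.
    tampered = bytearray(blob); tampered[-NONCE_LEN - 1] ^= 0x01
    return {
        "total": len(plaintext),
        "recoverable": len(recovered),
        "last_chunk_ok": recovered == plaintext[-size:],
        "guessed_nonce_ok": guess == plaintext[:size],
        "tamper_silently_accepted": recover_with_key(bytes(tampered), key) != recovered,
    }


if __name__ == "__main__":
    print("RFC 8439 self-test:", rfc8439_block_selftest())
    print(demo())
```

The model makes the incident-response conclusion concrete: `recoverable` is exactly one quarter of `total` no matter who holds the key, so the first three quarters of every large file are lost at the moment they are processed, and there is no integrity check that would even flag a damaged ciphertext before a responder spends time on it.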

This design flaw affects nearly all enterprise file types, including:

  • Virtual machine disk images
  • Databases
  • Documents and archives
  • Backups

Technical Flaws and Misleading Marketing

Despite VECT’s claims of using ChaCha20-Poly1305 AEAD encryption, CPR found it relies on raw ChaCha20-IETF without authentication tags, meaning there is no integrity protection, only ciphertext and a single nonce. The malware also includes unused "encryption speed" flags (e.g., --fast, --medium, --secure) that have no functional effect, exposing a gap between its marketing and its actual implementation.

Additional issues include:

  • Over-threaded encryption, degrading performance despite aggressive CPU-based scaling.
  • Unreachable anti-analysis code and ineffective string obfuscation.
  • Hardcoded thresholds (128 KB file size, 32 KB chunks) that remain unchanged regardless of operator settings.

RaaS Model and Affiliate Expansion

VECT operates as a Ransomware-as-a-Service (RaaS) program, first advertised on a Russian-language forum in late 2025 and linked to at least two victims by early 2026. The group has since partnered with BreachForums, offering all registered users affiliate access to its ransomware panel, negotiation platform, and leak site. It has also collaborated with TeamPCP, a supply-chain threat actor.

Despite its professional branding, VECT’s low victim count and technical shortcomings suggest weak engineering behind the operation.

Impact: Permanent Data Loss

Security experts warn that paying the ransom will not restore corrupted files, as the encryption design ensures permanent destruction of most enterprise data. Organizations affected by VECT 2.0 should treat the incident as a data-wiping attack rather than a recoverable ransomware case. The flaw has existed since the malware’s earliest observed deployments and remains unpatched.

Source: https://gbhackers.com/vect-2-0-ransomware-wipes/

AboutDFIR cybersecurity rating report: https://www.rankiteo.com/company/aboutdfir

"id": "ABO1777458252",
"linkid": "aboutdfir",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprise organizations'}],
 'attack_vector': 'Ransomware-as-a-Service (RaaS) deployment',
 'customer_advisories': 'Affected organizations should assume permanent data '
                        'loss and focus on recovery from backups.',
 'data_breach': {'data_encryption': 'ChaCha20-IETF (flawed, nonces discarded)',
                 'file_types_exposed': ['Virtual machine disk images',
                                        'Databases',
                                        'Documents',
                                        'Archives',
                                        'Backups'],
                 'sensitivity_of_data': 'High (critical enterprise data)',
                 'type_of_data_compromised': 'Enterprise files (VM disk '
                                             'images, databases, documents, '
                                             'backups, archives)'},
 'description': 'Researchers at Check Point Research (CPR) have exposed VECT '
                '2.0, a ransomware strain marketed as a recoverable encryption '
                'tool, as a cross-platform data wiper that permanently '
                'destroys enterprise files. Unlike traditional ransomware, '
                'VECT 2.0’s flawed encryption routine renders most critical '
                'data mathematically unrecoverable, even for the attackers, '
                'making it a destructive threat rather than a viable extortion '
                'tool.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'permanent data loss',
            'data_compromised': 'Permanent destruction of enterprise files '
                                '(75% of large files irrecoverable)',
            'operational_impact': 'Permanent data loss for critical files (VM '
                                  'disk images, databases, backups, documents)',
            'systems_affected': 'Windows, Linux, VMware ESXi'},
 'investigation_status': 'Ongoing (research by CPR)',
 'lessons_learned': 'Ransomware with flawed encryption can act as a data '
                    'wiper; organizations should verify encryption integrity '
                    'before considering ransom payments. Cross-platform '
                    'threats require unified security measures.',
 'motivation': 'Financial gain (extortion), though encryption flaws render it '
               'ineffective; potential destructive intent',
 'post_incident_analysis': {'corrective_actions': ['Patch encryption flaws (if '
                                                   'possible) or treat as data '
                                                   'wiper',
                                                   'Improve RaaS vetting to '
                                                   'prevent flawed malware '
                                                   'distribution',
                                                   'Enhance cross-platform '
                                                   'security for Windows, '
                                                   'Linux, and VMware ESXi'],
                            'root_causes': ['Flawed encryption design '
                                            '(discarding nonces in '
                                            'ChaCha20-IETF)',
                                            'Over-threaded encryption '
                                            'degrading performance',
                                            'Unreachable anti-analysis code '
                                            'and ineffective obfuscation',
                                            'Hardcoded thresholds (128 KB file '
                                            'size, 32 KB chunks)']},
 'ransomware': {'data_encryption': 'ChaCha20-IETF (flawed, 75% of large files '
                                   'irrecoverable)',
                'ransomware_strain': 'VECT 2.0'},
 'recommendations': ['Treat VECT 2.0 incidents as data-wiping attacks (do not '
                     'pay ransom).',
                     'Implement robust backup strategies for critical '
                     'enterprise data.',
                     'Monitor for RaaS affiliate expansion (e.g., '
                     'BreachForums, TeamPCP).',
                     'Verify encryption integrity in ransomware incidents '
                     'before response actions.'],
 'references': [{'source': 'Check Point Research (CPR)'},
                {'source': 'Russian-language forum (initial advertisement)'},
                {'source': 'BreachForums (affiliate access)'}],
 'response': {'remediation_measures': 'Treat as data-wiping attack; do not pay '
                                      'ransom (irrecoverable data)',
              'third_party_assistance': 'Check Point Research (CPR)'},
 'stakeholder_advisories': 'Security teams should warn organizations about '
                           'VECT 2.0’s permanent data destruction risks and '
                           'advise against ransom payments.',
 'threat_actor': 'VECT Ransomware Group (affiliated with TeamPCP and '
                 'BreachForums)',
 'title': 'VECT 2.0 Ransomware Unmasked as a Cross-Platform Data Wiper with '
          'Unrecoverable Encryption Flaws',
 'type': 'Ransomware (Data Wiper)',
 'vulnerability_exploited': 'Flawed ChaCha20-IETF encryption routine '
                            '(discarding nonces)'}