Checkmarx, Guesty, LiteLLM and S&P Global: Don’t pay VECT a ransom - your big files are likely gone

Vect Ransomware Turns Out to Be a Wiper, Destroying Victims’ Data Instead of Encrypting It

A recent wave of supply-chain attacks targeting tools like Trivy and LiteLLM has left victims with little hope of data recovery, even after paying ransoms. According to Check Point Research, the Vect ransomware group, partnering with TeamPCP, isn’t actually encrypting files but is instead permanently wiping any data larger than 128KB.

Since January, Vect’s leak site has listed 25 organizations, with four added since March, when extortion efforts tied to the supply-chain attacks began. However, it remains unclear how many of these victims are linked to the Trivy and LiteLLM compromises. On April 15, Vect claimed two major targets, Guesty (700GB) and S&P Global (250GB), allegedly tied to earlier TeamPCP breaches, though these claims lack independent verification. Neither company responded to inquiries.

Vect and TeamPCP, which previously compromised security and developer tools like Checkmarx and Telnyx, announced their partnership on BreachForums, boasting of plans for larger supply-chain attacks and follow-on ransomware campaigns. Vect also integrated its ransomware-as-a-service (RaaS) with BreachForums, allowing registered users to access its malware, negotiation platform, and leak site.

Check Point researchers gained access to Vect’s ransomware builder and discovered critical flaws. Instead of encrypting files, Vect 2.0 destroys any file exceeding 128KB by discarding the keys needed to decrypt them. The malware, available for Windows, Linux, and ESXi, uses libsodium-based encryption but fails to properly handle decryption nonces, making recovery impossible even for the attackers. Additional bugs and poor implementation further undermine its effectiveness, with researchers describing the code as "not technically sophisticated" and its execution as "amateur."

The discovery confirms that victims of these attacks, whether from supply-chain compromises or direct infections, face irreversible data loss regardless of whether a ransom is paid.

Source: https://www.theregister.com/2026/04/28/dont_pay_vect_a_ransom/

LiteLLM cybersecurity rating report: https://www.rankiteo.com/company/litellm

S&P Global cybersecurity rating report: https://www.rankiteo.com/company/spglobal

Guesty cybersecurity rating report: https://www.rankiteo.com/company/guesty

Checkmarx cybersecurity rating report: https://www.rankiteo.com/company/checkmarx

"id": "LITSPGGUECHE1777407909",
"linkid": "litellm, spglobal, guesty, checkmarx",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'name': 'Guesty', 'type': 'Company'},
                       {'name': 'S&P Global', 'type': 'Company'},
                       {'industry': 'Cybersecurity',
                        'name': 'Checkmarx',
                        'type': 'Company'},
                       {'industry': 'Telecommunications',
                        'name': 'Telnyx',
                        'type': 'Company'}],
 'attack_vector': 'Supply-chain attack',
 'data_breach': {'data_encryption': 'False (data wiped, not encrypted)',
                 'sensitivity_of_data': 'High (irreversible loss)',
                 'type_of_data_compromised': 'All file types >128KB '
                                             '(permanently destroyed)'},
 'date_detected': '2024-01',
 'date_publicly_disclosed': '2024-04-15',
 'description': 'A recent wave of supply-chain attacks targeting tools like '
                'Trivy and LiteLLM has left victims with little hope of data '
                'recovery, even after paying ransoms. The Vect ransomware '
                'group, partnering with TeamPCP, is permanently wiping data '
                'larger than 128KB instead of encrypting it. The malware, '
                'available for Windows, Linux, and ESXi, contains critical '
                'flaws that make data recovery impossible.',
 'impact': {'data_compromised': 'Permanent data destruction (files >128KB)',
            'operational_impact': 'Irreversible data loss',
            'systems_affected': ['Windows', 'Linux', 'ESXi']},
 'initial_access_broker': {'entry_point': 'Supply-chain compromises (Trivy, '
                                          'LiteLLM, Checkmarx, Telnyx)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Supply-chain attacks can lead to irreversible data loss '
                    'even if ransom is paid. Ransomware-as-a-service (RaaS) '
                    'platforms may have critical flaws that prevent data '
                    'recovery.',
 'motivation': 'Extortion (with irreversible data destruction)',
 'post_incident_analysis': {'root_causes': 'Critical flaws in Vect 2.0 '
                                           'ransomware (improper decryption '
                                           'key handling, poor '
                                           'implementation)'},
 'ransomware': {'data_encryption': 'False (data wiped)',
                'ransomware_strain': 'Vect 2.0'},
 'recommendations': 'Organizations should verify the legitimacy of ransomware '
                    'strains before paying ransoms. Enhanced monitoring and '
                    'segmentation can mitigate supply-chain attack risks.',
 'references': [{'source': 'Check Point Research'}, {'source': 'BreachForums'}],
 'response': {'third_party_assistance': 'Check Point Research'},
 'threat_actor': ['Vect Ransomware Group', 'TeamPCP'],
 'title': 'Vect Ransomware Turns Out to Be a Wiper, Destroying Victims’ Data '
          'Instead of Encrypting It',
 'type': 'Ransomware (Wiper Malware)'}