VECT 2.0 Ransomware: A Critical Encryption Flaw Turns It Into a Wiper
VECT 2.0 ransomware has a fatal nonce flaw that destroys files over 128 KB, making it an accidental wiper. Discovered by Check Point Research across all platforms.
Key Discoveries by Check Point Research
Security analysts at Check Point Research (CPR) have uncovered a severe design flaw in the VECT 2.0 ransomware that renders it far more destructive than intended. Instead of encrypting files for extortion, the ransomware permanently destroys large files—effectively acting as a wiper for any asset exceeding a mere 128 kilobytes. This defect is not limited to one platform; it appears identically across the Windows, Linux, and ESXi variants, confirming that a single codebase was ported without correction.

Additional findings reveal that the advertised cipher—ChaCha20-Poly1305—is a misidentification. The actual encryption uses raw ChaCha20-IETF (RFC 8439) with no authentication, meaning no Poly1305 MAC is applied. Furthermore, the so-called speed modes (--fast, --medium, --secure) are parsed but silently ignored; every operation uses the same hardcoded thresholds. Beyond these issues, CPR identified multiple amateurish bugs—including self-cancelling string obfuscation and a thread scheduler that reduces encryption performance.
The Nonce Handling Flaw: How Encryption Becomes Destruction
At the heart of the problem is a flawed implementation of the nonce (number used once) for the ChaCha20 cipher. For every file larger than 131,072 bytes (128 KB), the ransomware encrypts the file as four chunks, each under its own nonce, but writes only the first chunk's nonce into the file header; the nonces for the remaining three chunks are discarded. A ChaCha20 keystream cannot be regenerated without its nonce, so decryption of any chunk beyond the first is impossible, even for the attacker who holds the master key.
Given that most meaningful data—VM disks, databases, documents, and backups—far exceeds 128 KB, the only recoverable portion of an affected file is a tiny initial segment. For all practical purposes, the file is destroyed. CPR confirmed this flaw persists in every publicly available version of VECT.
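To make the failure concrete, here is an added example (not CPR's code and not VECT's): a pure-Python RFC 8439 ChaCha20 with a toy in-memory model of the flawed chunk scheme, showing that a key holder with the header nonce gets back only the first chunk. The 12-byte nonce, the chunk length and the header layout are assumptions for illustration; the real chunk thresholds are not given above.

```python
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _qr(s, a, b, c, d):
    # RFC 8439 quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    # IETF layout: 4 constant words, 256-bit key, 32-bit counter, 96-bit nonce
    st = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = st[:]
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, st)])


def chacha20_ietf_xor(key, nonce, data, counter=0):
    # Raw keystream XOR with no Poly1305 tag: encryption and decryption are the same call
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def encrypt_with_lost_nonces(key, data, chunk_len):
    # Toy model of the flawed scheme (assumed layout): every chunk gets a fresh
    # nonce, but only the first nonce is written to the header; the rest are dropped.
    chunks = [data[i:i + chunk_len] for i in range(0, len(data), chunk_len)]
    nonces = [os.urandom(12) for _ in chunks]
    body = b"".join(chacha20_ietf_xor(key, n, c) for n, c in zip(nonces, chunks))
    return nonces[0] + body


def recover_with_key(key, blob, chunk_len):
    # The most a key holder can do: the header nonce regenerates only chunk 0's
    # keystream, so chunk 0 comes back; the remaining bytes have no nonce to use.
    nonce0, body = blob[:12], blob[12:]
    return chacha20_ietf_xor(key, nonce0, body[:chunk_len]), body[chunk_len:]
```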
Three Platforms, One Flawed Engine
The VECT ransomware operates as a Ransomware-as-a-Service (RaaS) program, first appearing in December 2025 on a Russian-language cybercrime forum. Its developers ported the same encryption engine to Windows, Linux, and ESXi using the libsodium library. All variants share identical file-size thresholds, the same four-chunk logic, and the same nonce-handling bug. This suggests a single developer or small team with limited testing resources.
Misleading Advertisements and Unimplemented Features
Public threat intelligence reports and VECT’s own initial advertisements incorrectly claimed the use of ChaCha20-Poly1305 authenticated encryption. In reality, there is no authentication tag, leaving encrypted data vulnerable to tampering—though the wiper effect renders tampering moot. The advertised speed flags, designed to let operators balance speed against security, are completely ignored; the ransomware always applies identical encryption parameters.

Background: VECT’s Rise and Partnerships
After claiming its first two victims in January 2026, VECT gained notoriety by announcing a partnership with TeamPCP, the group behind a series of supply-chain attacks in March 2026. These attacks compromised widely used software packages—including Trivy, Checkmarx KICS, LiteLLM, and Telnyx—affecting a large downstream consumer base. Shortly after these incidents made headlines, VECT posted on BreachForums to announce the alliance, aiming to exploit organizations already weakened by the supply-chain compromises.
In an unusual move, VECT also partnered with BreachForums itself, promising each registered forum user automatic affiliate status. This gave every member access to the ransomware, negotiation platform, and leak site—a stark departure from traditional RaaS models that vet affiliates.
Conclusion: A Professional Facade Hiding Amateur Execution
While VECT’s marketing and partnership deals project a sophisticated operation, the underlying code reveals fundamental errors. The nonce flaw alone ensures that no file larger than 128 KB can be restored, making VECT a wiper by accident. Organizations should treat any VECT infection as a destructive data-loss event, not a ransom incident. Security teams are advised to update detection rules to identify the distinctive file patterns left by this flawed encryption engine and to prioritize offline backups as the only reliable defense.