Critical Flaw Turns Vect Ransomware into Data Destroying Wiper


Vect 2.0 ransomware has been found to wipe large compromised files instead of merely encrypting them, making recovery impossible – even for the attackers.

This is due to a critical flaw in the encryption implementation. The bug, likely an unintended coding error, was discovered by Check Point Research when investigating the latest version of the Vect ransomware.

Vect is a ransomware-as-a-service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum and was discovered by security researchers in early January 2026.

The group quickly grabbed headlines after it announced on BreachForums that it was partnering with TeamPCP, the threat group behind several supply-chain attacks, such as Trivy, Checkmarx’ KICS, LiteLLM and Telnyx, in March and April 2026.

Additionally, Check Point reported that Vect also announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and be granted use of the Vect ransomware, negotiation platform and leak site for operations.

“As of April 2026, this partnership is in full effect,” the Check Point researchers noted in a new report published on April 28.

Vect 2.0: RaaS Ambitions Crumble Under Poor Implementation

Vect launched version 2.0 of its ransomware lockers in February 2026, after its rise to fame. Written in C++, the lockers support Windows and Linux hosts as well as VMware ESXi hypervisors; the group claims to have built all three from scratch.

“Additionally, a forum post mentions that dedicated ‘cloud Lockers,’ likely targeting various cloud storage services, will be made available for affiliates that will prove their skills through a quiz or puzzle challenge in the near future,” the Check Point researchers indicated.

After obtaining the Vect ransomware builder via BreachForums, the research team analyzed the three payloads, for Windows, Linux and ESXi.

They found that all files above 131,072 bytes (128 KB) were permanently destroyed rather than being encrypted.

This is due to a critical flaw in the encryption implementation of the ransomware that discards three of four decryption nonces – the one-time values that make each encryption operation produce a unique keystream and that must be kept alongside the key to decrypt.

Specifically, the researchers said that the cipher used in the ransomware encryption system is raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in the group’s initial advertisements of its product and mentioned in some threat intelligence reports.

“There is no Poly1305 MAC and no integrity protection. This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as virtual machine (VM) disks, databases, documents and backups included,” said the Check Point researchers.

The researchers also confirmed that this flaw is present across all publicly available Vect versions and across the three targeted platforms: Windows, Linux and ESXi.

All variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic and the same nonce-handling flaw throughout, “confirming a single codebase ported across platforms,” the report noted.
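The failure the report describes, modelled in added example code that is not Check Point's and not the Vect codebase: a pure-Python ChaCha20-IETF (RFC 8439) checked against the RFC's own test vector, with a file locked as one chunk up to 128 KB or four chunks above it. How Vect derives or stores its nonces is not on the page; the model assumes each chunk gets a fresh random nonce and that only the first one survives in the file footer, which is enough to show why the other three quarters cannot be decrypted even with the correct key.

```python
import os
import struct
MASK32 = 0xFFFFFFFF
THRESHOLD = 131072  # 128 KB threshold named in the report
CHUNKS = 4          # "four-chunk logic" named in the report

def _rotl(v, c): return ((v << c) & MASK32) | (v >> (32 - c))

def _qr(s, a, b, c, d):  # RFC 8439 quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # State words: 4 constants, 8 key, 1 block counter, 3 nonce (ChaCha20-IETF layout)
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(w, init)))

def chacha20_xor(key, nonce, data, counter=0):
    # Raw keystream XOR: the same call encrypts and decrypts; no Poly1305 tag exists.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def rfc8439_selftest():
    # RFC 8439 section 2.4.2 vector: key 00..1f, nonce 00000000 0000004a 00000000, counter 1
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_xor(bytes(range(32)), bytes(7) + b"\x4a" + bytes(4), pt, 1)
    return ct[:16] == bytes.fromhex("6e2e359a2568f98041ba0728dd0d6981")

def _layout(length): n = 1 if length <= THRESHOLD else CHUNKS; return n, -(-length // n)

def lock_model(key, plaintext, keep_all_nonces):
    # Assumption: each chunk gets a fresh random nonce and the footer is the only place
    # a nonce survives; the flawed build writes just the first one (three discarded).
    n, size = _layout(len(plaintext))
    nonces = [os.urandom(12) for _ in range(n)]
    ct = b"".join(chacha20_xor(key, nonces[i], plaintext[i * size:(i + 1) * size]) for i in range(n))
    return ct, (nonces if keep_all_nonces else nonces[:1])

def unlock_model(key, ct, footer):
    # One entry per chunk: recovered bytes, or None when that chunk's nonce is gone.
    n, size = _layout(len(ct))
    return [chacha20_xor(key, footer[i], ct[i * size:(i + 1) * size]) if i < len(footer) else None
            for i in range(n)]
```

With a single chunk the round trip succeeds, which is why files at or below the threshold come back; above it, a correct build (all nonces kept) also round-trips, while the flawed build returns only the first quarter.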

Additionally, the Check Point researchers identified multiple further bugs and design failures across all variants of the Vect ransomware, from self-cancelling string obfuscation and permanently unreachable anti-analysis code to a thread scheduler that actively degrades the encryption performance it was meant to improve.

“Vect 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation,” the Check Point report concluded.
