
Threat hunters warn that the cybercrime campaign known as VECT 2.0 behaves more like a wiper than ransomware, as the encryption implementation across its Windows, Linux, and ESXi variants has critical flaws that make recovery impossible, even for the attackers themselves.
The fact that VECT’s locker permanently destroys large files rather than encrypting them means that even victims who choose to pay the ransom are unable to get their data back, as the decryption key is destroyed by the malware while the encryption takes place.
“VECT is marketed as ransomware, but it acts as a data destruction tool for files larger than 131KB, which is most of the files that businesses actually care about,” Eli Smadja, group manager at Check Point Research, said in a statement shared with Hacker News.
“CISOs need to understand that in VECT incidents, payment is not a recovery strategy. The lack of decryption tools to hand over is not because the attacker is unwilling, but because the information needed to build decryption tools is destroyed the moment the software is executed. The focus needs to be on resiliency – offline backups, tested recovery procedures, and rapid containment – not negotiation.”
VECT (now rebranded to VECT 2.0) is a ransomware-as-a-service (RaaS) scheme that first launched its affiliate program in December 2025. On its dark website, the group displays the message “Exfiltration/Encryption/Extortion,” highlighting its triple-threat business model.
According to an analysis released last month by the Data Security Council of India (DSCI), new affiliates are required to pay a $250 joining fee in Monero (XMR). The fee is waived for applicants from Commonwealth of Independent States (CIS) countries, indicating that the group is looking to recruit individuals from this region.
In recent weeks, the group has established formal partnerships with cybercrime marketplace BreachForums and hacker group TeamPCP. The aim is to further lower the barrier to entry for ransomware operators and encourage affiliates to launch attacks armed with previously stolen data.
Dataminr noted earlier this month that “the convergence of large-scale supply chain credential theft, maturing RaaS operations, and mass mobilization of dark web forums represents an unprecedented model for industrialized ransomware deployment.”
While this partnership may be a sign of things to come, the group’s data leak site currently lists only two victims, both of which are said to have been compromised via the TeamPCP supply chain attack. Additionally, contrary to the group’s initial claims of using the ChaCha20-Poly1305 AEAD cipher for encryption, Check Point’s analysis found that a weaker, unauthenticated cipher with no integrity protection was used.
But that’s not the only problem. The C++-based lockers on all three platforms share a fundamental design flaw that causes files larger than 131,072 bytes to be permanently and irretrievably destroyed rather than encrypted.
“The malware encrypts four separate chunks of each ‘big file’ using four newly generated random 12-byte nonces, but only appends the final nonce to a given encrypted file on disk,” Check Point explains. “The first three nonces are required to decrypt each chunk and are generated, used, and silently discarded. They are never stored on disk, in the registry, or sent to the operator.”
“Because ChaCha20-IETF requires both a 32-byte key and an exactly matching 12-byte nonce to undo each chunk, the first three-quarters of every large file is unrecoverable by anyone, including ransomware operators, who cannot provide effective decryption tools even after the ransom is paid. Because the majority of operationally critical files exceed this ‘large’ threshold, VECT 2.0 actually acts as a data wiper with a ransomware facade.”
In addition to encrypting files across local, removable, and network-accessible storage, the Windows version of this ransomware features a comprehensive suite of anti-analysis measures targeting 44 specific security and debugging tools, as well as a safe mode persistence mechanism and multiple remote execution script templates for lateral spread.
When “--force-safemode” is active, the locker configures the next boot into Windows Safe Mode and writes its own executable path to the Windows registry so that it runs automatically on subsequent Safe Mode boots. Safe Mode starts the operating system in a basic state with a limited set of files and drivers.
Additionally, the Windows variant contains environment-detection routines that are never actually called, so security teams who run the sample do not trigger any evasive behavior. The ESXi variant, on the other hand, enforces geofencing and anti-debugging checks before starting the encryption step, and it also attempts to move laterally over SSH. The Linux version shares the ESXi codebase and implements a subset of its features.
The geofencing step checks if it is running in a CIS country and, if so, exits without encrypting the files. Check Point said the move is rather unusual, as most RaaS programs removed Ukraine from their list of CIS countries following Russia’s military invasion in early 2022.
“These checks have been largely removed from ransomware in recent years,” it added. “It is quite unusual for VECT to include such a check and also add Ukraine to its exclusion list. Check Point Research has two theories regarding this observation: either this code was generated by AI and the LLM was trained with Ukraine as part of the CIS, or VECT used an older ransomware codebase.”
VECT’s operators are assessed to be novices rather than experienced threat actors, and some of the code may have been generated with the help of artificial intelligence (AI) tools.
“VECT 2.0 offers an ambitious threat profile with multi-platform coverage, an active affiliate program, supply chain delivery via the TeamPCP partnership, and a sophisticated operator panel,” Check Point concluded. “In reality, the technical implementation falls far short of the presentation.”
