The latest variant of an emerging ransomware may be far more destructive than its operators intended, acting as a wiper that deletes many of an organization’s captured files instead of encrypting them, as typical ransomware does. This scenario makes recovery impossible for defenders while complicating the possibility of holding files for ransom for the attackers.
The Vect 2.0 variant of the ransomware-as-a-service (RaaS) operation, which first appeared last December, has a flaw across its versions for Windows, Linux, and VMware ESXi that inadvertently and permanently destroys so-called “large files” rather than encrypting them, according to a report published this week by Check Point Software.
For any file of 128KB or larger, “this effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included,” according to the report. Check Point has confirmed that the flaw, which “discards three of four decryption nonces for every file above 131,072 bytes (128 KB),” is identical across all three platform variants.
The Vect Flaw, Unpacked
The flaw lies in how Vect uses its ChaCha20-IETF encryption scheme: the malware encrypts each “large file” as four independent chunks, each under a freshly generated random 12-byte nonce, but appends only the final nonce to the encrypted file on disk, according to Check Point.
“The first three nonces, each required to decrypt its respective chunk, are generated, used, and silently discarded,” according to the report. “They are never stored on disk, in the registry, or transmitted to the operator.”
ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to unlock each chunk of data, so the first three quarters of every large file are unrecoverable by anyone — even the ransomware operators themselves. “Since the vast majority of operationally critical files exceed this ‘large-size’ threshold, Vect 2.0 functions in practice as a data wiper with a ransomware facade,” according to Check Point.
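To make concrete why the first three chunks cannot be recovered, here is an added example (not code from Check Point’s report or from the malware) built on a pure-Python ChaCha20-IETF (RFC 8439) implementation. It reproduces the on-disk layout the report describes for a large file, then shows what a responder holding the key (for instance from a purchased decryptor) could actually get back: only the final chunk. The four-near-equal-parts chunking and all function names are assumptions; the report gives only the size threshold, the chunk count, and the nonce handling.

```python
import os
import struct

# Added example (not Check Point's or Vect's code): pure-Python ChaCha20-IETF (RFC 8439)
# used to reproduce the recoverability consequences of the nonce-handling flaw described above.

LARGE_FILE_THRESHOLD = 131072  # bytes; files above this take the four-chunk path per the report
NONCE_LEN = 12                 # ChaCha20-IETF nonce size
KEY_LEN = 32


def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: RFC 8439 state layout, 20 rounds, feed-forward add."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the same XOR operation) with ChaCha20-IETF."""
    if len(key) != KEY_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("ChaCha20-IETF needs a 32-byte key and a 12-byte nonce")
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        block = data[i:i + 64]
        out[i:i + len(block)] = bytes(p ^ k for p, k in zip(block, ks))
    return bytes(out)


def split_into_four(data):
    """Assumed chunking: four near-equal parts (the report does not give Vect's exact boundaries)."""
    q = len(data) // 4
    return [data[:q], data[q:2 * q], data[2 * q:3 * q], data[3 * q:]]


def simulate_flawed_large_file(key, plaintext):
    """Reproduce the on-disk result the report describes for a 'large file':
    four chunks under four fresh nonces, with only the fourth nonce appended."""
    if len(plaintext) <= LARGE_FILE_THRESHOLD:
        raise ValueError("only the large-file path is modelled here")
    nonces = [os.urandom(NONCE_LEN) for _ in range(4)]
    body = b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, split_into_four(plaintext)))
    return body + nonces[3]  # nonces[0..2] go out of scope here and are gone for good


def assess_recoverability(key, blob):
    """What a responder holding the correct key can actually get back from such a file."""
    body, last_nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    chunks = split_into_four(body)  # stream cipher: body length == plaintext length, same split
    recovered_tail = chacha20_xor(key, last_nonce, chunks[3])
    lost = sum(len(c) for c in chunks[:3])
    return {
        "unrecoverable_bytes": lost,
        "recovered_bytes": len(chunks[3]),
        "recovered_fraction": len(chunks[3]) / len(body),
        "recovered_tail": recovered_tail,
    }


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    sample = bytes(range(256)) * 782  # constructed 200,192-byte "large file"
    report = assess_recoverability(key, simulate_flawed_large_file(key, sample))
    print("unrecoverable bytes:", report["unrecoverable_bytes"])
    print("recovered fraction:", round(report["recovered_fraction"], 3))
```

The key alone buys nothing for the first three chunks: ChaCha20 keystream depends on both key and nonce, and a 96-bit random nonce is not something anyone can search for, so a responder assessing a Vect 2.0 victim should plan on restoring large files from backup regardless of whether a decryptor is obtained.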
The variant also demonstrates other incomplete implementation issues, such as: encryption modes that are parsed but never applied, string obfuscation routines that accidentally cancel themselves out, and a cipher that is incorrectly described in public reporting, according to the report.
Attackers and Defenders Both Affected
The wiper flaw creates a scenario where a decryption key is utterly useless. For this reason, it’s likely that it was not the intention of the operators to create a wiper instead of ransomware, since “once that becomes known, people will be less likely to pay the ransom,” Eli Smadja, group manager, products R&D at Check Point, tells Dark Reading.
For defenders, this makes the situation slightly worse, as they no longer will be able to recover all of their files, even if they agree to pay the ransom to do so, Check Point says. “Victims who pay the ransom cannot receive a working decryptor for their largest files, not through operator deception, but because the information required for decryption was irrecoverably destroyed at the moment of encryption.”
Victims would likely realize they can’t recover their files only after the ransom is paid and the decryption key fails to work, which is why Check Point found it so important to report the flaw in Vect, Smadja says.
In essence, “victims who pay get nothing back,” according to a separate post by researchers at Secure.com, in response to the Check Point findings. This is especially troubling because Vect targets organizations that have critical operational or personal data and often limited downtime tolerance, including those in the manufacturing, education, healthcare, and technology sectors, reads the post.
“These are exactly the environments where file destruction, not mere encryption, causes the most irreversible damage,” the team at Secure.com wrote.
Vect’s Ambitious Start Gone Wrong
Vect ransomware first appeared on a Russian-language cybercrime forum late last year and quickly claimed its first two victims in January 2026, according to Check Point. Last month, the group again gained attention when it unveiled a partnership with TeamPCP, the actor behind several recent supply-chain attacks that injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM and Telnyx, affecting a large base of downstream consumers.
“Shortly after these attacks made headlines, VECT made a post on BreachForums, announcing their partnership with TeamPCP, with the goal to exploit the companies affected by those supply chain attacks,” according to Check Point. At the time, a researcher told Dark Reading that the alliance was a boon for the ransomware group, giving it access to potentially millions of victims who could be infected with its ransomware through TeamPCP’s RAT.
The flaw in Vect 2.0 may put a dent in plans to collect ransoms on any of those potential victims, however. Combined with the other issues found in its latest ransomware variant, Check Point’s findings “paint a picture of a group with operational ambition, reflected in the BreachForums open-affiliate model and the TeamPCP supply-chain campaign, but with cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run,” the report stated.
Because paying a ransom does not work with Vect 2.0, organizations must focus on prevention and recovery preparation to mitigate any damage that can occur if they’re on the receiving end of an attack by the RaaS group.
“Prevention is the better path — this goes from training employees in social engineering awareness to vulnerability management, comprehensive security monitoring, e.g. through EDRs, and proven incident response plans,” Smadja says. Moreover, defenders should maintain offline, immutable backups stored completely separate from the organization’s primary network and test restoration procedures regularly, according to Secure.com. The company also recommended that those using ESXi isolate management interfaces from the rest of the network, limit which accounts can access virtualization infrastructure, and apply strict multi-factor authentication on all administrative logins.
For Windows systems, security teams should monitor for PowerShell-based disabling of Windows Defender, event log clearing activity, and suspicious safe-mode boot configuration changes, all of which are key behavioral indicators of Vect ransomware and will alert them early to a problem.
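As an added example (not Check Point’s or Secure.com’s detection content), the following Python snippet matches the three Windows behaviors named above against constructed, simplified process-creation and log-clear events of the kind a SIEM would normalize, and flags hosts that show more than one of them. Event IDs 1102 and 104 are the standard Windows “audit log was cleared” and “System log file was cleared” events; the sample events, host names, and rule names are constructed for the example.

```python
import re

# Added example (not Check Point's or Secure.com's content): indicator matching over
# constructed, simplified Windows events, grouped per host to separate a one-off admin
# action from the cluster of behaviors that precedes ransomware encryption.

# Constructed sample events (not from any real incident). event_id 4688 = process creation,
# 1102 = Security audit log cleared, 104 = System log cleared.
SAMPLE_EVENTS = [
    {"host": "ws-17", "event_id": 4688,
     "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-17", "event_id": 1102, "command_line": ""},
    {"host": "ws-17", "event_id": 4688,
     "command_line": "bcdedit /set {default} safeboot minimal"},
    {"host": "ws-04", "event_id": 4688,
     "command_line": "notepad.exe C:\\Users\\a\\report.txt"},
    {"host": "ws-04", "event_id": 4688, "command_line": "wevtutil.exe cl System"},
]

LOG_CLEAR_EVENT_IDS = {1102, 104}

# Command-line patterns for the three behaviors named in the article (case-insensitive).
RULES = {
    "defender_disabled_via_powershell": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "safe_mode_boot_change": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
}


def classify_event(event):
    """Return the behavioral indicators a single event matches (empty list if none)."""
    hits = []
    if event.get("event_id") in LOG_CLEAR_EVENT_IDS:
        hits.append("event_log_cleared")
    cmd = event.get("command_line", "")
    for name, pattern in RULES.items():
        if pattern.search(cmd) and name not in hits:
            hits.append(name)
    return hits


def triage(events, min_distinct=2):
    """Group indicators per host and return hosts with at least `min_distinct` different ones.
    A lone log clear may be an administrator; Defender off plus a safe-boot change on the same
    host in a short window is the pattern worth paging on."""
    per_host = {}
    for ev in events:
        for hit in classify_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {h: sorted(inds) for h, inds in per_host.items() if len(inds) >= min_distinct}


if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(indicators)}")
```

In production the per-host grouping would be bounded by a time window and fed from process-creation telemetry that includes the full command line (Security 4688 only carries it when command-line auditing is enabled, or via Sysmon/EDR), but the shape of the logic is the same: each behavior alone is noisy, the combination is a strong early signal.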
Finally, all organizations should validate the integrity of third-party software dependencies. According to Secure.com, “Given Vect’s partnership with TeamPCP, supply chain compromise is a confirmed entry vector.”