VECT 2.0 Ransomware: A Destructive Threat Across Multiple Platforms
A newly identified ransomware variant, VECT 2.0, has emerged as a significant concern within the cybersecurity community due to its destructive capabilities. Unlike conventional ransomware that encrypts files and demands payment for decryption keys, VECT 2.0 irreversibly destroys files larger than 128 KB, rendering data recovery impossible even if the ransom is paid.
Origins and Evolution
VECT Ransomware first surfaced in December 2025 on a Russian-language cybercrime forum, operating as a Ransomware-as-a-Service (RaaS) platform. The group claimed its initial victims in January 2026 and released version 2.0 in February 2026, expanding its reach to Windows, Linux, and VMware ESXi systems. The malware gained further notoriety in March 2026 when VECT announced a partnership with TeamPCP, a threat actor known for supply-chain attacks that injected malware into widely used packages such as Trivy, Checkmarx KICS, LiteLLM, and Telnyx, affecting numerous downstream users.
Technical Analysis
Check Point Research analysts conducted an in-depth examination of all three VECT 2.0 variants after accessing the builder panel through a BreachForums account. Their investigation revealed that VECT had also partnered with BreachForums, allowing every registered forum member free access to deploy the ransomware as an affiliate. This open-affiliate model eliminates the usual vetting process, significantly lowering the barrier for less experienced attackers to participate.
The ransomware is written in C++ and targets all three platforms through statically compiled executables that share a common codebase. Each variant utilizes the ChaCha20-IETF (RFC 8439) cipher via the libsodium cryptographic library and renames encrypted files with the .vect extension, dropping a ransom note named !!!READ_ME!!!.txt on each compromised system. Despite its polished builder panel, the technical execution falls short of a professionally developed ransomware tool.
Critical Flaw: Data Destruction
The most alarming aspect of VECT 2.0 is a critical coding flaw that effectively turns it into a data wiper. Any file exceeding 131,072 bytes (128 KB) is not properly encrypted but instead rendered permanently unrecoverable, targeting the very assets organizations depend on to keep operations running.
The Nonce-Handling Flaw That Destroys Large Files
At the heart of the problem is a fundamental error in how VECT 2.0 handles cryptographic nonces during file encryption. When the malware processes a large file, it divides it into four chunks and encrypts each one using a freshly generated, random 12-byte nonce. All four encryption calls write their nonces into the same shared memory buffer, meaning each new nonce overwrites the previous one. By the time encryption finishes, only the nonce from the fourth and final chunk survives and gets written to the encrypted file on disk.
This flawed nonce handling permanently destroys data in files larger than 128 KB: a ChaCha20 keystream can only be regenerated from the key together with the exact nonce that was used, and the nonces for the first three chunks were overwritten before they were ever stored, so the information needed to decrypt those chunks is irretrievably lost. Consequently, even if victims pay the ransom, recovery of these files is impossible.
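The following Python is an added illustration, not code from the article or from Check Point's analysis: it implements RFC 8439 ChaCha20 in pure Python, models the shared-nonce-buffer mistake described above, and then attempts decryption with the single nonce that reached disk. The equal four-way split, the 12-byte nonce header at the start of the output and all function names are assumptions for the demonstration, not details taken from the sample.

```python
import os
import struct

M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439: 32-byte key, 32-bit counter, 12-byte nonce)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *idx)
    return struct.pack("<16I", *((x + y) & M for x, y in zip(s, init)))


def chacha20_ietf_xor(data, key, nonce):
    """Stream-cipher XOR with the block counter starting at 0; encryption and decryption are the same call."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = chacha20_block(key, off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)


CHUNKS = 4  # the article describes a four-chunk split; equal chunk sizes are an assumption here


def buggy_encrypt(plaintext, key):
    """Models the flaw: four fresh random nonces are written into ONE shared buffer, so only the last survives."""
    nonce_buf = bytearray(12)                      # shared buffer, not one per chunk
    size = -(-len(plaintext) // CHUNKS)
    body = b""
    for i in range(CHUNKS):
        nonce_buf[:] = os.urandom(12)              # overwrites the previous chunk's nonce
        body += chacha20_ietf_xor(plaintext[i * size:(i + 1) * size], key, bytes(nonce_buf))
    return bytes(nonce_buf) + body                 # the header carries only the 4th chunk's nonce


def recover(blob, key, original):
    """Decrypt every chunk with the single stored nonce and report which chunks come back intact."""
    nonce, body = blob[:12], blob[12:]
    size = -(-len(original) // CHUNKS)
    return [chacha20_ietf_xor(body[i * size:(i + 1) * size], key, nonce)
            == original[i * size:(i + 1) * size] for i in range(CHUNKS)]
```

Run against any plaintext, `recover` reports the first three chunks as unrecoverable and only the fourth as intact, which is exactly the outcome the article describes for files over 128 KB.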
Implications for Organizations
The emergence of VECT 2.0 underscores the evolving nature of ransomware threats and the increasing sophistication of cybercriminal operations. Organizations must recognize that paying a ransom does not guarantee data recovery, especially when dealing with malware that contains such critical flaws.
Recommendations for Mitigation
To protect against threats like VECT 2.0, organizations should implement the following measures:
1. Regular Backups: Maintain up-to-date backups of critical data and store them offline to prevent ransomware from accessing them.
2. Patch Management: Keep all systems and software updated with the latest security patches to close vulnerabilities that ransomware could exploit.
3. Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors used to deliver ransomware.
4. Network Segmentation: Divide networks into segments to limit the spread of ransomware if an infection occurs.
5. Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and coordinated reaction to ransomware attacks.
Conclusion
VECT 2.0 represents a significant escalation in ransomware threats, combining cross-platform capabilities with a destructive flaw that leads to permanent data loss. Organizations must adopt a proactive and comprehensive approach to cybersecurity to defend against such evolving threats.