VECT 2.0 Ransomware Poses Data Destruction Threat due to Critical Encryption Flaw Across Multiple Systems

VECT 2.0 Ransomware: A Destructive Threat to Critical Data

Cybersecurity experts are raising alarms about VECT 2.0, a ransomware variant that functions more like a data wiper due to a critical flaw in its encryption process. This flaw affects Windows, Linux, and ESXi systems, leading to irreversible data loss for files exceeding 131KB.

Unlike typical ransomware, VECT 2.0’s encryption method permanently destroys large files. Even if victims pay the ransom, data recovery is impossible because the malware discards essential decryption keys during the encryption process. Eli Smadja, group manager at Check Point Research, emphasized, "VECT is being marketed as ransomware, but for any file over 131KB – which is most of what enterprises actually care about – it functions as a data destruction tool."

VECT 2.0 operates as a ransomware-as-a-service (RaaS) platform, launching its affiliate program in December 2025. The group promotes a triple-threat model of exfiltration, encryption, and extortion. New affiliates are required to pay a $250 entry fee in Monero (XMR), though this fee is waived for applicants from Commonwealth of Independent States (CIS) countries, suggesting targeted recruitment efforts in that region.

Recently, VECT 2.0 partnered with the BreachForums cybercrime marketplace and the TeamPCP hacking group. This collaboration aims to streamline ransomware deployment by leveraging previously stolen data. Dataminr noted, "The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment."

Despite these developments, VECT 2.0’s data leak site currently lists only two victims, both compromised via TeamPCP supply chain attacks. Contrary to the group’s claims of using ChaCha20-Poly1305 AEAD for encryption, analysis reveals the use of a weaker, unauthenticated cipher lacking integrity protection.

A significant design flaw in VECT 2.0’s C++-based lockers results in the permanent destruction of files larger than 131,072 bytes. The malware encrypts four independent chunks of each large file using freshly generated random 12-byte nonces but appends only the final nonce to the encrypted file. The first three nonces, necessary for decryption, are generated, used, and discarded without storage or transmission. Consequently, the first three-quarters of every large file are unrecoverable, even by the ransomware operators.
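To make the nonce-handling failure concrete for recovery planning, here is an added model of the described behaviour (not the malware's code, and not Check Point's analysis tooling). It uses an HMAC-SHA256 counter-mode keystream as a stand-in for the unknown unauthenticated cipher, and the function names and the assumption that files at or below 131,072 bytes are unaffected are hypothetical; it shows that a decryptor holding the key and the file can reproduce only the final quarter of a large file.

```python
import hashlib
import hmac
import os

CHUNKS = 4            # four independently encrypted chunks, per the analysis
NONCE_LEN = 12        # 12-byte nonces, per the analysis
LARGE_FILE = 131_072  # bytes; files above this hit the flaw

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (assumption, not the malware's cipher): HMAC-SHA256
    # in counter mode. All that matters here is that output depends on the nonce.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "little"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def chunk_len(size: int) -> int:
    return -(-size // CHUNKS)  # ceil(size / 4); the last chunk may be shorter

def flawed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Models the described behaviour: a fresh random nonce per chunk, with only
    # the final nonce appended to the output file.
    n = chunk_len(len(plaintext))
    body, last_nonce = b"", b""
    for i in range(CHUNKS):
        part = plaintext[i * n:(i + 1) * n]
        nonce = os.urandom(NONCE_LEN)  # generated, used, never stored or sent
        body += xor(part, keystream(key, nonce, len(part)))
        last_nonce = nonce             # the previous nonce is overwritten here
    return body + last_nonce

def decrypt_with_stored_nonce(key: bytes, blob: bytes) -> list:
    # What a decryptor holding the key and the file can do: apply the one stored
    # nonce to every chunk. Only the last chunk comes back; the others would
    # need a 96-bit random value that no longer exists anywhere.
    body, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    n = chunk_len(len(body))
    parts = [body[i * n:(i + 1) * n] for i in range(CHUNKS)]
    return [xor(p, keystream(key, nonce, len(p))) for p in parts]

def expected_loss(size: int) -> int:
    # Triage helper: bytes of a file nobody can recover. Files at or under the
    # threshold are assumed unaffected (the text describes only the large path).
    return 0 if size <= LARGE_FILE else 3 * chunk_len(size)
```

For an incident responder the practical output is `expected_loss`: any affected file over the threshold should be treated as three-quarters destroyed and restored from backup rather than awaited from a decryptor.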

The Windows variant of VECT 2.0 encrypts files across local, removable, and network-accessible storage. It includes an anti-analysis suite targeting 44 security and debugging tools, a safe-mode persistence mechanism, and remote-execution scripts for lateral movement. When the --force-safemode option is active, the malware configures the system to boot into Safe Mode and ensures its execution during this mode.

The ESXi variant implements geofencing and anti-debugging checks before initiating encryption and attempts lateral movement using SSH. The Linux version shares the same codebase as the ESXi variant but with a subset of its functionality.

Notably, the geofencing step checks if the malware is running in a CIS country and exits without encrypting files if so. This behavior is unusual, as most RaaS programs removed Ukraine from the CIS exclusion list following geopolitical events in early 2022. Check Point Research suggests that VECT 2.0’s operators may be novice actors or that parts of the code could have been generated using artificial intelligence tools.

In conclusion, VECT 2.0 presents a significant threat due to its destructive nature and flawed encryption implementation. Organizations are advised to focus on resilience strategies, including offline backups, tested recovery procedures, and rapid containment, rather than relying on ransom payments for data recovery.