AboutDFIR A.I CyberSecurity Scoring
AboutDFIR
Company Information
Website: https://aboutdfir.com/
Number of employees: 1
Number of followers: 988
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: aboutdfir.com
AboutDFIR Risk Score (AI oriented)
Score band: Between 700 and 749
Updated: 29/04/2026
Score: 734/1000 (Moderate, Ba)
AboutDFIR Global Score (TPRM): Score locked
Incidents: 1
Average impact: -17
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 734
MAY 2026: 734
APRIL 2026: 734
MARCH 2026: 733
FEBRUARY 2026: 733
JANUARY 2026: 732
DECEMBER 2025: 731
NOVEMBER 2025: 731
OCTOBER 2025: 747
Cyber Attack
01 Oct 2025 • AboutDFIR
BreachForums: VECT 2.0 Ransomware Wipes Large Files Across Windows, Linux & ESXi
VECT 2.0 Ransomware Unmasked as a Cross-Platform Data Wiper with Unrecoverable Encryption Flaws
730
CRITICAL-17
ABO1777458252
Researchers at Check Point Research (CPR) have exposed VECT 2.0, a ransomware strain marketed as a recoverable encryption tool, as a cross-platform data wiper that permanently destroys enterprise files. Unlike traditional ransomware, VECT 2.0’s flawed encryption routine renders most critical data mathematically unrecoverable, even for the attackers, making it a destructive threat rather than a viable extortion tool.
### How VECT 2.0 Operates
VECT 2.0 targets Windows, Linux, and VMware ESXi systems, processing files larger than 128 KB in four separate chunks using ChaCha20-IETF encryption. However, the malware discards the first three encryption nonces required for decryption without storing them, leaving 75% of each large file irretrievably corrupted. Only the last nonce is appended to the file, making recovery impossible for files exceeding the threshold.
This design flaw affects nearly all enterprise file types, including:
- Virtual machine disk images
- Databases
- Documents and archives
- Backups
### Technical Flaws and Misleading Marketing
Despite VECT’s claims of using ChaCha20-Poly1305 AEAD encryption, CPR found it relies on raw ChaCha20-IETF without authentication tags, meaning there is no integrity protection: each file holds only ciphertext and a single nonce. The malware also includes unused "encryption speed" flags (e.g., `--fast`, `--medium`, `--secure`), which have no functional impact, exposing a gap between its marketing and actual implementation.
Additional issues include:
- Over-threaded encryption, degrading performance despite aggressive CPU-based scaling.
- Unreachable anti-analysis code and ineffective string obfuscation.
- Hardcoded thresholds (128 KB file size, 32 KB chunks) that remain unchanged regardless of operator settings.
### RaaS Model and Affiliate Expansion
VECT operates as a Ransomware-as-a-Service (RaaS) program, first advertised on a Russian-language forum in late 2025 and linked to at least two victims by early 2026. The group has since partnered with BreachForums, offering all registered users affiliate access to its ransomware panel, negotiation platform, and leak site. It has also collaborated with TeamPCP, a supply-chain threat actor.
Despite its professional branding, VECT’s low victim count and technical shortcomings suggest weak engineering behind the operation.
### Impact: Permanent Data Loss
Security experts warn that paying the ransom will not restore corrupted files, as the encryption design ensures permanent destruction of most enterprise data. Organizations affected by VECT 2.0 should treat the incident as a data-wiping attack rather than a recoverable ransomware case. The flaw has existed since the malware’s earliest observed deployments and remains unpatched.
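For restore planning along these lines, the following added example (not from CPR or the original page) ranks file categories by the volume that must come back from backup, using the 128 KB threshold and 75% loss figure reported above. It assumes file sizes come from a pre-incident inventory such as a backup catalogue; the extension-to-category map and the sample inventory are constructed for illustration.

```python
import os
from collections import defaultdict

# Hardcoded large-file threshold reported in the write-up above.
THRESHOLD = 128 * 1024

# Assumption: illustrative extension map, extend it for your own estate.
CATEGORIES = {
    ".vmdk": "vm_disk", ".vhdx": "vm_disk",
    ".mdf": "database", ".sqlite": "database",
    ".bak": "backup", ".zip": "archive", ".docx": "document",
}

def classify(size):
    """Files larger than the threshold are the ones reported as unrecoverable."""
    return "restore_from_backup" if size > THRESHOLD else "small_file_review"

def triage(inventory):
    """inventory: iterable of (path, pre-incident size in bytes).
    Returns [(category, totals)] sorted by estimated lost bytes, largest first."""
    report = defaultdict(lambda: {"files": 0, "bytes": 0, "lost_bytes": 0})
    for path, size in inventory:
        if classify(size) != "restore_from_backup":
            continue  # at or below the threshold: handled separately
        ext = os.path.splitext(path)[1].lower()
        row = report[CATEGORIES.get(ext, "other")]
        row["files"] += 1
        row["bytes"] += size
        row["lost_bytes"] += size * 3 // 4  # 75% of each large file, per the write-up
    return sorted(report.items(), key=lambda kv: kv[1]["lost_bytes"], reverse=True)

# Constructed sample inventory (not real data).
SAMPLE = [
    ("esx/vm1-flat.vmdk", 40 * 1024**3),
    ("db/crm.mdf", 2 * 1024**3),
    ("docs/plan.docx", 512 * 1024),
    ("docs/note.docx", 64 * 1024),
    ("logs/app.log", 1024 * 1024),
    ("share/readme.txt", 128 * 1024),  # exactly at the threshold, not above it
]

if __name__ == "__main__":
    for category, row in triage(SAMPLE):
        print(f"{category:10} files={row['files']} lost_bytes={row['lost_bytes']}")
```
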
SEPTEMBER 2025: 747
AUGUST 2025: 747
JULY 2025: 747