Vect Ransomware Turns Out to Be a Wiper, Destroying Victims’ Data Instead of Encrypting It A recent wave of supply-chain attacks targeting tools like Trivy and LiteLLM has left victims with little hope of data recovery, even after paying ransoms. According to Check Point Research, the Vect ransomware group partnering with TeamPCP isn’t actually encrypting files but instead permanently wiping any data larger than 128KB. Since January, Vect’s leak site has listed 25 organizations, with four added since March, when extortion efforts tied to the supply-chain attacks began. However, it remains unclear how many of these victims are linked to the Trivy and LiteLLM compromises. On April 15, Vect claimed two major targets Guesty (700GB) and S&P Global (250GB) allegedly tied to earlier TeamPCP breaches, though these claims lack independent verification. Neither company responded to inquiries. Vect and TeamPCP, which previously compromised security and developer tools like Checkmarx and Telnyx, announced their partnership on BreachForums, boasting of plans for larger supply-chain attacks and follow-on ransomware campaigns. Vect also integrated its ransomware-as-a-service (RaaS) with BreachForums, allowing registered users to access its malware, negotiation platform, and leak site. Check Point researchers gained access to Vect’s ransomware builder and discovered critical flaws. Instead of encrypting files, Vect 2.0 destroys any file exceeding 128KB by discarding essential decryption keys. The malware, available for Windows, Linux, and ESXi, uses libsodium-based encryption but fails to properly handle decryption nonces, making recovery impossible even for the attackers. Additional bugs and poor implementation further undermine its effectiveness, with researchers describing the code as "not technically sophisticated" and "amateur execution." The discovery confirms that victims of these attacks whether from supply-chain compromises or direct infections face irreversible data loss, regardless of ransom payments.