VECT 2.0 Ransomware Flaw Turns It Into a Data Wiper, Destroying Files Permanently Cybersecurity researchers have identified a critical flaw in VECT 2.0, a Ransomware-as-a-Service (RaaS) operation, that renders victim data permanently unrecoverable even after paying the ransom. Unlike traditional ransomware, which encrypts files for extortion, VECT 2.0 destroys files larger than 128 KB due to a cryptographic error, effectively functioning as a data wiper. ### The Fatal Flaw: How VECT 2.0 Fails at Encryption VECT 2.0 uses the ChaCha20-IETF cipher across its Windows, Linux, and VMware ESXi variants. However, a coding mistake causes the malware to overwrite encryption nonces in memory. For files exceeding 131,072 bytes (128 KB), the ransomware splits data into four chunks, each requiring a unique nonce. Due to the flaw, only the final nonce is retained, making decryption of the first three chunks mathematically impossible even for the attackers. Enterprise databases, virtual machine disks, and standard office documents most of which exceed 128 KB are irreversibly corrupted. Researchers initially misidentified the cipher as ChaCha20-Poly1305 AEAD, but confirmed the malware lacks integrity protection or authentication tags, further complicating recovery efforts. ### Multi-Platform Threat: Enterprise-Wide Destruction Despite amateur coding errors such as an aggressive thread scheduler that slows encryption and self-canceling obfuscation VECT 2.0 poses a severe risk to enterprise networks. The malware targets multiple platforms in coordinated attacks: - Windows: Manipulates Safe Mode boot settings to disable security tools, then spreads laterally via SMB and WinRM. - Linux: Wipes system logs and targets enterprise file servers. - VMware ESXi: Disables hypervisor monitoring services and destroys virtual machine disk files. ### Threat Actor Alliances Expand Attack Surface VECT 2.0 has formed strategic partnerships with major cybercrime groups, amplifying its reach: - BreachForums: All forum members are now automatic affiliates, granting VECT a vast distribution network. - TeamPCP: A threat actor known for supply chain attacks on developer tools like Trivy and Checkmarx KICS, providing VECT with a direct pipeline to exploit downstream consumers. With no possibility of data recovery, organizations face total data loss if infected. The flaw underscores the growing trend of ransomware evolving into destructive wipers, shifting the focus from extortion to outright sabotage.