VECT Ransomware's Fatal Flaw Turns Encryption into Permanent Data Destruction, Researchers Warn


Breaking: VECT Ransomware Effectively a Wiper for Large Files

Check Point Research (CPR) has discovered that the VECT ransomware permanently destroys large files rather than encrypting them. A flaw in the encryption routine discards three of the four per-chunk nonces for every file larger than 131,072 bytes (128 KB), so those files cannot be fully decrypted by anyone, the attacker included.

[Image: VECT Ransomware's Fatal Flaw Turns Encryption into Permanent Data Destruction (source: research.checkpoint.com)]

“Full recovery is impossible—this is not a ransomware; it’s a wiper with a ransom note,” a CPR analyst told reporters. The threshold of only 128 KB means virtually any file containing meaningful data—VM disks, databases, documents, and backups—is rendered unrecoverable. CPR confirmed the flaw exists across all publicly available VECT versions.

The Critical Encryption Flaw

The cipher is misidentified in public reporting. VECT uses raw ChaCha20-IETF (RFC 8439, 96-bit nonce) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in several threat intelligence reports and in VECT's initial advertisement. There is no Poly1305 MAC, so encrypted files carry no integrity protection: any modification to the ciphertext goes undetected at decryption time.

The advertised encryption speed modes (--fast, --medium and --secure) are parsed and then silently ignored. Every execution applies the same hardcoded file-size thresholds regardless of which mode the operator selects.

Three Platforms, One Flawed Engine

Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout. “This confirms a single codebase ported across platforms,” CPR notes.
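To make the failure mode concrete, the following is an added example, not VECT's code and not CPR's analysis tooling. It implements raw ChaCha20-IETF per RFC 8439 in pure Python and layers on a simplified model of the scheme the article describes: files up to 131,072 bytes are encrypted under one nonce, larger files are split into four chunks, each under a fresh random nonce, and only one nonce is retained. The equal four-way split, the choice of the last nonce as the survivor, and all helper names are assumptions; the page does not give the real footer layout. A second helper illustrates the missing Poly1305 tag: a flipped ciphertext bit decrypts to a flipped plaintext bit with no error.

```python
"""Model of the VECT nonce-handling flaw on a from-scratch ChaCha20 (RFC 8439).

Added example only. The chunking, the footer layout and which nonce survives
are assumptions modelled on the published description, not VECT's real code.
"""
import os
import struct

CHUNK_THRESHOLD = 131072  # 128 KB: files above this are chunked, per CPR
CHUNKS = 4                # the "four-chunk logic" described in the report


def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit counter, 96-bit IETF nonce."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column/diagonal pairs
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: XOR data with keystream. No Poly1305, no integrity check."""
    out = bytearray()
    for off in range(0, len(data), 64):
        blk = data[off:off + 64]
        ks = chacha20_block(key, counter + off // 64, nonce)[:len(blk)]
        out += (int.from_bytes(blk, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(blk), "little")
    return bytes(out)


def vect_like_encrypt(key, plaintext):
    """Assumed model: small files get one nonce; large files are cut into four chunks,
    each under a fresh nonce, but only one nonce (assumed: the last) is kept."""
    if len(plaintext) <= CHUNK_THRESHOLD:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, plaintext), nonce
    bounds = [len(plaintext) * i // CHUNKS for i in range(CHUNKS + 1)]
    ciphertext, kept_nonce = b"", None
    for i in range(CHUNKS):
        nonce = os.urandom(12)  # fresh per chunk ...
        ciphertext += chacha20_xor(key, nonce, plaintext[bounds[i]:bounds[i + 1]])
        kept_nonce = nonce      # ... but each one overwrites the previous: three are lost
    return ciphertext, kept_nonce


def recover_chunks(key, ciphertext, kept_nonce, original):
    """Decrypt with the only nonce left and compare per chunk to the original.
    Returns one boolean per chunk (a single entry for files at or below the threshold)."""
    if len(ciphertext) <= CHUNK_THRESHOLD:
        return [chacha20_xor(key, kept_nonce, ciphertext) == original]
    bounds = [len(ciphertext) * i // CHUNKS for i in range(CHUNKS + 1)]
    return [chacha20_xor(key, kept_nonce, ciphertext[bounds[i]:bounds[i + 1]])
            == original[bounds[i]:bounds[i + 1]] for i in range(CHUNKS)]


def simulate(file_size, key=None):
    """Encrypt a constructed random 'file' of file_size bytes and report which chunks survive."""
    key = key or os.urandom(32)
    plaintext = os.urandom(file_size)  # constructed sample data
    ciphertext, nonce = vect_like_encrypt(key, plaintext)
    return recover_chunks(key, ciphertext, nonce, plaintext)


def flip_byte_undetected(key, nonce, plaintext, index, mask):
    """Without a Poly1305 tag, a ciphertext modification simply lands in the plaintext."""
    ct = bytearray(chacha20_xor(key, nonce, plaintext))
    ct[index] ^= mask
    return chacha20_xor(key, nonce, bytes(ct))


if __name__ == "__main__":
    print("file at the 128 KB threshold:", simulate(CHUNK_THRESHOLD))          # -> [True]
    print("file one byte larger:", simulate(CHUNK_THRESHOLD + 1))              # -> [False, False, False, True]
    print(flip_byte_undetected(b"k" * 32, b"n" * 12, b"pay the ransom", 0, 0x20))  # -> b'Pay the ransom'
```

With the correct key in hand, the first three quarters of any file over the threshold still decrypt to keystream garbage, because the nonces that produced that keystream were never written anywhere; a decryptor from the attacker changes nothing. The last call shows why "no Poly1305" matters independently of the nonce bug: the ciphertext is freely malleable and decryption never fails.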

Beyond the nonce flaw, CPR identified several further bugs and design failures shared by all variants: string obfuscation that cancels itself out, anti-analysis code that can never be reached, and a thread scheduler that actively degrades the encryption performance it was meant to improve.

Background: VECT’s Rapid Rise and Partnerships

VECT ransomware first appeared in December 2025 as a Ransomware-as-a-Service (RaaS) on a Russian-language cybercrime forum. After claiming two victims in January 2026, the group gained public attention through a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.


Shortly after those attacks made headlines, VECT posted on BreachForums announcing their partnership with TeamPCP. The goal: to exploit the companies affected by those supply-chain attacks. Additionally, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate, gaining access to VECT’s ransomware, negotiation platform, and leak site.

What This Means for Victims and the Ransomware Ecosystem

Organizations hit by VECT should not expect to recover their files, even if they pay the ransom. Because the nonces needed to decrypt three of the four chunks of every file above 128 KB are never stored, no decryptor, including the attacker's own, can restore those files. "This effectively eliminates any incentive to pay, though victims may not know this until after the attack," the analyst added.

The discovery underscores how error-prone ransomware development remains. While VECT marketed itself as a capable RaaS, its technical failures mean it functions as a destructive wiper. Security teams should treat tested, offline or air-gapped backups as the only reliable recovery path. The supply-chain tie-in widens the exposure: enterprises that trusted the compromised packages are exactly the targets VECT and TeamPCP set out to reach with this destructive payload.
