VECT Ransomware's Fatal Flaw Turns Encryption into Permanent Data Destruction, Researchers Warn
Breaking: VECT Ransomware Effectively a Wiper for Large Files
Check Point Research (CPR) has discovered that the VECT ransomware permanently destroys large files rather than encrypting them. A critical flaw in the encryption implementation discards three of four decryption nonces for every file above 131,072 bytes (128 KB). This makes full recovery impossible for anyone, including the attacker.

“Full recovery is impossible—this is not a ransomware; it’s a wiper with a ransom note,” a CPR analyst told reporters. The threshold of only 128 KB means virtually any file containing meaningful data—VM disks, databases, documents, and backups—is rendered unrecoverable. CPR confirmed the flaw exists across all publicly available VECT versions.
The Critical Encryption Flaw
The cipher is misidentified in public reporting. VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in several threat intelligence reports and VECT’s initial advertisement. There is no Poly1305 MAC and no integrity protection.
The advertised encryption speed modes (--fast, --medium, and --secure) are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardless of operator selection.
Three Platforms, One Flawed Engine
Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout. “This confirms a single codebase ported across platforms,” CPR notes.
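Added example (not from CPR's report and not VECT's code): a simplified Python model of the nonce flaw and four-chunk logic described above, built on a pure-Python raw ChaCha20-IETF keystream, showing how much of a file the key holder can still decrypt. The equal-size chunk layout, the choice of which nonce survives, and the names model_flawed_encrypt and chunks_restored are assumptions made for illustration.

```python
import os, struct
THRESHOLD = 131_072  # bytes; per the article, files above this size hit the flaw

def _quarter(s, a, b, c, d):  # ChaCha quarter round, RFC 8439 section 2.1
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        v = s[z] ^ s[x]
        s[z] = ((v << r) | (v >> (32 - r))) & 0xFFFFFFFF

def chacha20_block(key, counter, nonce):
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter(s, *idx)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: no Poly1305 tag, so output length equals input length."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def model_flawed_encrypt(data, key):
    """Simplified model (assumed layout): returns (ciphertext, nonces kept)."""
    if len(data) <= THRESHOLD:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, data), [nonce]
    size = -(-len(data) // 4)  # four chunks, one fresh nonce each
    nonces = [os.urandom(12) for _ in range(4)]
    ct = b"".join(chacha20_xor(key, n, data[i * size:(i + 1) * size])
                  for i, n in enumerate(nonces))
    return ct, nonces[-1:]  # the flaw: one of four nonces survives (which one is assumed)

def chunks_restored(ct, key, kept, original):
    """Return (chunks decryptable with the key and the kept nonces, total chunks)."""
    n = 1 if len(ct) <= THRESHOLD else 4
    size = max(1, -(-len(ct) // n))
    ok = sum(any(chacha20_xor(key, k, ct[i:i + size]) == original[i:i + size] for k in kept)
             for i in range(0, len(ct), size))
    return ok, n

if __name__ == "__main__":
    key, data = os.urandom(32), os.urandom(THRESHOLD + 1)  # constructed sample file
    ct, kept = model_flawed_encrypt(data, key)
    print(chunks_restored(ct, key, kept, data))
```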
Beyond the nonce flaw, CPR identified multiple additional bugs and design failures across all variants: self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that actively degrades the encryption performance it was meant to improve.
Background: VECT’s Rapid Rise and Partnerships
VECT ransomware first appeared in December 2025 as a Ransomware-as-a-Service (RaaS) on a Russian-language cybercrime forum. After claiming two victims in January 2026, the group gained public attention through a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx, affecting a large base of downstream consumers.

Shortly after those attacks made headlines, VECT posted on BreachForums announcing their partnership with TeamPCP. The goal: to exploit the companies affected by those supply-chain attacks. Additionally, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate, gaining access to VECT’s ransomware, negotiation platform, and leak site.
What This Means for Victims and the Ransomware Ecosystem
Organizations hit by VECT should not expect to recover files—even if they pay the ransom. The encryption flaw ensures permanent destruction of large files, meaning decryption is impossible. “This effectively eliminates any incentive to pay, though victims may not know this until after the attack,” the analyst added.
The discovery underscores ongoing flaws in ransomware development. While VECT marketed itself as a capable RaaS, its technical failures mean it functions as a destructive wiper. Security teams should prioritize backups and air-gapped storage as the only reliable defense. The attack surface now includes enterprises trusting software from supply chains—VECT capitalizes on that trust to deliver its destructive payload.