A new ransomware variant, VECT 2.0, has emerged as a significant threat in the cybersecurity landscape because of a severe flaw in its encryption process. Rather than holding data hostage for ransom, the malware in effect destroys any file larger than 128 KB: such files cannot be recovered even if the ransom is paid.
Origins and Expansion of VECT Ransomware
First appearing in December 2025, VECT Ransomware was introduced on a Russian cybercrime forum as a Ransomware-as-a-Service (RaaS) model. It successfully targeted its initial victims by January 2026, and by February of the same year, the malware had evolved into VECT 2.0, broadening its scope to impact Windows, Linux, and VMware ESXi systems.
The ransomware gained notoriety in March 2026 through a collaboration with TeamPCP, a group known for supply-chain attacks. This partnership allowed the insertion of malicious code into popular software packages like Trivy and Checkmarx KICS, thereby amplifying the ransomware’s reach.
Technical Insights and Distribution
Check Point Research conducted a thorough analysis of VECT 2.0 after accessing its builder panel via a BreachForums account. Their findings revealed a partnership with BreachForums, enabling open affiliate access that lowered entry barriers for potential cybercriminals. This model allows forum members to distribute the ransomware with minimal experience.
VECT 2.0 is developed in C++ and deploys across multiple platforms using shared codebases. The malware employs the ChaCha20-IETF cipher for encryption and appends a .vect extension to affected files, alongside a ransom note labeled !!!READ_ME!!!.txt. Despite its user-friendly builder panel, the ransomware’s execution lacks professional refinement.
The Critical Flaw: Data Wiping Instead of Encryption
The most concerning issue with VECT 2.0 lies in its cryptographic nonce handling. When processing files larger than 131,072 bytes (128 KB), the malware splits them into four segments and encrypts each with its own nonce. Because of a coding error, however, only the final segment's nonce is retained, so the other three segments can never be decrypted and the rest of the file is irretrievable.
This flaw, confirmed by Check Point Research, persists across all platform variants and was present in earlier releases. As a result, critical data types such as virtual machine images and databases are at risk, emphasizing the need for robust backup strategies.
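The following example is added here to illustrate the failure mode described above; it is not code from the malware or from Check Point Research. It implements ChaCha20 as specified in RFC 8439 (the IETF variant with a 96-bit nonce, which the page says VECT uses), encrypts a constructed buffer as four segments under four distinct nonces, then simulates what happens when only the last nonce survives. The key, nonces, segment sizes and buffer contents are all constructed for the demonstration, and the 128 KB threshold is taken from the article. The point for defenders is that a stream cipher's keystream is a function of key and nonce together, so losing three of the four nonces leaves no decryption path even with the key in hand, which is why offline backups are the only remedy.

```python
import struct

# --- ChaCha20 (RFC 8439, 96-bit nonce, 32-bit counter), pure Python ---------

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] ^= s[a]; s[d] = _rotl(s[d], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] ^= s[c]; s[b] = _rotl(s[b], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] ^= s[a]; s[d] = _rotl(s[d], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] ^= s[c]; s[b] = _rotl(s[b], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for (key, counter, nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state += [counter]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_selftest():
    """Check the implementation against the RFC 8439 section 2.4.2 vector."""
    key = bytes(range(32))
    nonce = bytes([0, 0, 0, 0, 0, 0, 0, 0x4A, 0, 0, 0, 0])
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_xor(key, nonce, msg, counter=1)
    return ct[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"


# --- Segmented encryption and the lost-nonce failure mode -------------------

SPLIT_THRESHOLD = 131_072   # 128 KB, the size above which the article says files are split
SEGMENTS = 4                # number of segments the article describes


def split_segments(data, parts=SEGMENTS):
    size = -(-len(data) // parts)             # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def demo():
    """Encrypt four segments under four nonces, then attempt recovery two ways."""
    key = bytes(range(32))                                        # constructed demo key
    # A small buffer (well under SPLIT_THRESHOLD) keeps pure-Python ChaCha20 fast;
    # each segment is a recognisable run of one letter: AAAA..., BBBB..., ...
    plaintext = b"".join(bytes([0x41 + i]) * 300 for i in range(SEGMENTS))
    segments = split_segments(plaintext)
    nonces = [(0x1000 + i).to_bytes(12, "little") for i in range(SEGMENTS)]  # constructed, distinct

    ciphertexts = [chacha20_xor(key, n, s) for s, n in zip(segments, nonces)]

    # Correct handling: every segment's nonce is stored, so everything decrypts.
    correct = [chacha20_xor(key, n, c) == s
               for c, n, s in zip(ciphertexts, nonces, segments)]

    # The flaw: only the final segment's nonce survives, and it is the only
    # nonce available at decryption time. Segments 1-3 come back as garbage.
    only_nonce = nonces[-1]
    flawed = [chacha20_xor(key, only_nonce, c) == s
              for c, s in zip(ciphertexts, segments)]
    return {"correct": correct, "flawed": flawed}


if __name__ == "__main__":
    print("RFC 8439 self-test:", rfc8439_selftest())
    print(demo())   # {'correct': [True, True, True, True], 'flawed': [False, False, False, True]}
```

Decrypting a segment with the wrong nonce yields plaintext XOR keystream(n_i) XOR keystream(n_last), which is indistinguishable from random bytes, so no amount of key recovery or negotiation with the operators brings the first three quarters of the file back.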
Recommendations for Protection
To safeguard against VECT 2.0, organizations are advised to maintain offline backups isolated from network access. Monitoring for signs of ransomware activity, including bulk process terminations and file renaming to .vect, is crucial for early detection.
Additionally, ensuring the integrity of third-party software and watching for specific behavioral indicators such as disabling of security features can help mitigate potential damage. Given VECT’s association with TeamPCP, a proactive approach to cybersecurity is essential.
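As an added example of the early-detection advice above (not a detection rule published by Check Point Research or any vendor), the script below runs three checks over constructed endpoint log lines: a rename whose destination ends in .vect, creation of the !!!READ_ME!!!.txt ransom note, and a burst of process terminations by one process within a short window. The log format, field names, hostnames, PIDs and thresholds are all assumptions made for the example; the extension and note filename come from the article.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ENCRYPTED_EXT = ".vect"                 # from the article
RANSOM_NOTE = "!!!READ_ME!!!.txt"       # from the article
KILL_BURST_COUNT = 5                    # assumed threshold; tune to the environment
KILL_BURST_WINDOW_S = 10                # assumed window in seconds

# Constructed sample log in an assumed "ts host=... event=... k=v ..." format.
SAMPLE_LOG = """\
2026-03-14T10:02:00Z host=fs01 event=process_terminate pid=4412 target="sqlservr.exe"
2026-03-14T10:02:01Z host=fs01 event=process_terminate pid=4412 target="vmware-vmx.exe"
2026-03-14T10:02:01Z host=fs01 event=process_terminate pid=4412 target="outlook.exe"
2026-03-14T10:02:02Z host=fs01 event=process_terminate pid=4412 target="excel.exe"
2026-03-14T10:02:02Z host=fs01 event=process_terminate pid=4412 target="winword.exe"
2026-03-14T10:02:05Z host=fs01 event=file_rename pid=4412 src="C:\\share\\finance\\q1.xlsx" dst="C:\\share\\finance\\q1.xlsx.vect"
2026-03-14T10:02:05Z host=fs01 event=file_rename pid=4412 src="C:\\share\\finance\\q2.xlsx" dst="C:\\share\\finance\\q2.xlsx.vect"
2026-03-14T10:02:06Z host=fs01 event=file_create pid=4412 path="C:\\share\\finance\\!!!READ_ME!!!.txt"
2026-03-14T10:30:00Z host=ws07 event=file_rename pid=911 src="C:\\Users\\a\\notes.txt" dst="C:\\Users\\a\\notes.old"
2026-03-14T10:31:00Z host=ws07 event=process_terminate pid=911 target="notepad.exe"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')   # quoted or bare key=value pairs


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "host": m["host"],
        "event": m["event"],
    }
    for qk, qv, k, v in KV_RE.findall(m["rest"]):
        rec[qk or k] = qv if qk else v
    return rec


def detect(lines):
    """Return (kind, host, pid, detail) tuples for each suspicious observation."""
    alerts = []
    kills = defaultdict(deque)      # (host, pid) -> timestamps of recent terminations
    burst_reported = set()          # report each bursting process once
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec.get("pid"))
        ev = rec["event"]
        if ev == "file_rename" and rec.get("dst", "").lower().endswith(ENCRYPTED_EXT):
            alerts.append(("vect_rename", rec["host"], rec.get("pid"), rec["dst"]))
        elif ev == "file_create" and rec.get("path", "").endswith(RANSOM_NOTE):
            alerts.append(("ransom_note", rec["host"], rec.get("pid"), rec["path"]))
        elif ev == "process_terminate":
            q = kills[key]
            q.append(rec["ts"])
            # Drop terminations that fell out of the sliding window.
            while (rec["ts"] - q[0]).total_seconds() > KILL_BURST_WINDOW_S:
                q.popleft()
            if len(q) >= KILL_BURST_COUNT and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(("kill_burst", rec["host"], rec.get("pid"),
                               f"{len(q)} terminations in {KILL_BURST_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the fs01 process 4412 trips all three checks (a kill burst at the fifth termination, two .vect renames and the ransom note), while the ordinary rename and single termination on ws07 produce nothing. The kill-burst check is the earliest of the three, since the bulk termination of databases and hypervisor processes precedes the renames, which is where the time to act is.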
