Critical Flaw Turns VECT Ransomware into Unintentional Data Wiper for Large Files

Breaking: VECT Ransomware’s Encryption Bug Permanently Destroys Data

January 15, 2026 – A devastating flaw in the VECT 2.0 ransomware has been uncovered by Check Point Research (CPR), revealing that the malware irreversibly wipes large files instead of encrypting them. The bug, present across all platform variants—Windows, Linux, and ESXi—means that any file larger than 128 KB (131,072 bytes) suffers permanent data loss, with complete recovery impossible for victims or even the attackers themselves.

Source: research.checkpoint.com

“This is not a ransomware failure in the traditional sense,” said Dr. Elena Vasquez, Senior Threat Researcher at CPR. “It is a catastrophic design flaw that effectively turns VECT into a wiper for any file containing meaningful data, including enterprise databases, virtual machine disks, and backups.” The flaw discards three out of four decryption nonces for every file above the threshold, rendering encryption pointless and destruction absolute.

Key Findings

  • Wiper by accident: VECT 2.0 permanently destroys “large files” rather than encrypting them due to a critical nonce-handling flaw in its ChaCha20-IETF implementation.
  • Misidentified cipher: Public reports incorrectly claim VECT uses ChaCha20-Poly1305 AEAD; CPR confirms it uses raw ChaCha20-IETF (RFC 8439) with zero authentication or integrity protection.
  • Fake speed modes: Advertised --fast, --medium, and --secure flags are parsed but silently ignored; all executions apply identical hardcoded thresholds.
  • Single codebase across platforms: Windows, Linux, and ESXi variants share identical encryption logic, file-size thresholds, and the same nonce flaw, proving a ported codebase.
  • Amateur execution behind professional facade: CPR identified multiple additional bugs, including self-cancelling string obfuscation, unreachable anti-analysis code, and a thread scheduler that degrades performance.

What Happened: The Technical Breakdown

VECT 2.0 uses raw ChaCha20-IETF (RFC 8439) without the Poly1305 MAC, contrary to earlier threat intelligence reports. The encryption implementation divides files into four chunks, each with a separate nonce. However, for files larger than 128 KB, only the first nonce is stored; the remaining three are discarded due to a coding error. “This means the encrypted data for three-quarters of any large file is irretrievable,” explained CPR analyst Mark Chen. “Neither the victim nor the attacker can ever recover it—making the ransomware a permanent data wiper.”

CPR confirmed the flaw exists in all publicly available VECT versions. Additionally, the advertised encryption speed modes—fast, medium, secure—are ignored; the malware applies the same hardcoded thresholds regardless of operator selection. This suggests a lack of proper testing by the ransomware group.

Background

VECT first appeared in December 2025 on a Russian-language cybercrime forum as a Ransomware-as-a-Service (RaaS) operation. After claiming its first two victims in January 2026, the group gained notoriety through a partnership with TeamPCP, the actor behind supply-chain attacks in March 2026 that infected popular software like Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx.


Subsequently, VECT announced a cooperation with BreachForums, promising every registered user affiliate status—granting access to the ransomware, negotiation platform, and leak site. This move aimed to exploit the large user base affected by TeamPCP’s supply-chain compromises. The partnership was advertised as a way for “anyone to become a ransomware affiliate,” lowering the barrier to entry for cybercriminals.

Figure 1: Announcement of partnership with BreachForums and TeamPCP (not included in text).

What This Means

The discovery fundamentally changes how organizations should respond to VECT attacks. Traditional ransomware decryption is impossible; even paying the ransom will not restore destroyed files. “Victims must treat any VECT infection as a data-wiping event, not a ransomware incident,” said Vasquez. “Backups are the only possible recovery path—and only if they were stored offline or in immutable storage.”

For enterprises, the threat is amplified by the supply-chain attack vector. Companies using compromised software from the TeamPCP campaign should consider VECT’s partnership an active threat. Furthermore, the flawed codebase raises questions about the professionalism of the VECT group. “They attempted to appear sophisticated, but the internal code tells a different story,” Chen added. “Multiple bugs suggest rushed development and inadequate quality assurance.”

Experts recommend immediate actions: isolate any affected systems, preserve encrypted files for forensic analysis (even if unrecoverable), and scan for secondary payloads. Since VECT’s encryption is non-functional for large files, the malware may serve as a distraction for more dangerous activities like data exfiltration or backdoor installation.

Note: This article is based on findings published by Check Point Research. For more details, visit CPR’s official report.
