
VECT 2.0 Ransomware Exploits Flaw to Permanently Destroy Large Files


“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point says.

How a nonce-handling bug turns VECT 2.0 into a data wiper

Researchers who examined VECT 2.0 found a programming flaw in the ransomware’s handling of encryption nonces that causes permanent data loss for larger files. VECT breaks files into chunks for encryption, but each chunk’s encryption uses the same memory buffer for the nonce output. Because VECT overwrites that buffer with every new chunk, once all chunks are processed only the last nonce generated remains in memory and only that single nonce is written to disk.

The practical effect, as the researchers report, is that only the final quarter of a file is recoverable — “the only portion of the file that is recoverable is the last 25%.” The nonces for the earlier chunks are lost and, crucially, those nonces are not transmitted to the attackers. That means even if victims paid extortion demands, the operators would not have the missing nonces required to decrypt the first 75% of affected files.

Technical specifics: chunked encryption, single buffer, and lost keys

The flaw rests on three concrete implementation choices reported by the researchers: (1) VECT divides large files into multiple chunks; (2) every chunk’s encryption writes its nonce to the same memory buffer; and (3) only the final nonce remaining in memory is persisted to disk. Those steps together convert what should be recoverable encrypted data into effectively unrecoverable data for any chunk other than the final one.

The researchers emphasize the threshold that triggers this behavior: files larger than 128 KB are treated as “large” and handled with chunked encryption. Because that size is smaller than many common attachments and far smaller than typical enterprise assets, the bug affects a wide range of file types.
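The following is an added illustration of the failure mode described above and in the nonce-handling section, written for this page from a responder's perspective; it is not VECT code and is not derived from the researchers' analysis. It stands in a toy SHA-256 keystream and tag for the real cipher (the actual algorithm, chunk size and nonce length are not stated in the article and are constructed here) and compares two encryption loops: one that writes every chunk's nonce into a single shared buffer and persists only what survives, and a correct one that keeps one nonce per chunk. `recoverable_fraction` then does what a responder with the key and the persisted nonces could do: try each nonce against each chunk and count the bytes that verify.

```python
import hashlib
import secrets

CHUNK_SIZE = 32                      # constructed toy chunk size; the real value is not in the report
NONCE_LEN = 12                       # constructed
TAG_LEN = 8                          # constructed
LARGE_FILE_THRESHOLD = 128 * 1024    # the 128 KB boundary reported by Check Point


def is_large_file(size: int) -> bool:
    """Files larger than 128 KB take the chunked code path (per the report)."""
    return size > LARGE_FILE_THRESHOLD


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256: a stand-in, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy authentication tag so a decryption attempt can be verified without the original file."""
    return hashlib.sha256(b"tag" + key + nonce + plaintext).digest()[:TAG_LEN]


def encrypt_chunk(key: bytes, nonce: bytes, chunk: bytes):
    ct = bytes(a ^ b for a, b in zip(chunk, _keystream(key, nonce, len(chunk))))
    return ct, _tag(key, nonce, chunk)


def decrypt_chunk(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext if the tag verifies under this nonce, else None."""
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt if _tag(key, nonce, pt) == tag else None


def encrypt_buggy(data: bytes, key: bytes):
    """Models the reported defect: every chunk's nonce is written into ONE shared buffer,
    so when the loop ends only the last nonce is left to be written to disk."""
    nonce_buf = bytearray(NONCE_LEN)
    chunks = []
    for off in range(0, len(data), CHUNK_SIZE):
        nonce_buf[:] = secrets.token_bytes(NONCE_LEN)   # overwrites the previous chunk's nonce
        chunks.append(encrypt_chunk(key, bytes(nonce_buf), data[off:off + CHUNK_SIZE]))
    return chunks, [bytes(nonce_buf)]                   # only the surviving nonce is persisted


def encrypt_correct(data: bytes, key: bytes):
    """Correct handling for comparison: one nonce per chunk, and every nonce is persisted."""
    chunks, nonces = [], []
    for off in range(0, len(data), CHUNK_SIZE):
        nonce = secrets.token_bytes(NONCE_LEN)
        nonces.append(nonce)
        chunks.append(encrypt_chunk(key, nonce, data[off:off + CHUNK_SIZE]))
    return chunks, nonces


def recoverable_fraction(chunks, key: bytes, nonces) -> float:
    """Responder's view: given the key and whatever nonces reached disk, try every nonce
    against every chunk and report the share of bytes that decrypt and verify."""
    total = sum(len(ct) for ct, _ in chunks)
    recovered = 0
    for ct, tag in chunks:
        if any(decrypt_chunk(key, n, ct, tag) is not None for n in nonces):
            recovered += len(ct)
    return recovered / total


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sample = bytes(range(256))[:4 * CHUNK_SIZE]         # constructed 4-chunk "file"
    buggy_chunks, buggy_nonces = encrypt_buggy(sample, key)
    good_chunks, good_nonces = encrypt_correct(sample, key)
    print("nonces persisted (buggy):", len(buggy_nonces))
    print("recoverable (buggy):  ", recoverable_fraction(buggy_chunks, key, buggy_nonces))
    print("recoverable (correct):", recoverable_fraction(good_chunks, key, good_nonces))
```

With a four-chunk input the buggy path persists a single nonce and only the final chunk verifies, which is the "last 25%" the researchers describe; the correct path recovers everything. The point for responders is that no amount of key material from the operators changes the first number, because the earlier nonces were never stored or sent anywhere.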

Distribution on BreachForums and an alliance with TeamPCP

VECT 2.0 has been promoted on one of the latest iterations of BreachForums. The operators invited registered users to become affiliates and distributed access keys via private messages to interested parties. In a separate announcement, VECT operators reported a partnership with TeamPCP, described in the source material as “the threat group responsible for the recent supply-chain attacks impacting Trivy, LiteLLM, and Telnyx, as well as an attack against the European Commission.”

In that announcement the operators stated their goal: to exploit victims of those supply-chain compromises by deploying ransomware payloads in affected environments and to conduct larger supply-chain attacks against other organizations. The alliance and the forum-based affiliate model together outline both a distribution channel and a stated operational intent.

Variants affected: Windows, Linux, and ESXi behave the same

The researchers found the same nonce-handling flaw across all known VECT 2.0 variants, including Windows, Linux, and ESXi builds. That cross-platform presence means the data-wiping behavior applies not just to endpoints but to hypervisor images and server-class systems where ESXi and large virtual disks are common.

Because most valuable enterprise files — VM disks, database files, and backups — typically exceed the 128 KB threshold, the researchers and Check Point warn that VECT 2.0’s practical effect is catastrophic in many environments.

What this means for technologists, enterprise defenders, and procurement leaders

  • Technologists and security teams: The bug converts a ransomware incident into an irreversible data-loss event for large files because the necessary nonces are neither retained nor transmitted. Teams facing VECT 2.0 infections cannot rely on attacker-supplied decryption keys to recover lost chunks.
  • Enterprise defenders and incident responders: Assets that routinely exceed 128 KB — VM disks, databases, backups, mailboxes, and routine office documents — are all at risk of partial destruction with only the final 25% salvageable. Responders should treat VECT 2.0 compromises as high-severity data-loss incidents, given the cross-platform nature of the flaw.
  • Procurement and risk teams: The operators’ stated partnership with TeamPCP, a group linked to supply-chain compromises of Trivy, LiteLLM, Telnyx, and an attack on the European Commission, highlights a distribution vector that combines supply-chain access with a ransomware affiliate model on BreachForums. Procurement decisions for third-party software and components should account for the possibility that supply-chain access could be used to deploy destructive payloads like VECT.

Whether the corruption is an accidental coding error or a deliberate design choice by the authors, the result is unambiguous: for files above the 128 KB threshold VECT 2.0 behaves as a data wiper rather than traditional recoverable ransomware. That reality changes the calculus for victims, responders, and anyone who relies on backups and virtualized infrastructure — because in the cases documented by researchers, the missing nonces are gone for good.

Original story at BleepingComputer