"VECT is being marketed as ransomware, but for any file over 131KB – which is most of what enterprises actually care about – it functions as a data destruction tool," Eli Smadja, group manager at Check Point Research, said. That blunt assessment captures the core risk: the malware that calls itself VECT 2.0 irreversibly destroys large files on Windows, Linux, and ESXi hosts, leaving victims with no technical route to recovery even if they pay a ransom.
How VECT 2.0 irreversibly destroys files
Check Point’s analysis shows the threat is not merely weak encryption but outright data loss. The C++ lockers used by VECT 2.0 split any file larger than 131,072 bytes into four chunks and encrypt each chunk with ChaCha20-IETF under a freshly generated 12‑byte nonce. Only the final nonce is appended to the encrypted file on disk; the first three nonces are generated, used, and silently discarded. ChaCha20-IETF needs both the 32‑byte key and the exact 12‑byte nonce to regenerate a chunk's keystream, and a random 12‑byte nonce has 2^96 possible values, so the missing nonces cannot be brute-forced even by someone who holds the key. At best the final quarter of each large file can be restored; the first three quarters are unrecoverable by anyone, the ransomware operator included. Check Point emphasizes that the decryption material is destroyed at runtime, so "paying is not a recovery strategy," as Smadja put it.
Claims, reality, and the RaaS business model
VECT 2.0 presents itself as a ransomware-as-a-service (RaaS) operation. Its dark-web site displays the message "Exfiltration / Encryption / Extortion," and the group launched an affiliate program in December 2025. A Data Security Council of India (DSCI) analysis published last month reported a $250 entry fee payable in Monero (XMR) for new affiliates, with the fee waived for applicants from Commonwealth of Independent States (CIS) countries. The group has also established partnerships with the BreachForums cybercrime marketplace and the TeamPCP hacking group, which the operators appear to be using to lower barriers to entry and to weaponize previously stolen data.
Platform variants and operational details: Windows, ESXi, Linux
The Windows variant combines broad target coverage with anti-analysis measures. It attempts to encrypt files on local, removable, and network storage, includes an anti-analysis suite aimed at 44 specific security and debugging tools, offers multiple remote-execution script templates for lateral spread, and implements a safe‑mode persistence option. When the locker is run with "--force-safemode," it configures the next boot into Windows Safe Mode and writes its executable path into the Windows Registry so it will run automatically on the subsequent Safe Mode boot. Safe Mode loads only a minimal set of drivers and services, so security agents that are not configured to start there are absent while the locker runs, which is why ransomware families favour it. Notably, the Windows sample also contains environment-detection code that Check Point found is never invoked, so analysts can run the artifact in an instrumented environment without triggering that check.
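A responder's first question on a Windows host hit by this variant is whether the next boot has already been staged into Safe Mode. The check below is an added example written for this page, not code from Check Point or from the locker. It assumes the staging is done through the Boot Configuration Data "safeboot" element, which is the standard mechanism (`bcdedit /set {current} safeboot minimal`); the article only says the locker "configures the next boot into Windows Safe Mode" and does not name the mechanism or the Registry key it uses. The bcdedit output embedded here is constructed in the tool's normal layout, not captured from an infection.

```python
import re

# Constructed text in the layout of `bcdedit /enum {current}` on a host whose
# next boot has been forced into Safe Mode. Made up for this example, not
# captured from a VECT infection; the "safeboot" element is the tell.
BCD_STAGED = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
safeboot                Minimal
recoveryenabled         Yes
"""

# Same host with no Safe Mode staging (constructed).
BCD_CLEAN = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
recoveryenabled         Yes
"""

# bcdedit prints "<element><two or more spaces><value>"; section headers and
# separator rows do not have that shape and are skipped.
_ELEMENT = re.compile(r"^([A-Za-z]+)\s{2,}(\S.*?)\s*$")


def parse_bcd_objects(text):
    """Split bcdedit output into one dict per boot object.

    A new object starts at each 'identifier' line; element names are lowercased
    so callers can look them up without caring about bcdedit's casing.
    """
    objects, current = [], None
    for line in text.splitlines():
        m = _ELEMENT.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "identifier":
            current = {}
            objects.append(current)
        if current is not None:
            current[name] = value
    return objects


def staged_safe_mode_boots(text):
    """Return (identifier, safeboot value) for every boot entry that will come
    up in Safe Mode. bcdedit accepts Minimal, Network and DsRepair here; any
    value present on a production server is worth a responder's attention."""
    return [(o["identifier"], o["safeboot"])
            for o in parse_bcd_objects(text) if "safeboot" in o]


if __name__ == "__main__":
    print("staged:", staged_safe_mode_boots(BCD_STAGED))   # [('{current}', 'Minimal')]
    print("clean: ", staged_safe_mode_boots(BCD_CLEAN))    # []
```

On a live host, feed the function the output of `bcdedit /enum` (all entries) rather than only `{current}`, and clear a staged boot with `bcdedit /deletevalue {current} safeboot` before any reboot. A staged Safe Mode boot is only half the persistence described above; the Registry autorun entry that launches the executable still has to be found and removed, and the article does not name which key the locker writes.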
The ESXi variant performs geofencing and anti‑debugging checks before starting encryption and attempts lateral movement via SSH. The Linux variant shares the ESXi codebase and implements a subset of its functionality. The geofencing logic causes the malware to exit without encrypting files if it detects it is running in a CIS country; Check Point highlighted that the code even lists Ukraine among the exclusions, an unusual inclusion compared with other recent RaaS families.
Technical assessment and operational maturity
Check Point’s verdict is twofold: VECT 2.0 shows an ambitious scope (multi‑platform lockers, an affiliate program, a polished operator panel, and partnerships to monetize stolen credentials), but the technical implementation contains major flaws. In addition to the nonce-handling bug, Check Point reported that VECT’s claimed use of ChaCha20‑Poly1305 AEAD is false; the malware uses raw, unauthenticated ChaCha20 with no integrity protection. One practical consequence is that a decryptor cannot tell a correctly decrypted chunk from one processed with the wrong nonce or from tampered ciphertext; it simply emits whatever the keystream produces. The researchers assess the operators as likely novice actors and note the possibility that portions of the codebase were AI generated or reused from older code, offering two specific theories to explain the inclusion of Ukraine in the CIS geofence list.
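The nonce-handling bug from the "How VECT 2.0 irreversibly destroys files" section and the missing-integrity point above are both shown by the following Python model. It is an added example written for this page, not Check Point's code and not the locker's. It implements RFC 8439 ChaCha20 in pure Python so it runs offline, then reproduces the described behaviour: four chunks, a fresh 12-byte nonce per chunk, only the last nonce written out. Equal-quarter chunking, a block counter starting at 0, the "files at or below the threshold are not split" path, and the sample file contents are assumptions of the model, not details reported by Check Point.

```python
import os
import struct

# From the article: files above 131,072 bytes are split into four chunks, each
# with its own 12-byte nonce, and only the last nonce reaches disk. Equal
# quarters and a counter starting at 0 are this model's assumptions.
SPLIT_THRESHOLD = 131072
NUM_CHUNKS = 4
NONCE_LEN = 12
KEY_LEN = 32
MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw, unauthenticated ChaCha20: the same call encrypts and decrypts, and
    nothing here can signal a wrong nonce or a modified ciphertext."""
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        for j, b in enumerate(data[i:i + 64]):
            out[i + j] = b ^ ks[j]
    return bytes(out)


def _chunks(buf):
    size = -(-len(buf) // NUM_CHUNKS)  # ceil: equal quarters, last takes the remainder
    return [buf[i * size:(i + 1) * size] for i in range(NUM_CHUNKS)]


def lock_large_file(plaintext, key, rng=os.urandom):
    """The described large-file path: a fresh nonce per chunk, and only the
    final one appended. The other three exist only in this loop's variable."""
    if len(plaintext) <= SPLIT_THRESHOLD:
        raise ValueError("model covers only files above the split threshold")
    body, nonce = bytearray(), None
    for chunk in _chunks(plaintext):
        nonce = rng(NONCE_LEN)          # overwrites the previous nonce; never stored
        body += chacha20_xor(key, nonce, chunk)
    return bytes(body) + nonce          # 2^96 candidates for each lost nonce: no brute force


def best_effort_decrypt(locked, key):
    """All any decryptor, the operator's included, can do with the on-disk data:
    apply the one surviving nonce to every chunk. It returns four outputs and
    raises nothing, because there is no authentication tag to fail."""
    body, nonce = locked[:-NONCE_LEN], locked[-NONCE_LEN:]
    return [chacha20_xor(key, nonce, c) for c in _chunks(body)]


def recovery_map(plaintext, key, rng=os.urandom):
    """Which quarters of a large file survive a lock followed by decryption."""
    got = best_effort_decrypt(lock_large_file(plaintext, key, rng), key)
    return [g == want for g, want in zip(got, _chunks(plaintext))]


def tamper_goes_unnoticed(plaintext, key, rng=os.urandom):
    """Malleability of the unauthenticated mode: flip one bit in the last
    (recoverable) chunk's ciphertext and decryption flips the same plaintext
    bit, with no error. ChaCha20-Poly1305 would reject the modified data."""
    locked = bytearray(lock_large_file(plaintext, key, rng))
    locked[len(plaintext) - 1] ^= 0x01
    last, want = best_effort_decrypt(bytes(locked), key)[-1], _chunks(plaintext)[-1]
    return last[:-1] == want[:-1] and last[-1] == want[-1] ^ 0x01


def demo():
    """Deterministic run: fixed key, counter-based nonces in place of os.urandom,
    and a constructed 'file' just over the split threshold."""
    key = bytes(range(KEY_LEN))
    sample = bytes(i & 0xFF for i in range(SPLIT_THRESHOLD + 1000))
    n = [0]
    def fake_rng(size):
        n[0] += 1
        return n[0].to_bytes(size, "little")
    return recovery_map(sample, key, fake_rng), tamper_goes_unnoticed(sample, key, fake_rng)


if __name__ == "__main__":
    print(demo())  # ([False, False, False, True], True)
```

The recovery map is the whole story for large files: with the key and the on-disk nonce, only the final quarter comes back, and the decryptor has no way to report that the other three are wrong. That second point is why the AEAD claim matters in practice; a decryptor built on the real ChaCha20-Poly1305 would at least fail loudly on the unrecoverable chunks instead of writing keystream noise into the restored file.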
What this means for CISOs, incident responders, and RaaS affiliates
- CISOs and security teams: Check Point and Smadja are explicit: in a VECT incident, "paying is not a recovery strategy." The operational focus must be resilience — offline backups, tested recovery procedures, and rapid containment — because decryption keys do not exist for large files.
- Incident responders and enterprise IT: Windows samples carry a persistence option designed to run in Safe Mode and ship with lateral-spread scripts; on affected hosts, check for a boot already staged into Safe Mode and for the Registry autorun entry before rebooting. Responders should assume encrypted large files cannot be rebuilt from attacker-supplied tools and plan restores from clean backups; only files that were not split (at or below the 131,072-byte threshold) could be restored even with a working key.
- RaaS affiliates and cybercrime marketplaces: Operators are recruiting through a $250 Monero-paid program (waived for CIS applicants) and partnering with BreachForums and TeamPCP; Dataminr warned earlier this month that this convergence could create an "industrialized ransomware deployment" model by combining supply-chain credential theft with a maturing RaaS operation.
VECT 2.0 is, in public presentation, a full-service extortion operation; in technical reality it behaves like a wiper for the files that matter most to enterprises. Check Point’s analysis leaves little ambiguity: the harm is irreversible for large files, the business model is expanding through partnerships and paid affiliates, and the defenders’ only reliable recovery path is pre-existing resilience, not negotiation. This summary is based on The Hacker News' report of Check Point's findings: https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html