
Vect Ransomware Exposed as Data Wiper, Not Recovery Tool


"Full recovery is impossible for anyone, including the attacker," Check Point Research (CPR) concluded after analyzing the Vect malware used in a string of recent supply‑chain compromises.

Vect's "ransomware" behaves like a wiper

What Vect advertises as ransomware is, according to CPR, effectively a wiper. The group's Vect 2.0 implementation permanently destroys any file larger than 131,072 bytes (128 KB). At that threshold, CPR says, "this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included."

CPR reported that the destructive behavior stems from a design and implementation flaw in the malware's encryption logic: files larger than 128 KB are encrypted as four chunks, each under its own nonce, but the code keeps only one of the four nonces and discards the other three. A nonce is required alongside the key to regenerate the keystream, so without it the affected chunks cannot be decrypted by anyone, the attacker included. That nonce‑handling error is what leaves large files unrecoverable. CPR also reported finding "multiple" other bugs and design failures across the Windows, Linux and ESXi variants, all of which share the same libsodium‑based encryption design, the same file‑size threshold and the same four‑chunk logic.
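The following is an added, illustrative model of the flaw CPR describes; it is not Vect's code and not CPR's analysis. Only the 128 KB threshold and the four‑chunk, four‑nonce layout come from the reporting. Everything else is an assumption made so the example runs with the Python standard library: the keystream is produced by HMAC‑SHA256 in counter mode as a stand‑in for the libsodium stream cipher, chunks are equal quarters of the file, and the "footer" is simply the list of nonces returned beside the ciphertext. The flawed encryptor is shown next to a corrected one that keeps all four nonces, and a best‑effort recovery routine shows what a key holder can still get back.

```python
import hashlib
import hmac
import os
import struct

# From CPR's description of Vect 2.0: the threshold and the four-chunk layout.
# The cipher construction, chunk boundaries and footer format below are assumed.
CHUNK_THRESHOLD = 131_072   # 128 KB: larger files take the four-chunk path
NUM_CHUNKS = 4
NONCE_LEN = 24
BLOCK = 32                  # keystream bytes per PRF call


def keystream(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Counter-mode keystream block (HMAC-SHA256 as an assumed stand-in for
    the libsodium stream cipher). The nonce is an input: no nonce, no keystream."""
    return hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream for (key, nonce); symmetric, so it decrypts too."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        ks = keystream(key, nonce, i // BLOCK)[:len(block)]
        out += (int.from_bytes(block, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(block), "big")
    return bytes(out)


def split_chunks(data: bytes, n: int) -> list:
    """Split into n near-equal chunks (assumed layout; Vect's real boundaries are not public)."""
    size = -(-len(data) // n)   # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]


def encrypt_flawed(key: bytes, plaintext: bytes):
    """Model of the reported bug: four chunks under four nonces, but only one
    nonce survives in the footer. Returns (ciphertext, nonces_written)."""
    if len(plaintext) <= CHUNK_THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return stream_xor(key, nonce, plaintext), [nonce]
    nonces = [os.urandom(NONCE_LEN) for _ in range(NUM_CHUNKS)]
    chunks = split_chunks(plaintext, NUM_CHUNKS)
    ct = b"".join(stream_xor(key, n, c) for n, c in zip(nonces, chunks))
    return ct, nonces[:1]       # BUG: three of the four nonces are discarded


def encrypt_correct(key: bytes, plaintext: bytes):
    """Same layout with every nonce retained: the form a working ransomware needs."""
    if len(plaintext) <= CHUNK_THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return stream_xor(key, nonce, plaintext), [nonce]
    nonces = [os.urandom(NONCE_LEN) for _ in range(NUM_CHUNKS)]
    chunks = split_chunks(plaintext, NUM_CHUNKS)
    ct = b"".join(stream_xor(key, n, c) for n, c in zip(nonces, chunks))
    return ct, nonces


def decrypt(key: bytes, ciphertext: bytes, nonces: list) -> bytes:
    """Decryptor as the key holder would run it; refuses when nonces are missing."""
    if len(ciphertext) <= CHUNK_THRESHOLD:
        return stream_xor(key, nonces[0], ciphertext)
    if len(nonces) != NUM_CHUNKS:
        raise ValueError(f"footer holds {len(nonces)} of {NUM_CHUNKS} nonces; "
                         f"chunks 2-{NUM_CHUNKS} cannot be decrypted")
    chunks = split_chunks(ciphertext, NUM_CHUNKS)
    return b"".join(stream_xor(key, n, c) for n, c in zip(nonces, chunks))


def best_effort_recovery(key: bytes, ciphertext: bytes, nonces: list):
    """What anyone holding the key can still recover: (recovered_prefix, bytes_lost).
    For a large file from the flawed encryptor that is one quarter of the data."""
    if len(ciphertext) <= CHUNK_THRESHOLD or len(nonces) == NUM_CHUNKS:
        return decrypt(key, ciphertext, nonces), 0
    chunks = split_chunks(ciphertext, NUM_CHUNKS)
    prefix = b"".join(stream_xor(key, n, c) for n, c in zip(nonces, chunks))
    return prefix, len(ciphertext) - len(prefix)


if __name__ == "__main__":
    key = os.urandom(32)
    big = os.urandom(CHUNK_THRESHOLD + 1)          # constructed sample, just over the threshold
    ct, footer = encrypt_flawed(key, big)
    recovered, lost = best_effort_recovery(key, ct, footer)
    print(f"recovered {len(recovered)} bytes, lost {lost} bytes with the correct key")
```

The point of the model is the last line: the key is correct, the ciphertext is intact, and three quarters of the file are still gone, which is why the page's "impossible for anyone, including the attacker" follows directly from the nonce handling rather than from any key‑management failure.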

How researchers gained access and reached their findings

Researchers created a BreachForums account, obtained access to Vect's panel and ransomware builder, and ran a technical analysis on the publicly available Vect packages. CPR described the authors as "not technically sophisticated" with "amateur execution," and said the critical flaw is present across all publicly available VECT versions the team inspected.

TeamPCP, Vect and the supply‑chain wave

Vect is operating as a partner to TeamPCP, the group behind a sequence of supply‑chain compromises that affected Trivy, LiteLLM, Checkmarx and Telnyx. The two crews announced their partnership on BreachForums and boasted that they would escalate operations. CPR quoted the duo’s statement: "we will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns."

Vect additionally said it had partnered with BreachForums itself, offering registered forum users access to Vect's ransomware, a negotiation platform and a website for posting stolen data.

Leak site claims and unverified victim reports

Vect's leak site lists 25 organizations since January, four of them since March, the period when extortion related to the Trivy and LiteLLM incidents began. CPR and The Register note it is unclear how many, if any, of the listed organizations are tied to the Trivy and LiteLLM compromises.

On April 15 the group publicly claimed two larger victims, Guesty (700 GB) and S&P Global (250 GB), tying those claims to earlier TeamPCP compromises, Eli Smadja, group manager at Check Point Research, told The Register. CPR stressed those specific claims cannot be independently verified, and that "there is no confirmed visibility into how many of these cases resulted in successful ransom payments versus data being leaked without payment." Neither Guesty nor S&P Global responded to inquiries made by The Register.

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: CPR's analysis implies that the standard assumption that data can be recovered after a ransom payment does not hold when the deployed malware is a wiper in disguise. The 128 KB threshold puts virtual machine disk files, databases and backups at direct risk of irreversible damage, and it gives responders a triage rule: encrypted files at or under 128 KB may still be decryptable if a key is obtained (subject to the other bugs CPR reported), while anything larger should be treated as destroyed and restored from offline backups.
  • Affected enterprises and procurement leaders: Organizations that detect a Vect or TeamPCP intrusion face a stark choice — the group’s own tooling may have already destroyed large, meaningful assets, and CPR says "full recovery is impossible for anyone, including the attacker." Paying a ransom does not guarantee restoration if the underlying files have been wiped.
  • Adversaries and crime crews: The public partnering model Vect advertised on BreachForums — offering ransomware builders and negotiation platforms to forum users — shows a move toward commoditized, distributed extortion. CPR's technical findings also show tool quality can undercut an attacker’s own objectives when cryptographic logic is implemented incorrectly.

The upshot is blunt: victims who paid hoping to regain systems and data may have paid for nothing more than an apology. CPR's assessment that the flaw exists across the Vect variants raises a final, practical question that remains unanswered in public reporting: how many extorted organizations paid, and of those, how many received usable, recoverable data? The Register's reporting and CPR's technical analysis document the destructive design and the boasting on BreachForums — but they leave the ledger of payments and recovery outcomes unsettled.

Original story at The Register