Vect Ransomware Exposes Flaw, Turns into Data-Destroying Wiper

All files above 131,072 bytes (128 KB) were permanently destroyed rather than being encrypted, researchers found.

The ChaCha20‑IETF implementation error at the heart of Vect 2.0

Check Point Research’s analysis, published on April 28, identified a critical flaw in Vect 2.0’s encryption implementation that turns the ransomware into a de facto wiper. Rather than using authenticated encryption, the ransomware employs raw ChaCha20‑IETF (RFC 8439) “with no authentication,” discarding three of four decryption nonces — one‑time values that make each encryption unique and are needed again to decrypt it. As the researchers put it, “There is no Poly1305 MAC and no integrity protection. This effectively makes Vect a wiper for virtually any file containing meaningful data.”

Files, VMs and backups: what Vect 2.0 actually destroys

The practical consequence is stark and sweeping: every file larger than 131,072 bytes cannot be reliably recovered, because the nonces needed to decrypt three of its four chunks are thrown away and no integrity check exists to signal that the output is wrong. Check Point noted that this behavior affects enterprise assets including virtual machine disks, databases, documents and backups. The research team emphasized that recovery is rendered impossible “even for the attackers” because the discarded nonces and missing integrity protection prevent decryption even if the operators possess the key material the malware claims to rely on.
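To make the failure mode described in the two sections above concrete, here is an added example (not code from the Check Point report or from the malware) that models the design in pure Python: raw ChaCha20‑IETF per RFC 8439 with no Poly1305 tag, a file over the 128 KB threshold cut into four chunks, and only one of the four nonces retained. The equal four-way split, the choice of which nonce survives, and the counter start value are assumptions; `recover` shows what a decryptor holding the key gets back.

```python
import secrets
import struct

MASK, THRESHOLD, CHUNKS = 0xFFFFFFFF, 131072, 4  # 128 KB threshold and four-chunk logic per Check Point

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round (RFC 8439 section 2.1), in place on the state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):  # ChaCha20 block function: 20 rounds, then add the initial state
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((s[i] + init[i]) & MASK for i in range(16)))

def chacha20_xor(key, nonce, data):
    # Raw ChaCha20-IETF (32-byte key, 12-byte nonce): keystream XOR only, no Poly1305 tag,
    # so a corrupted ciphertext decrypts "successfully" to garbage and nothing reports it.
    out = bytearray(data)
    for i in range(0, len(data), 64):
        ks = _block(key, i // 64, nonce)  # counter starts at 0 (assumption)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

def _layout(length):  # model: one chunk up to the threshold, four equal chunks above it
    n = CHUNKS if length > THRESHOLD else 1
    return n, -(-length // n)

def encrypt_in_chunks(key, data):
    # Model of the reported design: each chunk gets a fresh random nonce, but only the
    # first nonce is written out (which one survives is an assumption).
    n, size = _layout(len(data))
    ct, nonces = bytearray(), []
    for i in range(n):
        nonces.append(secrets.token_bytes(12))
        ct += chacha20_xor(key, nonces[-1], data[i * size:(i + 1) * size])
    return bytes(ct), nonces[:1]  # three of four nonces discarded for files over the threshold

def recover(key, ct, nonces, original_len):
    # Chunks a decryptor holding the key and the surviving nonces gets back; None = nonce gone.
    n, size = _layout(original_len)
    return [chacha20_xor(key, nonces[i], ct[i * size:(i + 1) * size]) if i < len(nonces)
            else None for i in range(n)]
```

Run `encrypt_in_chunks` on a buffer just over 131,072 bytes and `recover` returns the first quarter and three `None` entries: the key is present, the nonces are not, and no tag ever flags the loss.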

BreachForums and TeamPCP: how Vect sought distribution

Vect first appeared on a Russian‑language cybercrime forum in December 2025 and was observed by security researchers in early January 2026. After launching version 2.0 in February 2026, the group publicly promoted partnerships on BreachForums in March and April 2026. Check Point reported that Vect announced a partnership with TeamPCP — the group tied to several supply‑chain attacks — and claimed a separate partnership with BreachForums that would make “every registered forum user” an affiliate with access to the ransomware, a negotiation platform, and a leak site. Check Point noted: “As of April 2026, this partnership is in full effect.”

One codebase, three platforms, multiple implementation failures

The research team obtained the Vect ransomware builder via BreachForums and analyzed three payloads targeting Windows, Linux and VMware ESXi. All variants share an identical encryption design built on libsodium, the same file‑size threshold, the same four‑chunk processing logic and the same nonce‑handling flaw — a pattern Check Point says “confirm[s] a single codebase ported across platforms.”

Beyond the core cryptographic error, Check Point documented multiple additional bugs and design failures throughout the code: a self‑cancelling string obfuscation routine, permanently unreachable anti‑analysis code paths and a thread scheduler that actively degrades the encryption performance it appears intended to improve. The researchers concluded that Vect’s technical execution “falls significantly short of its presentation,” even though the project presents a polished operator panel and multi‑platform ambition.

What this means for technologists, procurement leaders, and adversaries

  • Technologists and security teams: The immediate takeaway is that incidents involving Vect 2.0 may result in permanent data loss for large files and virtual disks. Detection and containment will be critical because traditional decryption recovery is not an option where integrity is destroyed.
  • Procurement and platform owners: Vect’s advertised cross‑platform lockers and forum‑based affiliate model — including promised “cloud Lockers” for affiliates who pass a quiz or puzzle challenge — underline a distribution strategy aimed at scale. Teams buying or managing cloud and virtualization stacks should prioritize immutable backups and offline recovery plans given the reported destruction of VM disks and backups.
  • Adversaries and affiliates: The flaws show that ambitious feature sets and cross‑platform ports can produce catastrophic operational errors. For affiliates relying on the builder obtained via BreachForums, the tool’s current state risks destroying their own extortion value by making data irrecoverable and undermining ransom leverage.

Vect 2.0 is a reminder that the headline threat of multi‑platform ransomware can be undercut by poor cryptographic design. The actors behind Vect boasted of a RaaS ecosystem, supply‑chain partnerships and cloud‑focused lockers, yet their implementation mistakes convert their product into a sledgehammer that breaks the very data it claims to hold for ransom. The Check Point report leaves two clear imperatives: defenders must assume irrecoverable loss when they see this family active against large files and virtual disks, and organizations that rely on backups and virtualization should urgently validate integrity and offline recovery for large artifacts.

Original report: https://www.infosecurity-magazine.com/news/critical-flaw-vect-ransomware-data/