New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and ESXi

CSBadmin
3 Min Read

A critical coding flaw in VECT 2.0 permanently destroys most of any file larger than 128 KB instead of recoverably encrypting it, making full recovery impossible even if victims pay the ransom.

A newly documented ransomware strain called VECT 2.0 has drawn serious attention for a deeply damaging implementation flaw: rather than encrypting files in a way the operator can reverse after payment, it irreversibly corrupts any file larger than 128 KB. Check Point Research analysts identified all three variants (Windows, Linux, and VMware ESXi) after gaining access to the builder panel through a BreachForums account.

VECT ransomware first appeared in December 2025 on a Russian-language cybercrime forum as a Ransomware-as-a-Service program, claiming its first two victims in January 2026. Version 2.0 expanded across platforms in February 2026, and the group gained more visibility in March when it announced a partnership with TeamPCP, the threat actor behind supply-chain attacks on Trivy, Checkmarx KICS, LiteLLM, and Telnyx. VECT also partnered with BreachForums itself, giving every registered forum member free access to deploy the ransomware as an affiliate, removing the usual vetting process.

The critical flaw lies in how VECT 2.0 handles cryptographic nonces during encryption. The malware splits any file above the 128 KB threshold into four chunks and encrypts each with ChaCha20-IETF under a freshly generated random 12-byte nonce. All four encryption calls, however, write their nonce into the same shared memory buffer, so each new nonce overwrites the previous one, and only the fourth chunk's nonce survives to be written to the encrypted file. Because a ChaCha20 keystream is a function of both the key and the nonce, decrypting a chunk under any nonce other than the one it was encrypted with yields pseudorandom bytes rather than the plaintext, and a random 96-bit nonce is far beyond brute force. The first three quarters of every large file are therefore permanently unrecoverable; at best, a decryptor holding the key can restore the final quarter. Paying the ransom does not help, because the operator cannot produce a working decryptor either.
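To make the failure mode concrete, the following is an added example written for this page, not VECT's code or anything recovered from the builder. It uses a pure-Python ChaCha20-IETF (RFC 8439) so it runs offline, then models the flaw exactly as described: four chunks, four fresh nonces, one shared 12-byte buffer, and only the last nonce persisted. The chunk split, the footer layout, the treatment of files at or below the threshold as a single chunk, and the constructed sample file are assumptions made for the demonstration. A corrected variant that stores one nonce per chunk sits beside it for contrast.

```python
"""Added example (not VECT's code): reproducing the shared-nonce-buffer bug with
a pure-Python ChaCha20-IETF (RFC 8439). Chunk layout, footer format and the
handling of files at or below the 128 KB threshold are assumptions."""
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit counter, 12-byte IETF nonce."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))


def chacha20_xor(key, nonce, data, counter=1):
    """Stream-cipher XOR; encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


CHUNKS = 4
LARGE_FILE_THRESHOLD = 128 * 1024  # threshold from the article; single-chunk handling below it is assumed


def _split(data, n):
    size = -(-len(data) // n)  # ceiling division; decrypt uses the same split
    return [data[i * size:(i + 1) * size] for i in range(n)]


def buggy_encrypt(key, plaintext, threshold=LARGE_FILE_THRESHOLD, rng=os.urandom):
    """Models the flaw: each chunk gets a fresh nonce, but every nonce is written
    into ONE shared 12-byte buffer, and only that buffer is appended to the file."""
    n = CHUNKS if len(plaintext) > threshold else 1
    shared_nonce = bytearray(12)
    body = b""
    for chunk in _split(plaintext, n):
        shared_nonce[:] = rng(12)          # overwrites the previous chunk's nonce
        body += chacha20_xor(key, bytes(shared_nonce), chunk)
    return body + bytes(shared_nonce)      # footer holds only the LAST nonce


def buggy_decrypt(key, blob, threshold=LARGE_FILE_THRESHOLD):
    """All a decryptor can do with this format: reuse the single stored nonce for every chunk."""
    body, nonce = blob[:-12], blob[-12:]
    n = CHUNKS if len(body) > threshold else 1
    return [chacha20_xor(key, nonce, c) for c in _split(body, n)]


def recoverable_chunks(key, plaintext, threshold=LARGE_FILE_THRESHOLD):
    """Per chunk: does buggy_encrypt followed by buggy_decrypt give the plaintext back?"""
    blob = buggy_encrypt(key, plaintext, threshold)
    n = CHUNKS if len(plaintext) > threshold else 1
    return [got == want for got, want in zip(buggy_decrypt(key, blob, threshold), _split(plaintext, n))]


def fixed_encrypt(key, plaintext, threshold=LARGE_FILE_THRESHOLD, rng=os.urandom):
    """Correct design: one nonce per chunk, and every nonce is persisted in the footer."""
    n = CHUNKS if len(plaintext) > threshold else 1
    nonces = [rng(12) for _ in range(n)]
    body = b"".join(chacha20_xor(key, nc, c) for nc, c in zip(nonces, _split(plaintext, n)))
    return body + b"".join(nonces)


def fixed_decrypt(key, blob, threshold=LARGE_FILE_THRESHOLD):
    n = CHUNKS if len(blob) - 12 > threshold else 1
    body, tail = blob[:-12 * n], blob[-12 * n:]
    nonces = [tail[i * 12:(i + 1) * 12] for i in range(n)]
    return b"".join(chacha20_xor(key, nc, c) for nc, c in zip(nonces, _split(body, n)))


if __name__ == "__main__":
    key = os.urandom(32)
    sample = bytes(range(256)) * 4   # constructed 1 KB "file"; threshold lowered to 64 to keep the demo fast
    print("small file, one chunk :", recoverable_chunks(key, sample[:40], threshold=64))
    print("large file, four chunks:", recoverable_chunks(key, sample, threshold=64))
    print("fixed format round-trips:", fixed_decrypt(key, fixed_encrypt(key, sample, 64), 64) == sample)
```

Running it shows the small file recovering fully and the large file recovering only its fourth quarter, regardless of how many times it is run: with fresh random nonces, the chance that a discarded nonce happens to equal the stored one is 2^-96 per chunk. The fix is not exotic. Any per-chunk nonce must either be stored alongside its chunk or be derived deterministically (for example a per-file nonce plus the chunk index), so a decryptor can reconstruct it.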

At just 128 KB, this threshold captures virtually every meaningful file type, including VM disk images, databases, backups, spreadsheets, and email archives. Organizations should maintain offline, air-gapped backups and regularly test that they restore, since a file that is present but unrecoverable looks healthy to a size or existence check; monitor for bulk process terminations and mass file renaming to the .vect extension; and validate the integrity of third-party software dependencies given VECT's partnership with TeamPCP.


Source: Cyber Security News — New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Lin
