Threat hunters warn that the cybercriminal operation known as VECT 2.0 behaves more like a wiper than ransomware due to a critical flaw in its encryption implementation across Windows, Linux, and ESXi variants that renders recovery impossible—even for the threat actors themselves.
Moreover, because VECT 2.0's locker permanently destroys large files rather than encrypting them, even victims who choose to pay the ransom cannot recover their data: the malware discards part of the key material (the per-chunk nonces) needed for decryption during the encryption process itself.
“VECT is being marketed as ransomware, but for any file over 131KB – which is most of what enterprises actually care about – it functions as a data destruction tool,” Eli Smadja, group manager at Check Point Research, said in a statement shared with The Hacker News.
“CISOs need to understand that in a VECT incident, paying is not a recovery strategy. There is no decrypter that can be handed over, not because the attackers are unwilling, but because the information required to build one was destroyed the moment their software ran. The focus has to be on resilience: offline backups, tested recovery procedures, and rapid containment – not negotiation.”
RaaS Model and Affiliate Expansion
Meanwhile, VECT (now rebranded as VECT 2.0) operates as a ransomware-as-a-service (RaaS) scheme that first launched its affiliate program in December 2025. On its dark website, the group displays the message “Exfiltration / Encryption / Extortion,” highlighting its triple-threat business model.
According to an analysis published by the Data Security Council of India (DSCI) last month, a $250 entry fee, payable in Monero (XMR), is required for new affiliates. However, the group waives the fee for applicants from the Commonwealth of Independent States (CIS) countries, indicating a clear attempt to recruit individuals from that region.
In recent weeks, the group has established a formal partnership with the BreachForums cybercrime marketplace and the TeamPCP hacking group. This move lowers the barrier to entry for ransomware operators and incentivizes affiliates to launch attacks by weaponizing previously stolen data.
“The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment,” Dataminr noted earlier this month.
However, while the collaboration may signal future growth, its data leak site currently lists only two victims, both reportedly compromised via TeamPCP supply chain attacks. Additionally, contrary to the group’s initial claims of using ChaCha20-Poly1305 AEAD for encryption, Check Point’s analysis found that it relies on a weaker, unauthenticated cipher with no integrity protection.
Critical Encryption Design Flaw
More importantly, the C++-based lockers across all three platforms contain a fundamental design flaw that causes any file larger than 131,072 bytes to be permanently and irrecoverably destroyed instead of encrypted.
“The malware encrypts four independent chunks of each ‘large file’ using four freshly generated random 12-byte nonces, but appends only the final nonce to the specific encrypted file on disk,” Check Point explained. “The first three nonces, each required to decrypt its respective chunk, are generated, used, and silently discarded. They are never stored on disk, in the registry, or transmitted to the operator.”
“Because ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone, including the ransomware operator, who cannot provide a working decryption tool even after ransom payment. Since the vast majority of operationally critical files exceed this ‘large-size’ threshold, VECT 2.0 functions in practice as a data wiper with a ransomware facade.”
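The following is an added, self-contained model of the flaw Check Point describes; it is not VECT's code and is built only from the report's description. It assumes the four chunks are equal quarters (the report does not state the chunk boundaries) and uses a minimal standard-library implementation of RFC 8439 ChaCha20 so that it runs without third-party packages. The point it demonstrates is why no decrypter can exist: with only the final nonce on disk, best-effort decryption recovers the last quarter and nothing else.

```python
"""
Constructed illustration (not VECT's code) of the nonce-loss flaw described
by Check Point: four chunks, four fresh 12-byte nonces, only the last stored.
"""
import os
import struct

LARGE_FILE_THRESHOLD = 131_072  # bytes; per the report, larger files are chunked
NONCE_LEN = 12
KEY_LEN = 32
MASK = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: RFC 8439 state layout, 20 rounds."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_ietf(key, nonce, data, counter=0):
    """Encrypt/decrypt (same operation) with a 32-byte key and 12-byte nonce."""
    assert len(key) == KEY_LEN and len(nonce) == NONCE_LEN
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def _quarters(n):
    """Chunk boundaries; equal quarters is an assumption of this model."""
    return [(n * i // 4, n * (i + 1) // 4) for i in range(4)]


def lock_large_file_model(key, plaintext, nonces=None):
    """Model of the described flaw: each quarter gets its own fresh nonce,
    but only the final nonce is appended; the other three are dropped."""
    if nonces is None:
        nonces = [os.urandom(NONCE_LEN) for _ in range(4)]
    body = b"".join(chacha20_ietf(key, nonces[i], plaintext[lo:hi])
                    for i, (lo, hi) in enumerate(_quarters(len(plaintext))))
    return body + nonces[-1]  # nonces[0..2] never leave this function


def best_effort_decrypt(key, locked):
    """What any decrypter, the operator's included, can do: reuse the one stored nonce."""
    body, stored_nonce = locked[:-NONCE_LEN], locked[-NONCE_LEN:]
    return [chacha20_ietf(key, stored_nonce, body[lo:hi]) for lo, hi in _quarters(len(body))]


def assess_recoverability(key, plaintext, nonces=None):
    """Per quarter: does best-effort decryption with the stored nonce reproduce the original?"""
    recovered = best_effort_decrypt(key, lock_large_file_model(key, plaintext, nonces))
    return [recovered[i] == plaintext[lo:hi]
            for i, (lo, hi) in enumerate(_quarters(len(plaintext)))]


def rfc8439_vector_ok():
    """Sanity check of the cipher against RFC 8439 section 2.4.2 (first 16 bytes)."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_ietf(key, nonce, pt, counter=1)
    return ct[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"


if __name__ == "__main__":
    k = os.urandom(KEY_LEN)
    sample = bytes(range(256)) * 8  # constructed 2 KiB stand-in for a "large" file
    print("cipher self-test:", rfc8439_vector_ok())
    print("quarters recoverable with only the stored nonce:", assess_recoverability(k, sample))
```

Run as a script, the self-test confirms the cipher against the RFC vector, and the recoverability list comes back as three `False` values followed by one `True`: the key is fully known and the cipher is sound, yet three quarters of the content are gone because the nonces that would reverse them were never written anywhere. That is the concrete reason the report's advice is resilience (offline backups and tested restores) rather than negotiation.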
Advanced Features in the Windows Variant
At the same time, the Windows version of the ransomware encrypts files across local, removable, and network-accessible storage, and includes a comprehensive anti-analysis suite targeting 44 specific security and debugging tools. In addition, it features a safe-mode persistence mechanism and multiple remote-execution script templates for lateral movement.
When "--force-safemode" is active, the locker configures the next boot into Windows Safe Mode and writes its executable path into the Windows Registry, ensuring it runs automatically during the subsequent Safe Mode boot, where the system operates in a limited state.
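A defender reading the paragraph above will want a quick way to spot a pending forced Safe Mode boot during containment. The following is an added example, not from the page or Check Point, and it assumes the boot change is visible in the BCD store as a `safeboot` element on the boot-loader entry (the article does not name the mechanism used). The sample `bcdedit /enum {current}` output is constructed for the example.

```python
"""
Added detection helper (not VECT's code, not from the report): parse bcdedit
output and flag boot-loader entries that carry a 'safeboot' element.
"""
import platform
import re
import subprocess

# Constructed sample (not real host output) in the state the article describes:
# the current boot entry has been forced into Safe Mode for the next boot.
SAMPLE_FORCED = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\WINDOWS\\system32\\winload.efi
description             Windows 10
locale                  en-US
safeboot                Minimal
"""

# Constructed clean sample for comparison.
SAMPLE_CLEAN = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\WINDOWS\\system32\\winload.efi
description             Windows 10
locale                  en-US
"""

_FIELD = re.compile(r"^(\w+)\s{2,}(.+?)\s*$")


def parse_bcd_entries(text):
    """Split bcdedit output into {identifier: {element: value}} dictionaries.
    Section titles and separator lines do not match the two-space field layout."""
    entries, current = {}, None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2)
        if field == "identifier":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][field] = value
    return entries


def safe_mode_boot_pending(text):
    """Identifiers of boot entries whose next boot is set to Safe Mode."""
    return [ident for ident, fields in parse_bcd_entries(text).items()
            if "safeboot" in fields]


def check_live_host():
    """Run the real query on Windows; returns None elsewhere. Assumes an
    English bcdedit locale, since element names are localized."""
    if platform.system() != "Windows":
        return None
    out = subprocess.run(["bcdedit", "/enum", "{current}"],
                         capture_output=True, text=True, check=False).stdout
    return safe_mode_boot_pending(out)


if __name__ == "__main__":
    print("forced sample ->", safe_mode_boot_pending(SAMPLE_FORCED))
    print("clean sample  ->", safe_mode_boot_pending(SAMPLE_CLEAN))
    print("this host     ->", check_live_host())
```

The value of the check is timing: the element is written before the reboot that starts the limited-state encryption run, so an endpoint query that finds `safeboot` set on a machine no administrator touched is an early containment signal. On a non-English Windows install the element names differ, so the parser's `safeboot` match would need adjusting.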
Furthermore, although the Windows variant implements environment detection mechanisms to evade detection, it never invokes them. Consequently, security teams can analyze the artifacts without triggering evasive responses.
By contrast, the ESXi variant enforces geofencing and anti-debugging checks before initiating encryption, and it also attempts lateral movement via SSH. The Linux version shares the same codebase as the ESXi variant and implements a subset of its functionality.
Unusual Geofencing Behavior
Notably, the geofencing step verifies whether the system runs in a CIS country; if so, it exits without encrypting files. According to Check Point, this behavior stands out as unusual because most RaaS programs removed Ukraine from the CIS list following Russia's invasion in 2022.
“During recent years these checks have been largely removed from ransomware,” it added. “VECT including such checks and even adding Ukraine to the list of exclusions is rather uncommon. Check Point Research has two theories regarding this observation: either this code was AI generated, where LLMs were trained with Ukraine being part of CIS or VECT used an old code base for their ransomware.”
Finally, analysts assess that the operators behind VECT are likely novice actors rather than seasoned cybercriminals, with some portions of the code possibly generated using artificial intelligence (AI) tools.
“VECT 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel,” Check Point concluded. “In practice, the technical implementation falls significantly short of its presentation.”
Source: TheHackerNews