VECT Ransomware Analysis: The Wiper Disguised as Encryption
Introduction
In the evolving landscape of ransomware, sophistication often correlates with success. However, the VECT ransomware (version 2.0) demonstrates that even a polished marketing front can hide catastrophic technical failures. Check Point Research (CPR) has uncovered a critical flaw in VECT's encryption implementation that renders the tool a wiper for nearly all meaningful files, including enterprise assets like virtual machine disks, databases, and backups. This article delves into the technical details, background, and implications of VECT's design, revealing a ransomware that, by accident, destroys data beyond recovery for both victims and attackers.

Key Technical Flaws
Nonce Handling Disaster
The most significant issue lies in how VECT handles encryption nonces. For any file larger than 131,072 bytes (128 KB), the ransomware splits the content into four chunks, each encrypted under its own nonce, but three of the four nonces are discarded during encryption. Without them, nobody holding the key can decrypt those chunks, so full recovery is impossible for anyone, including the attacker. Since virtually all enterprise-relevant data exceeds the 128 KB threshold, VECT effectively acts as a wiper for it. CPR confirmed this flaw across all publicly available VECT versions.
Cipher Misidentification
Multiple widely cited threat intelligence reports, as well as VECT's own advertising, claimed the ransomware uses ChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data). In reality, VECT employs raw ChaCha20-IETF (RFC 8439) with zero authentication—no Poly1305 MAC and no integrity protection. This misidentification led analysts to overestimate the ransomware's sophistication and security guarantees.
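The two flaws above, modelled as an added example (not CPR's analysis code and not VECT's own code): a pure-Python RFC 8439 ChaCha20 with no Poly1305 tag encrypts a file in four chunks under four random 12-byte nonces and keeps only the first, so a decryptor holding the full key gets back one chunk in four; `silent_tamper` shows that without a MAC a modified ciphertext decrypts to modified plaintext with no error. The four-near-equal-chunk layout, the random nonces and all function names are assumptions, not details from the analysis.

```python
import os, struct

THRESHOLD = 131072  # 128 KB split threshold named in the analysis

def _qr(s, a, b, c, d):
    # One ChaCha quarter-round (RFC 8439 2.1) on 32-bit words of state s.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xffffffff
        s[z] ^= s[x]
        s[z] = ((s[z] << r) | (s[z] >> (32 - r))) & 0xffffffff

def _block(key, counter, nonce):
    # One 64-byte keystream block for (256-bit key, 32-bit counter, 96-bit nonce).
    init = list(struct.unpack('<16I', b'expand 32-byte k' + key
                              + struct.pack('<I', counter) + nonce))
    w = init[:]
    for _ in range(10):  # 20 rounds as 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack('<16I', *((x + y) & 0xffffffff for x, y in zip(w, init)))

def chacha20_ietf_xor(key, nonce, data):
    # Raw stream cipher: the same XOR encrypts and decrypts; no Poly1305 tag.
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], _block(key, i // 64, nonce)))
    return bytes(out)

def split_chunks(data):
    # Assumed layout: four near-equal chunks above THRESHOLD, else one chunk.
    size = -(-len(data) // (4 if len(data) > THRESHOLD else 1))
    return [data[i:i + size] for i in range(0, len(data), size)]

def encrypt_like_vect(key, plaintext):
    # Each chunk gets its own random nonce, but only nonce[0] is kept (the flaw).
    chunks = split_chunks(plaintext)
    nonces = [os.urandom(12) for _ in chunks]
    ct = b''.join(chacha20_ietf_xor(key, n, c) for n, c in zip(nonces, chunks))
    return ct, nonces[:1]

def recoverable_chunks(key, ciphertext, kept_nonces, original):
    # Decryptor's view with the full key: how many chunks come back intact?
    return sum(i < len(kept_nonces) and chacha20_ietf_xor(key, kept_nonces[i], c) == p
               for i, (c, p) in enumerate(zip(split_chunks(ciphertext), split_chunks(original))))

def silent_tamper(key, nonce, ciphertext, pos):
    # Flip one ciphertext bit: the decrypted plaintext bit flips, with no error.
    ct = bytearray(ciphertext)
    ct[pos] ^= 0x01
    return chacha20_ietf_xor(key, nonce, bytes(ct))
```

For a file one byte over the threshold, `recoverable_chunks` returns 1: the key alone is worth a quarter of the file, which is the whole basis for calling VECT a wiper.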
Unimplemented Features
VECT advertises three encryption speed modes via command-line flags: --fast, --medium, and --secure. These flags are present across Linux and ESXi variants but are parsed and then silently ignored. Every execution applies identical hardcoded thresholds, rendering the speed selection feature purely cosmetic.
Background on VECT Ransomware
VECT first appeared in December 2025 as a Ransomware-as-a-Service (RaaS) offering on a Russian-language cybercrime forum. Its initial victims were claimed in January 2026. The group gained notoriety in March 2026 following a partnership announcement with TeamPCP, the actor behind several supply-chain attacks that injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx. These attacks compromised a large base of downstream consumers. Shortly after the supply-chain attacks made headlines, VECT posted on BreachForums, announcing their partnership with TeamPCP to target the affected companies.
Additionally, VECT partnered with BreachForums itself, promising every registered forum user an affiliate status. This strategy aimed to democratize access to the ransomware, its negotiation platform, and leak site—a departure from traditional exclusive affiliate programs.
Cross-Platform Codebase
VECT targets Windows, Linux, and ESXi platforms. CPR identified that all three variants share an identical encryption engine built on libsodium. The same file-size thresholds, four-chunk logic, and nonce-handling flaw appear across all versions. This confirms a single codebase ported across platforms, indicating that the developers reused code without platform-specific optimization or testing.

Operational Amateurism
Beyond the critical nonce flaw, CPR discovered multiple additional bugs and design failures:
- Self-cancelling string obfuscation: The obfuscation routines cancel each other out, leaving strings readable.
- Unreachable anti-analysis code: Code paths designed to hinder analysis are permanently dead code and never executed.
- Inefficient thread scheduler: The custom thread scheduler actively degrades encryption performance it was meant to improve, likely due to race conditions or poor thread management.
These issues paint a picture of a ransomware operation that, despite a professional facade, suffers from amateur-level software development. The attackers invested time in marketing and partnerships but neglected core reliability and security.
Implications for Victims and Incident Responders
Organizations affected by VECT should understand that encrypted files above 128 KB are unrecoverable—even if the ransom is paid. The wiper nature of the ransomware means that backups and business-critical data are likely permanently lost. Incident response teams should prioritize data recovery from intact backups rather than attempting to decrypt affected files. The lack of integrity protection also means that tampering with encrypted data cannot be detected, potentially leading to further corruption if recovery attempts are made with flawed tools.
Conclusion
VECT ransomware exemplifies how a high-profile RaaS operation can be undermined by fundamental technical errors. The nonce handling flaw transforms what should be an encryption tool into a wiper for virtually all enterprise data. Combined with misidentified ciphers, unimplemented features, and amateur-level bugs, VECT stands as a cautionary tale for both cybercriminals and defenders. For security professionals, it underscores the importance of deep technical analysis to understand the true nature of emerging threats.