VECT: Ransomware by design, Wiper by accident
Essential information
- Published
- 28/04/2026 18:34
- Modified
- 29/04/2026 07:14
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- chacha20, encryption flaw, esxi, lateral movement, multi-platform, raas, teampcp, vect, wiper
- Related entities
- 8 indicators, 8 observables, 1 intrusion sets (apt), 21 techniques (mitre), 1 malware, 1 others
Description
Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting the Windows, Linux, and ESXi variants. A fundamental error in the encryption implementation causes files larger than 128 KB to be permanently destroyed rather than encrypted: the malware encrypts with the ChaCha20-IETF cipher, but for large files it saves only one of the four nonces required for decryption, so the data encrypted under the other three nonces cannot be recovered even after the ransom is paid. VECT's encryption speed modes are non-functional, its thread scheduling degrades performance, and its anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation shows amateur execution behind a professional facade. The nonce-handling flaw exists in every platform variant since initial deployment, effectively turning this ransomware into a wiper for enterprise assets such as VM disks, databases, and backups.
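The failure mode above is easy to reproduce in a model. The block below is an added example written for this page; it is not VECT code and not Check Point's analysis. It implements ChaCha20-IETF (RFC 8439: 256-bit key, 32-bit counter starting at 1, 96-bit nonce) in pure Python and then models the scheme the description implies: files at or under 128 KB get one nonce that is stored, larger files are split into four segments each encrypted under a fresh nonce, and only the first nonce is persisted. The segment layout, the footer format and the 4-way split are assumptions for illustration; the description does not give VECT's actual file format. A decryptor that only has the stored nonce recovers the first segment and garbles the rest, while a reference decryptor that has all four nonces recovers everything, which is exactly the difference between ransomware and a wiper.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
SEGMENTS = 4              # assumption: one nonce per segment, four segments per large file
LARGE_FILE = 128 * 1024   # threshold from the description: bigger files take the multi-nonce path


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block in RFC 8439 layout: constants, 8 key words, counter, 3 nonce words."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds (column round, then diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) under one 32-byte key and 12-byte nonce."""
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce)
        for j in range(min(64, len(data) - i)):
            out[i + j] = data[i + j] ^ block[j]
    return bytes(out)


def _segments(data):
    """Split a large file into SEGMENTS near-equal pieces (assumed layout, not VECT's real one)."""
    n = -(-len(data) // SEGMENTS)
    return [data[i:i + n] for i in range(0, len(data), n)]


def vect_encrypt(key, plaintext, large_file=LARGE_FILE):
    """Model of the flawed scheme: returns (ciphertext, persisted_nonce, all_nonces)."""
    if len(plaintext) <= large_file:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, plaintext), nonce, [nonce]
    nonces, ct = [], bytearray()
    for seg in _segments(plaintext):
        n = os.urandom(12)            # fresh nonce per segment
        nonces.append(n)
        ct += chacha20_xor(key, n, seg)
    # DEFECT being modelled: only the first nonce is written next to the file.
    return bytes(ct), nonces[0], nonces


def vect_decrypt(key, ciphertext, persisted_nonce, large_file=LARGE_FILE):
    """What a decryptor can do when the footer holds a single nonce."""
    if len(ciphertext) <= large_file:
        return chacha20_xor(key, persisted_nonce, ciphertext)
    return b"".join(chacha20_xor(key, persisted_nonce, seg) for seg in _segments(ciphertext))


def correct_decrypt(key, ciphertext, nonces):
    """What recovery actually needs: the nonce of every segment."""
    segs = [ciphertext] if len(nonces) == 1 else _segments(ciphertext)
    return b"".join(chacha20_xor(key, n, seg) for n, seg in zip(nonces, segs))


def recovery_report(key, plaintext, large_file=LARGE_FILE):
    """Compare the single-nonce decryptor against the all-nonces decryptor on one file."""
    ct, persisted, nonces = vect_encrypt(key, plaintext, large_file)
    got = vect_decrypt(key, ct, persisted, large_file)
    n = -(-len(plaintext) // SEGMENTS) if len(plaintext) > large_file else len(plaintext)
    return {
        "first_segment_ok": got[:n] == plaintext[:n],
        "rest_ok": got[n:] == plaintext[n:],
        "recoverable_with_all_nonces": correct_decrypt(key, ct, nonces) == plaintext,
    }


if __name__ == "__main__":
    key = os.urandom(32)
    print("128 KB file:   ", recovery_report(key, os.urandom(LARGE_FILE)))
    print("128 KB + 1 file:", recovery_report(key, os.urandom(LARGE_FILE + 1)))
```

The threshold is a parameter so the behaviour can be checked quickly on small inputs; the stand-alone run uses the real 128 KB boundary and takes a few seconds in pure Python. The point to notice is that nothing cryptographic is broken: ChaCha20 is used correctly per segment, and the reference decryptor recovers every file. The only defect is a bookkeeping one, a nonce that is generated and used but never written down, and that is sufficient to turn the output into noise that no key, paid for or not, can reverse.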