{
  "name": "VECT: Ransomware by design, Wiper by accident",
  "slug": "vect-ransomware-by-design-wiper-by-accident",
  "description": "Check Point Research discovered critical flaws in the VECT 2.0 ransomware, which affects Windows, Linux, and ESXi platforms. A fundamental error in the encryption implementation causes files larger than 128 KB to be permanently destroyed rather than recoverably encrypted. The malware uses the ChaCha20-IETF cipher but saves only one of the four nonces needed to decrypt a large file, so recovery is impossible even after ransom payment. VECT's encryption speed modes are non-functional, its thread scheduling degrades performance, and its anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation reveals amateur execution behind a professional facade. The nonce-handling flaw has been present in all platform variants since initial deployment, effectively turning this ransomware into a wiper for enterprise assets including VM disks, databases, and backups.",
  "published": "2026-04-28T16:34:45.021000+00:00",
  "created_at": "2026-04-29T07:14:30.688000+00:00",
  "modified_at": "2026-04-29T05:14:30+00:00",
  "created_at_opencti": "2026-04-29T07:14:30.688000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "chacha20",
    "encryption flaw",
    "esxi",
    "lateral movement",
    "multi-platform",
    "raas",
    "teampcp",
    "vect",
    "wiper"
  ],
  "tags": [
    "2026-04-28",
    "chacha20",
    "encryption flaw",
    "esxi",
    "lateral movement",
    "multi-platform",
    "raas",
    "teampcp",
    "vect",
    "wiper"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "51d92c06-bb08-4c36-9142-e1030a6e07de",
        "name": "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d"
      },
      {
        "id": "706357dd-4451-4259-afe1-cbdd8aac2725",
        "name": "58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd"
      },
      {
        "id": "23c8a0ff-654a-486c-a6ff-d1f1665f9a82",
        "name": "9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f"
      },
      {
        "id": "74da35c5-5161-4f1a-878b-b0f57c3b5015",
        "name": "a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2"
      },
      {
        "id": "c3e50070-7dc5-459e-b6ed-535925879af7",
        "name": "e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a"
      },
      {
        "id": "dfd670a8-86e8-4342-a637-e042e8de307f",
        "name": "vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion"
      },
      {
        "id": "8ab873d7-ff35-4bf8-9795-a5d4e45d750a",
        "name": "e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06"
      },
      {
        "id": "bd19ec54-7977-474d-904e-28da69627749",
        "name": "http://vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion/chat/REDACTED"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1b608b20-d5e9-404a-9c5d-cc5e78982e69",
        "name": "Vect",
        "slug": "vect"
      }
    ],
    "attack_patterns": [
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      },
      {
        "id": "ab1a2f00-2489-4c89-af29-e767f5fa5a23",
        "name": "T1070.003"
      },
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "9643a7e9-771b-4396-83a3-26fcec5200e4",
        "name": "T1021.006"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "24fce7f6-f946-4b89-afde-c02b62734093",
        "name": "T1529"
      },
      {
        "id": "c998d878-b668-40dd-a84c-9ca7f73caaa4",
        "name": "T1497.003"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "92638d02-76de-4e4f-bac4-2f318e7b8ce9",
        "name": "T1070.002"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "b9a5c9cf-0131-463e-bde2-b5ff153274ea",
        "name": "T1561.001"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      }
    ],
    "malware": [
      {
        "id": "aaef5344-78d3-4693-87de-f5b5c55783e1",
        "name": "Vect",
        "slug": "vect"
      }
    ],
    "observables": [
      {
        "id": "04e0061b-83a7-4493-87eb-4ed946cca1fc",
        "name": "vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion"
      },
      {
        "id": "ad53afb0-3f85-4dbd-aee7-7a4174a144f1",
        "name": "http://vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion/chat/REDACTED"
      },
      {
        "id": "",
        "name": "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d"
      },
      {
        "id": "",
        "name": "58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd"
      },
      {
        "id": "",
        "name": "9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f"
      },
      {
        "id": "",
        "name": "a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2"
      },
      {
        "id": "",
        "name": "e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a"
      },
      {
        "id": "",
        "name": "e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion"
      }
    ]
  },
  "external_refs": [
    {
      "id": "e0f6a0fe-c88a-4376-a877-2bd5c1eeb8d2",
      "standard_id": "external-reference--de408ed1-7246-57e3-8501-0820f6cd899a",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/",
      "hash": null,
      "external_id": null,
      "created": "2026-04-29T07:14:28.173Z",
      "modified": "2026-04-29T07:14:28.173Z",
      "createdById": null
    },
    {
      "id": "44690aa6-25c3-470d-a397-4671531b6013",
      "standard_id": "external-reference--fd00861b-64af-5059-a772-fa5056dcbfe6",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69f0e1a5f1a168738b4eda1a",
      "hash": null,
      "external_id": "69f0e1a5f1a168738b4eda1a",
      "created": "2026-04-29T07:14:28.148Z",
      "modified": "2026-04-29T07:14:28.148Z",
      "createdById": null
    }
  ]
}