
Critical Flaw Transforms Vect Ransomware into a Data-Destructive Wiper


Vect 2.0 Ransomware: A Wiper by Design, Due to Critical Implementation Flaws

Researchers from Check Point have found that Vect 2.0 ransomware, a program sold under a ransomware-as-a-service (RaaS) model, contains an implementation flaw that means it does not merely encrypt compromised files but effectively erases them. The error makes file recovery impossible, even for the attackers operating the software.

The Vect ransomware first appeared in the cybercrime landscape in December 2025, initially surfacing on a Russian-language forum dedicated to illicit activities. Security researchers began investigating the ransomware’s capabilities in early January 2026. The Check Point Research team identified a significant flaw in the encryption mechanism that is most likely an unintended consequence of coding errors rather than a deliberate design choice.

This ransomware variant gained considerable notoriety after its developers announced a collaboration on BreachForums with TeamPCP, a notorious group involved in multiple supply-chain attacks, including notable incidents against software products like Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx. The partnership between Vect and TeamPCP was solidified in March and April 2026, enhancing the capabilities of Vect in executing increasingly complex cyber-attacks.

The burgeoning threat posed by Vect was compounded by the announcement of its collaboration with BreachForums itself, which allowed registered users on the forum to access Vect’s ransomware tools, negotiation frameworks, and leak sites. According to the Check Point researchers, this partnership was fully operational as of April 2026, indicating a shift in the ransomware landscape with widespread access to powerful tools for cybercriminals.

Technology and Ambitious Features Falter

Launched in February 2026, Vect 2.0 was purportedly rewritten from the ground up in C++. Its lockers support a variety of platforms, including Windows, Linux, and VMware ESXi hypervisors. In its promotional materials, Vect also promised dedicated ‘cloud lockers’ aimed at cloud storage services, to be made available in the near future to affiliates who completed specialized quizzes or puzzle challenges.

After obtaining the Vect ransomware builder via BreachForums, the Check Point research team analysed three distinct payloads built for Windows, Linux, and ESXi hosts. They found that files larger than 128 KB were not simply encrypted but permanently destroyed. The cause is a critical flaw in the encryption routine, which discards three of the four nonces (unique one-time values that, together with the key, determine the keystream) needed to decrypt such a file; without the discarded nonces, the corresponding ciphertext cannot be decrypted even by someone holding the key.

The research also found that Vect’s encryption used a raw ChaCha20-IETF stream cipher with no authentication, rather than the ChaCha20-Poly1305 AEAD construction it had advertised. Without an authentication tag, neither the operators nor the victim can detect whether an encrypted file was corrupted or truncated, which is why integrity protection matters in a scheme that is supposed to be reversible. Consequently, the Check Point team classified Vect as a wiper for virtually any file of real value, including enterprise assets such as virtual machine (VM) disks, databases, documents, and backup files.
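To make the failure mode concrete, here is an added illustration (not code from the report or from the malware) that implements ChaCha20-IETF per RFC 8439 and models a large file encrypted as four segments under four random nonces, of which only the first is retained. It assumes, purely for illustration, that the segments map one-to-one onto the four nonces; the page does not describe Vect’s exact file layout.

```python
import os
import struct


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, RFC 8439 layout: 256-bit key, 32-bit counter, 96-bit nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    work = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds: column round, then diagonal round
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & 0xFFFFFFFF for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Raw ChaCha20-IETF: keystream XOR data. No Poly1305 tag, so corruption is never detected."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


def segment_recovery(data, nonces_kept=1, segments=4):
    """Encrypt `data` as `segments` pieces under independent random nonces, keep only the first
    `nonces_kept` nonces (hypothetical model of the reported 1-of-4 behaviour), then decrypt with
    the key. Returns one bool per segment: True if that segment was recovered intact."""
    key = os.urandom(32)
    size = -(-len(data) // segments)  # ceiling division; data is assumed non-empty
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    nonces = [os.urandom(12) for _ in pieces]
    enc = [chacha20_xor(key, n, p) for n, p in zip(nonces, pieces)]
    stored = nonces[:nonces_kept]  # discarded nonces cannot be derived from the key
    results = []
    for idx, (c, p) in enumerate(zip(enc, pieces)):
        nonce = stored[idx] if idx < len(stored) else bytes(12)  # best effort: a fixed guess
        results.append(chacha20_xor(key, nonce, c) == p)
    return results
```

Only the segment whose nonce survived comes back; the other three are indistinguishable from random bytes, which is the sense in which the routine behaves as a wiper.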

The researchers confirmed that this flaw was pervasive across all publicly accessible versions of Vect ransomware and across the targeted operating systems of Windows, Linux, and ESXi. Identical designs in the encryption mechanisms and the aforementioned nonce-handling flaw across platforms suggested that a single codebase was merely adapted for different uses.

Additional Bugs and Design Failures

In their analysis, the Check Point team identified various other bugs and design failures across all variants of the Vect ransomware. These included issues such as self-cancelling string obfuscation, unreachable anti-analysis code, and a thread scheduler that inadvertently degraded encryption performance rather than enhancing it.

The conclusion drawn in the Check Point report underscored the disparity between the ambitious threat profile that Vect projected, characterized by its multi-platform support, active affiliate network, and an impressive operator panel, and the stark realities of its technical shortcomings. While Vect 2.0 may evoke a sense of imminent danger within the cybercrime arena, its flawed implementation has inadvertently diminished its operational efficacy, potentially complicating the attackers’ own recovery efforts.

As the cybersecurity community continues to monitor this evolving threat, the revelations around Vect 2.0 serve as a potent reminder of the inherent risks associated with ransomware operations, where even the most sophisticated systems can succumb to fundamental coding errors.
