Threat hunters have raised alarms regarding a new cybercriminal operation named VECT 2.0. Unlike traditional ransomware, which encrypts files and holds them for ransom, VECT 2.0 behaves more like data-wiping malware because of a critical flaw in the encryption routine of its lockers for Windows, Linux, and ESXi. The flaw removes any possibility of data recovery for victims, even those who decide to pay the ransom.
Eli Smadja, group manager at Check Point Research, emphasized the severity of the situation by explaining that VECT’s locker does not merely encrypt but permanently destroys large files. This happens to any file exceeding 131KB, which covers most of the files organizations handle. Consequently, victims who choose to pay are left without their data, because the ransomware discards part of the information needed for decryption at the moment it runs its encryption routine.
“To understand the risk posed by VECT, Chief Information Security Officers (CISOs) must recognize that engaging with the attackers to recover data is a futile strategy,” Smadja stated. He pointed out that the destroyed decryption information means no reliable decryption tool can ever be offered. His advice to organizations is to prioritize resilience through means like offline backups, effective recovery protocols, and swift containment plans, rather than succumbing to ransom negotiations.
VECT, which has been rebranded as VECT 2.0, operates on a ransomware-as-a-service (RaaS) model, having initiated its affiliate program in December 2025. On its dark web platform, the operation promotes a triad approach: “Exfiltration / Encryption / Extortion,” illustrating its multi-faceted strategy aimed at exploiting vulnerabilities for profit.
Interestingly, a recent report by the Data Security Council of India highlighted that becoming an affiliate of VECT requires a $250 fee, payable in Monero (XMR). However, this fee is waived for applicants from Commonwealth of Independent States (CIS) countries, a move that appears to actively encourage recruitment from that region.
In a noteworthy advancement, VECT has forged a formal relationship with BreachForums and TeamPCP, two entities within the cybercrime ecosystem. This partnership lowers entry barriers for aspiring ransomware operators and incentivizes affiliates to launch attacks by leveraging previously stolen data. According to Dataminr, this convergence represents a significant evolution in the industrialized delivery of ransomware attacks, marked by the intersection of large-scale credential theft and the maturing RaaS landscape.
Although VECT claims a growing operational capacity, its data leak site currently showcases only two confirmed victims, both of whom were compromised through TeamPCP supply chain attacks. Additionally, early assertions from the group about using ChaCha20-Poly1305 AEAD for encryption have been debunked. Check Point’s analysis determined that VECT employs a much weaker encryption mechanism lacking proper integrity features.
The underpinnings of VECT’s design further complicate matters. The ransomware’s C++-based lockers across all supported platforms suffer from a critical flaw that leads to irreversible destruction of any file larger than 131KB. During encryption, the malware encrypts four separate chunks of any large file, generating random 12-byte nonces for each chunk. However, only the final nonce is saved; the first three are discarded, rendering them irretrievable and preventing any possibility of restoring the file, even for the cybercriminals themselves.
Check Point explained that because decryption requires both the key and the matching nonce, the missing nonces mean that several segments of every large file are permanently lost. This defect turns VECT 2.0 into a destructive tool masquerading as ransomware.
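To make the two paragraphs above concrete, here is an added illustration (not code from the article, from Check Point’s analysis, or from the malware itself) of why a discarded nonce leaves a chunk unrecoverable even when the key is known. It assumes a stream cipher that needs both a key and a 12-byte nonce; ChaCha20 from RFC 8439 is used as the stand-in and is not a claim about VECT’s actual cipher. The four-chunk layout, the sample file contents and all function names are constructed for the illustration.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
CHUNKS = 4  # the article describes four separately encrypted chunks per large file


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] ^= s[a]; s[d] = _rotl32(s[d], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] ^= s[c]; s[b] = _rotl32(s[b], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] ^= s[a]; s[d] = _rotl32(s[d], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] ^= s[c]; s[b] = _rotl32(s[b], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block, RFC 8439 section 2.3 (stand-in cipher)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_self_check() -> bool:
    """Confirm the stand-in cipher against the RFC 8439 section 2.4.2 vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt).hex().startswith("6e2e359a2568f98041ba0728dd0d6981")


def split_chunks(data: bytes) -> list:
    chunk_len = -(-len(data) // CHUNKS)  # ceiling division
    return [data[i:i + chunk_len] for i in range(0, len(data), chunk_len)]


def encrypt_in_chunks(key: bytes, plaintext: bytes, nonces=None) -> dict:
    """Model of the described scheme: a fresh 12-byte nonce per chunk, but
    only the LAST nonce is written alongside the ciphertext (constructed model)."""
    if nonces is None:
        nonces = [os.urandom(12) for _ in range(CHUNKS)]
    ciphertexts = [chacha20_xor(key, n, c) for n, c in zip(nonces, split_chunks(plaintext))]
    return {"chunks": ciphertexts, "stored_nonce": nonces[-1]}


def recover_chunks(key: bytes, locked: dict) -> list:
    """A decryptor's view: the key is known, but the only nonce available is
    the stored one. Decrypting a chunk with the wrong nonce yields noise, and
    a missing 96-bit nonce has 2**96 candidates, far beyond brute force."""
    return [chacha20_xor(key, locked["stored_nonce"], ct) for ct in locked["chunks"]]


# Constructed sample "file": 344 bytes, so each of the four chunks is 86 bytes.
SAMPLE_FILE = b"Q3 payroll export, constructed sample data line. " * 7


def demo(key: bytes = bytes(range(32))) -> list:
    """Per chunk: did decryption with the stored nonce restore the original?"""
    locked = encrypt_in_chunks(key, SAMPLE_FILE)
    recovered = recover_chunks(key, locked)
    return [r == c for r, c in zip(recovered, split_chunks(SAMPLE_FILE))]


if __name__ == "__main__":
    print("cipher self-check:", rfc8439_self_check())
    print("chunks restored with key + stored nonce:", demo())  # only the last one
```

The result is the same with the real key in hand: three of four chunks come back as noise because the nonce that would reproduce their keystream no longer exists anywhere. That is the technical reason no decryptor can be built for these files, and why recovery planning has to rest on offline backups rather than on negotiation.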
In terms of system capabilities, the Windows version of VECT not only encrypts files on local, removable, and networked storage but also includes an extensive suite of anti-analysis features aimed at evading 44 specific security and debugging tools. Its advanced mechanisms enable it to configure future Windows boots into Safe Mode, deploying its executable automatically to enhance persistence.
Meanwhile, the ESXi version implements geo-fencing and anti-debug checks, while also advancing laterally using SSH. The Linux variant shares code with the ESXi version and includes some of its functions. Notably, the geo-fencing feature exits the ransomware operation if it detects execution within a CIS country, a somewhat unusual tactic given the context of the ongoing conflict in Ukraine.
Finally, there is speculation about the experience level of the VECT operators. Check Point’s research suggests that these actors may not be seasoned cybercriminals, and hints that artificial intelligence may have shaped parts of their code. Despite its ambitious claims and its purportedly robust affiliate program, the technical execution of VECT 2.0 has fallen short of those claims.
In conclusion, as organizations grapple with the evolving landscape of ransomware threats, understanding the operational mechanics of VECT 2.0 is paramount. Emphasizing resilience and robust security measures will be essential in counteracting such malicious endeavors.