Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than a ransomware due to a critical flaw in its encryption implementation across Windows, Linux, and ESXi variants that renders recovery impossible even for the threat actors.
The fact that VECT’s locker permanently destroys large files rather than encrypting them means even victims who opt to pay the ransom cannot get their data back, as the decryption keys are discarded by the malware during the time encryption occurs.
“VECT is being marketed as ransomware, but for any file over 131KB – which is most of what enterprises actually care about – it functions as a data destruction tool,” Eli Smadja, group manager at Check Point Research, said in a statement shared with The Hacker News.
“CISOs need to understand that in a VECT incident, paying is not a recovery strategy. There is no decrypter that can be handed over, not because the attackers are unwilling, but because the information required to build one was destroyed the moment their software ran. The focus has to be on resilience: offline backups, tested recovery procedures, and rapid containment – not negotiation.”
VECT (now rebranded as VECT 2.0) is a ransomware-as-a-service (RaaS) scheme that first launched its affiliate program in December 2025. On its dark website, the group displays the message “Exfiltration / Encryption / Extortion,” highlighting its triple-threat business model.
According to an analysis published by the Data Security Council of India (DSCI) last month, a $250 entry fee, payable in Monero (XMR), is required for new affiliates. The fee is waived for applicants from the Commonwealth of Independent States (CIS) countries, indicating an attempt to recruit individuals from the region.
In recent weeks, the group has established a formal partnership with the BreachForums cybercrime marketplace and the TeamPCP hacking group, in a move aimed at further lowering the barrier to entry for ransomware operators and incentivizing affiliates to launch attacks by weaponizing previously stolen data.
“The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment,” Dataminr noted earlier this month.
While the collaboration may be a sign of what’s to come, its data leak site currently lists only two victims, both of which are said to have been compromised via the TeamPCP supply chain attacks. What’s more, contrary to the group’s initial claims of using ChaCha20-Poly1305 AEAD for encryption, Check Point’s analysis has found that it uses a weaker, unauthenticated cipher with no integrity protection.
But it doesn’t end there, for the C++-based lockers for all three platforms suffer from a fundamental design flaw that causes any file larger than 131,072 bytes to be permanently and irrecoverably destroyed, as opposed to being encrypted.
“The malware…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
