Vypr Research. Published Apr 29, 2026. Updated May 18, 2026. 1 source.

Critical Flaw in Vect 2.0 Ransomware Permanently Destroys Large Files Instead of Encrypting Them

Check Point Research has discovered a critical implementation flaw in Vect 2.0 ransomware that causes it to permanently destroy files larger than 128 KB instead of encrypting them, making recovery impossible even for the attackers.

Check Point Research has uncovered a critical flaw in Vect 2.0 ransomware that turns the malware into a data wiper for large files, permanently destroying them instead of encrypting them. The bug, discovered during an analysis of the latest version of the ransomware, makes recovery impossible — even for the attackers themselves.

The flaw stems from a nonce-handling error in the ChaCha20-IETF cipher implementation used by Vect 2.0. According to the researchers, the ransomware discards three of four decryption nonces. A nonce ("number used once") is a per-encryption value that, together with the key, determines the ChaCha20 keystream; it need not be secret, but it must be stored alongside the ciphertext, because without it the keystream cannot be regenerated and the data cannot be decrypted. This means that for any file larger than 131,072 bytes (128 KB), the encryption process effectively destroys the data rather than securing it.

"There is no Poly1305 MAC and no integrity protection. This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as virtual machine (VM) disks, databases, documents and backups included," the Check Point researchers noted in their report published on April 28.

Vect is a ransomware-as-a-service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum and was discovered by security researchers in early January 2026. The group quickly gained notoriety after announcing partnerships with TeamPCP — the threat group behind several supply-chain attacks — and BreachForums itself, promising every registered forum user affiliate access to the ransomware, negotiation platform, and leak site.

The researchers confirmed that the encryption flaw is present across all publicly available Vect versions and across all three targeted platforms: Windows, Linux, and VMware ESXi. All variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout, confirming a single codebase ported across platforms.
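To make the nonce problem concrete for a defender assessing recoverability, the following is an added simulation (not Vect's code and not Check Point's) of the chunk-and-nonce design the report describes, built on a pure-Python ChaCha20-IETF (RFC 8439, the same construction as libsodium's crypto_stream_chacha20_ietf_xor). The page does not give Vect's exact chunk layout or which nonce survives, so the model assumes four equal chunks above the 128 KB threshold, a fresh nonce per chunk, and that only the first nonce is retained; the function names are mine.

```python
import os
import struct

MASK = 0xffffffff
CHUNK_THRESHOLD = 131072  # 128 KB: above this the report says Vect splits a file into four chunks

def _qr(s, a, b, c, d):
    # ChaCha quarter-round (RFC 8439 section 2.1) applied in place to the 16-word state.
    s[a] = (s[a] + s[b]) & MASK; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & MASK
    s[c] = (s[c] + s[d]) & MASK; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & MASK
    s[a] = (s[a] + s[b]) & MASK; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & MASK
    s[c] = (s[c] + s[d]) & MASK; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & MASK

def _block(key, counter, nonce):
    # ChaCha20-IETF block function: 32-byte key, 32-bit block counter, 12-byte nonce.
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, init)])

def chacha20_ietf_xor(key, nonce, data):
    # Keystream XOR with the counter starting at 0, as in libsodium's crypto_stream_chacha20_ietf_xor.
    # Encrypt and decrypt are the same call; with no Poly1305 tag, nothing flags a wrong nonce.
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], _block(key, i // 64, nonce)))
    return bytes(out)

def _chunk_count(length):
    return 1 if length <= CHUNK_THRESHOLD else 4

def encrypt_chunks(key, plaintext):
    """Model of the reported design (assumed layout: equal chunks, each under a fresh nonce).
    Returns (ciphertext, nonces_kept): only the first nonce survives, the other three are dropped."""
    n = _chunk_count(len(plaintext))
    size = -(-len(plaintext) // n)  # ceiling division
    nonces = [os.urandom(12) for _ in range(n)]
    ct = b"".join(chacha20_ietf_xor(key, nonces[i], plaintext[i * size:(i + 1) * size]) for i in range(n))
    return ct, nonces[:1]  # the nonce-handling flaw: three of four nonces are never written out

def decrypt_chunks(key, ciphertext, nonces_kept):
    """Decryptor holding the full key: chunks whose nonce was discarded come back as None,
    because without the nonce the keystream cannot be regenerated and the bytes are unrecoverable."""
    n = _chunk_count(len(ciphertext))
    size = -(-len(ciphertext) // n)
    return [chacha20_ietf_xor(key, nonces_kept[i], ciphertext[i * size:(i + 1) * size])
            if i < len(nonces_kept) else None for i in range(n)]
```

Running `decrypt_chunks` on anything over 131,072 bytes returns one real chunk and three `None` entries even with the correct key, which is the whole recovery problem in one call.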

Beyond the critical encryption flaw, Check Point identified multiple additional bugs and design failures across all Vect variants. These include self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that actively degrades the encryption performance it was meant to improve.

"Vect 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation," the Check Point report concluded.

The discovery highlights the risks inherent in ransomware-as-a-service operations where code quality may vary dramatically. For organizations, the finding underscores the importance of maintaining offline backups and testing recovery procedures, as even paying a ransom would not recover files destroyed by this flawed encryption implementation.

Synthesized by Vypr AI