VYPR
Research · Published Apr 28, 2026 · Updated May 18, 2026 · 1 source

VECT 2.0 Ransomware's Critical Encryption Flaw Turns It Into a Permanent Wiper for Large Files

Check Point Research reveals that VECT 2.0 ransomware permanently destroys files larger than 128 KB due to a nonce-handling bug in its ChaCha20-IETF implementation, making recovery impossible even for the attackers.

Check Point Research (CPR) has uncovered a critical flaw in version 2.0 of the VECT ransomware that turns it into a permanent wiper for any file larger than 128 KB, rather than a recoverable encryptor. The bug, present in all three platform variants (Windows, Linux, and ESXi), stems from mishandling of the per-chunk nonces in its ChaCha20-IETF cipher implementation. For every file above 131,072 bytes, the encryption engine discards three of the four nonces needed for decryption, making full recovery impossible for anyone, the attackers included.

The flaw is rooted in VECT's file-splitting logic. The ransomware divides large files into four chunks and encrypts each with its own nonce, but a bug in the nonce-handling code writes only the final chunk's nonce to disk; the nonces for the first three chunks are never stored. Because a ChaCha20 keystream is derived from both the key and the 96-bit nonce, a chunk whose nonce is lost cannot be decrypted even by someone holding the key, and a 96-bit nonce is far beyond brute force. With the threshold set at just 128 KB, virtually any file containing meaningful data (VM disks, databases, documents, backups) is permanently corrupted the moment it is encrypted.

CPR confirmed that the flaw is identical across all publicly available VECT versions and all three platform variants: the shared codebase, built on the libsodium cryptographic library, means the bug affects every supported platform equally. The researchers also found that the cipher is misidentified in public reporting. VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication, not the ChaCha20-Poly1305 AEAD claimed in several threat intelligence reports and in VECT's own advertisements. libsodium exposes both: the unauthenticated stream primitive (crypto_stream_chacha20_ietf_xor) and the AEAD construction (crypto_aead_chacha20poly1305_ietf_encrypt). A quick way to tell them apart in a sample is output length, since the AEAD appends a 16-byte Poly1305 tag to every ciphertext while the raw stream cipher produces output exactly the length of its input. VECT's output carries no Poly1305 MAC and no integrity protection, so ciphertext can be altered bit by bit without any decryption error, although that malleability is of no help in recovering the lost chunks.
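To make the failure mode concrete, here is an added example (not CPR's tooling and not VECT's code) that models the large-file path in pure Python. The ChaCha20-IETF block function follows RFC 8439 and is checked against the RFC's own block-function test vector; everything about VECT's layout is an assumption made for illustration: the four near-equal chunks, the single 12-byte nonce trailer, and the loop that overwrites the nonce it means to save. The function names (`vect_style_encrypt`, `recoverable_chunks`, and so on) belong to this example, not to the malware. The `bitflip_passes_unnoticed` function shows the second point from the report: without Poly1305, a modified ciphertext decrypts without any error.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
CHUNK_THRESHOLD = 131_072   # 128 KB: files above this are split, per CPR's report
NUM_CHUNKS = 4
NONCE_LEN = 12              # ChaCha20-IETF (RFC 8439) nonce is 96 bits


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 keystream bytes for (key, counter, nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column + diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK32 for i in range(16)))


def chacha20_ietf_xor(key, nonce, data, counter=0):
    """Raw keystream XOR, the unauthenticated primitive: no Poly1305 tag is produced."""
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), 64)):
        piece = data[off:off + 64]
        ks = chacha20_block(key, counter + blk, nonce)[:len(piece)]
        out += (int.from_bytes(piece, "little")
                ^ int.from_bytes(ks, "little")).to_bytes(len(piece), "little")
    return bytes(out)


def rfc8439_block_known_answer():
    """Sanity check against the RFC 8439 section 2.3.2 block-function test vector."""
    out = chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000"))
    return out[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


def split_chunks(data):
    """Assumed split into four near-equal chunks (VECT's real boundaries are not in the report)."""
    size = -(-len(data) // NUM_CHUNKS)
    return [data[i * size:(i + 1) * size] for i in range(NUM_CHUNKS)]


def vect_style_encrypt(key, plaintext):
    """Model of the flawed large-file path: four chunks, four fresh nonces, one nonce kept.
    Assumed layout: ciphertext followed by a single 12-byte nonce trailer."""
    if len(plaintext) <= CHUNK_THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return chacha20_ietf_xor(key, nonce, plaintext) + nonce
    body, stored_nonce = bytearray(), b""
    for chunk in split_chunks(plaintext):
        nonce = os.urandom(NONCE_LEN)      # unique per chunk, as the report describes
        body += chacha20_ietf_xor(key, nonce, chunk)
        stored_nonce = nonce               # overwritten each pass: only the last one is written out
    return bytes(body) + stored_nonce


def vect_style_decrypt(key, blob):
    """All a decryptor (even the attackers') has: the key and the one surviving nonce."""
    nonce, body = blob[-NONCE_LEN:], blob[:-NONCE_LEN]
    if len(body) <= CHUNK_THRESHOLD:
        return chacha20_ietf_xor(key, nonce, body)
    return b"".join(chacha20_ietf_xor(key, nonce, c) for c in split_chunks(body))


def recoverable_chunks(key, plaintext):
    """Per-chunk flags: which parts of the file survive an encrypt/decrypt round trip."""
    recovered = vect_style_decrypt(key, vect_style_encrypt(key, plaintext))
    if len(plaintext) <= CHUNK_THRESHOLD:
        return [recovered == plaintext]
    return [a == b for a, b in zip(split_chunks(plaintext), split_chunks(recovered))]


def bitflip_passes_unnoticed(key):
    """With no MAC, a flipped ciphertext bit flips the plaintext bit and raises no error."""
    nonce, pt = os.urandom(NONCE_LEN), b"transfer 100 USD"
    ct = bytearray(chacha20_ietf_xor(key, nonce, pt))
    ct[9] ^= 0x01                          # '1' (0x31) becomes '0' (0x30) in the plaintext
    return chacha20_ietf_xor(key, nonce, bytes(ct)) == b"transfer 000 USD"


if __name__ == "__main__":
    key = os.urandom(32)
    print("RFC 8439 KAT:", rfc8439_block_known_answer())
    print("100 KB file:", recoverable_chunks(key, os.urandom(100 * 1024)))
    print("256 KB file:", recoverable_chunks(key, os.urandom(256 * 1024)))
    print("bit flip unnoticed:", bitflip_passes_unnoticed(key))
```

For the 256 KB case the result is `[False, False, False, True]`: with the key in hand and the stored nonce, only the fourth chunk decrypts, while the other three are keystream under nonces that no longer exist anywhere. The trailer check is also the length check from the paragraph above: the model's output is plaintext length plus 12 bytes, with no 16-byte tag, which is what a raw stream cipher looks like on disk.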

Beyond the encryption flaw, CPR identified several further bugs and design failures. The advertised encryption speed modes (--fast, --medium, --secure) are parsed but silently ignored: every run applies the same hardcoded thresholds regardless of which mode the operator selects. The researchers also found string obfuscation that cancels itself out, anti-analysis code that can never be reached, and a thread scheduler that degrades the very encryption performance it was meant to improve.

VECT is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming its first two victims in January 2026, the group gained attention through a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026 that injected malware into popular software packages such as Trivy, Checkmarx's KICS, LiteLLM, and Telnyx. VECT also announced a partnership with BreachForums, promising every registered forum user affiliate access to the ransomware, negotiation platform, and leak site.

Despite these ambitious moves, VECT's leak site currently lists only two victims, both originating from the TeamPCP supply chain attacks. The group claims to have built all three lockers from scratch, with version 2.0 released in February 2026 supporting Windows, Linux, and ESXi hypervisors. A forum post also mentions dedicated "Cloud Lockers" for affiliates who prove their skills through a quiz or puzzle challenge.

The discovery of this critical encryption flaw underscores the gap between VECT's professional facade and its amateur execution. As CPR notes, the ransomware is not a technically sophisticated service, and the nonce-handling bug effectively makes it a wiper for any organization that falls victim: paying the ransom cannot bring back a file above 128 KB. For analysts, the finding is a reminder to verify a locker's cryptography against the primitive it actually calls rather than the cipher it advertises; in a stream cipher, a nonce that is never written down is as fatal to recovery as a lost key.

Synthesized by Vypr AI