A new investigation by Check Point Research (CPR) has revealed that the “ambitious” VECT 2.0 ransomware—currently targeting Windows, Linux, and ESXi systems—is fundamentally broken. While the group behind the malware aims for large-scale distribution through an open-affiliate model, a series of critical engineering blunders has transformed their “encryption” tool into a permanent data wiper.
The report details a threat actor with high operational goals but a “cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run”.
The most alarming discovery is a critical flaw in how VECT handles any file larger than 128 KB. Due to an identical error across all three platform variants, the ransomware effectively destroys data rather than securing it for ransom.
As Check Point Research details, “A critical flaw in the encryption implementation… discards three of four decryption nonces for every file above 131,072 bytes (128 KB). Full recovery is impossible for anyone, including the attacker”.
For enterprise victims, this is a worst-case scenario. Common assets such as virtual machine disks, databases, and backups—which almost always exceed the 128 KB threshold—are “irrecoverably destroyed at the moment of encryption”.
The technical gap between VECT’s marketing and its actual code is vast. While initial advertisements and some public threat intelligence reports claimed the ransomware used sophisticated ChaCha20-Poly1305 AEAD encryption, CPR’s analysis found a much more reckless implementation.
The malware actually uses raw ChaCha20-IETF (RFC 8439) with “no authentication” and “no integrity protection”. Although the Linux and ESXi variants offer operators --fast, --medium, and --secure speed modes, these are “parsed and then silently ignored” in favor of identical hardcoded thresholds. The authors even implemented an “overly aggressive thread scheduler that actively harms encryption throughput”.
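To make the nonce flaw and the raw-ChaCha20 point above concrete, here is an added illustration (not code from the CPR report or from the malware) of why a discarded nonce defeats recovery even for whoever holds the key: a minimal pure-Python ChaCha20-IETF (RFC 8439) encrypts a constructed file in chunks under distinct nonces, then keeps only the first nonce for files above 131,072 bytes, as the report describes. The four-chunk split, the per-chunk nonces and the key are assumptions made for the demonstration.

```python
import struct

THRESHOLD = 131_072  # 128 KB: the size above which the report says nonces are discarded
CHUNKS = 4           # assumption: one nonce per quarter of a large file ("three of four" lost)

def _rotl(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))
def _qr(s, a, b, c, d):  # RFC 8439 quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # 64-byte keystream block for a 32-byte key, 32-bit counter and 96-bit nonce (ChaCha20-IETF)
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(state, w)])

def chacha20_xor(key, nonce, data, counter=1):
    # raw ChaCha20: XOR with keystream, no Poly1305 tag, so nothing detects tampering or a wrong nonce
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def encrypt_file(key, data, nonces):
    # small files: one chunk, one nonce; large files: CHUNKS chunks, each under its own nonce
    if len(data) <= THRESHOLD:
        return [chacha20_xor(key, nonces[0], data)]
    n = -(-len(data) // CHUNKS)
    return [chacha20_xor(key, nonces[i], data[i * n:(i + 1) * n]) for i in range(CHUNKS)]

def store_nonces(nonces, size):
    # models the reported defect: for files above the threshold only the first nonce is kept
    return nonces[:1] if size > THRESHOLD else nonces
def decrypt_file(key, chunks, stored):
    # a chunk whose nonce was never stored cannot be recovered, even with the correct key
    return [chacha20_xor(key, stored[i], c) if i < len(stored) else None for i, c in enumerate(chunks)]

def simulate(size):
    # encrypt a constructed file of `size` bytes, keep nonces as the flawed code does, try to recover
    key = bytes(range(32))                                    # constructed key
    nonces = [bytes([0x40 + i]) * 12 for i in range(CHUNKS)]  # constructed, distinct per chunk
    data = (bytes(range(256)) * (size // 256 + 1))[:size]
    parts = decrypt_file(key, encrypt_file(key, data, nonces), store_nonces(nonces, size))
    return b"".join(p for p in parts if p is not None) == data, sum(p is None for p in parts)
```

`simulate(size)` returns whether the file came back intact and how many chunks were lost; at exactly 131,072 bytes everything is recoverable, one byte more and three quarters of the file are gone for good.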
Despite these severe technical limitations, VECT remains a significant threat due to its aggressive distribution infrastructure, including the TeamPCP supply-chain campaign. CPR warns that the current “wiper” state of the malware may only be a temporary phase.
“The current implementation has severe limitations but those can be corrected in a future version, and the distribution infrastructure to deploy such a version at scale already exists,” the report concludes.