Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error
The emerging ransomware has been deployed against victims of the TeamPCP supply chain attacks, but organizations should think twice before paying for a decryptor.
Elizabeth Montalbano,Contributing Writer
April 29, 2026
6 Min Read
The latest variant of an emerging ransomware may be far more destructive than its operators intended: it acts as a wiper that destroys many of an organization's files instead of encrypting them, as typical ransomware does. That makes recovery impossible for defenders while undermining the attackers' own ability to hold files for ransom.
The Vect 2.0 variant of the ransomware-as-a-service (RaaS) operation, which first appeared last December, has a flaw, present in its Windows, Linux, and VMware ESXi versions alike, that inadvertently and permanently destroys so-called "large files" rather than encrypting them, according to a report published this week by Check Point Software.
For any file of 128KB or larger, "this effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included," according to the report. Check Point has confirmed that the flaw, which "discards three of four decryption nonces for every file above 131,072 bytes (128 KB)," is identical across all three platform variants.
The Vect Flaw, Unpacked
The flaw lies in how Vect handles nonces in its ChaCha20-IETF encryption scheme: the malware encrypts four independent chunks of each "large file" under four freshly generated random 12-byte nonces, but appends only the final nonce to the encrypted file on disk, according to Check Point.
"The first three nonces, each required to decrypt its respective chunk, are generated, used, and silently discarded," according to the report. "They are never stored on disk, in the registry, or transmitted to the operator."
ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to decrypt each chunk of data, so the first three quarters of every large file are unrecoverable by anyone, even the ransomware operators themselves. "Since the vast majority of operationally critical files exceed this 'large-size' threshold, Vect 2.0 functions in practice as a data wiper with a ransomware facade," according to Check Point.
The variant also shows other signs of incomplete implementation, such as encryption modes that are parsed but never applied, string obfuscation routines that accidentally cancel themselves out, and a cipher that is incorrectly described in public reporting, according to the report.
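To make the consequence concrete, here is an added simulation (not code from Check Point or from the malware) of the file layout the report describes: four chunks, four fresh nonces, only the last one written to disk, beside the corrected layout that keeps all four. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for ChaCha20-IETF, since the loss depends only on nonce handling, not on the cipher; the key, file contents and chunking are constructed for the demo.

```python
import hashlib
import hmac
import os

NONCE_LEN, CHUNKS = 12, 4          # ChaCha20-IETF 12-byte nonce; four independent chunks
LARGE_FILE = 131072                # 128 KB "large file" cutoff reported by Check Point
SAMPLE_KEY = hashlib.sha256(b"constructed demo key").digest()  # constructed 32-byte key

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT ChaCha20.
    It models the one property that matters here: the exact (key, nonce) pair
    is needed to reproduce the keystream, so a lost nonce means lost data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "little"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def chunk_bounds(length: int) -> list:
    return [length * i // CHUNKS for i in range(CHUNKS + 1)]  # four ranges covering the file

def encrypt_large(data: bytes, key: bytes, keep_all_nonces: bool) -> bytes:
    """Encrypt a large file as four chunks, each under a fresh random nonce.
    keep_all_nonces=False mirrors the Vect 2.0 behaviour the report describes:
    only the fourth nonce is appended to the file; the other three are dropped."""
    bounds = chunk_bounds(len(data))
    nonces = [os.urandom(NONCE_LEN) for _ in range(CHUNKS)]
    body = b"".join(keystream_xor(key, n, data[a:b])
                    for n, a, b in zip(nonces, bounds, bounds[1:]))
    return body + (b"".join(nonces) if keep_all_nonces else nonces[-1])

def decrypt_large(blob: bytes, key: bytes, stored: int) -> list:
    """What a decryptor holding the correct key recovers from the file on disk,
    given `stored` trailing nonces (1 = Vect layout, CHUNKS = corrected layout).
    Returns one entry per chunk: plaintext, or None where the nonce is gone."""
    body, trailer = blob[:-NONCE_LEN * stored], blob[-NONCE_LEN * stored:]
    found = [trailer[i:i + NONCE_LEN] for i in range(0, len(trailer), NONCE_LEN)]
    nonces = [None] * (CHUNKS - stored) + found   # only the final chunk(s) keep a nonce
    bounds = chunk_bounds(len(body))
    return [keystream_xor(key, n, body[a:b]) if n is not None else None
            for n, a, b in zip(nonces, bounds, bounds[1:])]

def recoverable_bytes(parts: list) -> int:
    """Bytes a paying victim actually gets back: chunks whose nonce survived."""
    return sum(len(p) for p in parts if p is not None)

def sample_file(size: int = LARGE_FILE + 1) -> bytes:
    """Constructed stand-in for a VM disk or database, just over the threshold."""
    return bytes(i % 251 for i in range(size))
```

With the Vect layout, `decrypt_large` returns `None` for the first three chunks even though the key is correct; only the corrected layout restores the whole file.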
Attackers and Defenders Both Affected
The wiper flaw creates a scenario where a decryption key is utterly useless. For this reason, it's likely that it was not the intention of the operators to create a wiper instead of ransomware, since "once that becomes known, people will be less likely to pay the ransom," Eli Smadja, group manager, products R&D at Check Point, tells Dark Reading.
For defenders, this makes the situation slightly worse: they can no longer recover all of their files even if they agree to pay the ransom, Check Point says. "Victims who pay the ransom cannot receive a working decryptor for their largest files, not through operator deception, but because the information required for decryption was irrecoverably destroyed at the moment of encryption."
Victims would likely realize they cannot recover their files only after the ransom is paid and the decryption key fails to work, which is why Check Point considered it so important to report the flaw in Vect, Smadja says.
In essence, "victims who pay get nothing back," according to a separate post by researchers at Secure.com, in response to the Check Point findings. This is especially troubling because Vect targets organizations that have critical operational or personal data and often limited downtime tolerance, including those in the manufacturing, education, healthcare, and technology sectors, reads the post.
"These are exactly the environments where file destruction, not mere encryption, causes the most irreversible damage," the team at Secure.com wrote.
Vect's Ambitious Start Gone Wrong
Vect ransomware first appeared on a Russian-language cybercrime forum late last year and quickly claimed its first two victims in January 2026, according to Check Point. Last month, the group again gained attention when it unveiled a partnership with TeamPCP, the actor behind several recent supply-chain attacks that injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM and Telnyx, affecting a large base of downstream consumers.
"Shortly after these attacks made headlines, VECT made a post on BreachForums, announcing their partnership with TeamPCP, with the goal to exploit the companies affected by those supply chain attacks," according to Check Point. At the time, a researcher told Dark Reading that the alliance was a boon in that it would give them access to potentially millions of victims who can be infected with their ransomware through TeamPCP's RAT.
The flaw in Vect 2.0 may put a dent in plans to collect ransoms on any of those potential victims, however. Combined with the other issues found in its latest ransomware variant, Check Point's findings "paint a picture of a group with operational ambition, reflected in the BreachForums open-affiliate model and the TeamPCP supply-chain campaign, but with cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run," the report stated.
Extra Caution for Organizations
Because paying a ransom does not work with Vect 2.0, organizations must focus on prevention and recovery preparation to mitigate any damage that can occur if they're on the receiving end of an attack by the RaaS group.
"Prevention is the better path — this goes from training employees in social engineering awareness to vulnerability management, comprehensive security monitoring, e.g. through EDRs, and proven incident response plans," Smadja says. Moreover, defenders should maintain offline, immutable backups stored completely separate from the organization's primary network and test restoration procedures regularly, according to Secure.com. The company also recommended that those using ESXi isolate management interfaces from the rest of the network, limit which accounts can access virtualization infrastructure, and apply strict multi-factor authentication on all administrative logins.
For Windows systems, security teams should monitor for PowerShell-based disabling of Windows Defender, event log clearing activity, and suspicious safe-mode boot configuration changes, all of which are key behavioral indicators of Vect ransomware and will alert them early to a problem.
Finally, all organizations should validate the integrity of third-party software dependencies. According to Secure.com, "Given Vect's partnership with TeamPCP, supply chain compromise is a confirmed entry vector."
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.