10 Shocking Facts About the VECT Ransomware That Accidentally Wipes Data


When ransomware groups promise encryption, victims expect a path—however painful—to recovery. But what if the encryption itself is broken beyond repair, leaving everyone—including the attackers—unable to restore files? That's exactly what Check Point Research uncovered in the VECT ransomware family. Originally marketed as a professional RaaS (Ransomware-as-a-Service) with cross-platform support, VECT hides a devastating flaw: for any file larger than 128 KB, the encryption nonces are silently discarded, making decryption impossible. In essence, VECT is a wiper in disguise. Here are ten critical things you need to know about this accidental data destroyer.

1. VECT Ransomware: A RaaS Born in Late 2025

The VECT ransomware first appeared in December 2025 on a Russian-language cybercrime forum, offering affiliates a turnkey extortion platform. Like many modern RaaS operations, it provided encryption tools, a negotiation portal, and a leak site—all under one roof. The group claimed its first two victims in January 2026, quickly gaining notoriety for targeting enterprises across Windows, Linux, and ESXi environments. What set VECT apart was its aggressive marketing: they promised fast, secure, and cross-platform encryption, luring affiliate teams with the allure of easy money. But beneath the polished surface lurked fundamental coding errors that would turn every ransom note into a cruel joke.

Source: research.checkpoint.com

2. A High-Profile Partnership with TeamPCP and BreachForums

In March 2026, VECT announced a partnership with TeamPCP, the group behind several supply-chain attacks that injected malware into popular open-source tools like Trivy, KICS, and LiteLLM. This alliance opened the door to a massive pool of compromised organizations already affected by those supply-chain breaches. Shortly after, VECT took to BreachForums to announce that every registered user of the forum would automatically become an affiliate—no vetting, no pressure. This reckless expansion signaled a desperate bid for scale, but it also meant that the flawed encryption now had the potential to cause widespread, irreversible data loss across hundreds of targets.

3. The Critical Flaw: Encryption That Becomes a Wiper

Check Point Research discovered that VECT 2.0 contains a catastrophic bug in its encryption implementation: for any file larger than 131,072 bytes (128 KB), the ransomware permanently discards three out of every four decryption nonces. The nonce—a unique number required to correctly decrypt a ChaCha20 cipher stream—is partially overwritten during the encryption process. Because the nonces are never stored, decryption becomes mathematically impossible. This means that even the attackers themselves cannot recover the data. For files above the 128 KB threshold, VECT doesn't just encrypt—it effectively wipes the data, leaving no chance of restoration regardless of whether a ransom is paid.

4. Misidentification of the Cipher: ChaCha20, Not Poly1305

Multiple threat intelligence reports and VECT's own advertising claimed the ransomware used ChaCha20-Poly1305 AEAD, an authenticated encryption mode that includes a Poly1305 message authentication code (MAC). In reality, VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication at all. There is no Poly1305 MAC, no integrity check. This might seem like a technical footnote, but it has serious consequences: without authentication, victims cannot verify that their encrypted files haven't been tampered with—and more importantly, the absence of a MAC means the nonce flaw went undetected during development. The group got the cipher wrong in their own marketing.

5. Speed Modes That Do Absolutely Nothing

VECT's Linux and ESXi variants feature command-line flags --fast, --medium, and --secure, suggesting that operators can choose between performance and security. In reality, these flags are parsed and then silently ignored. Every execution uses identical hardcoded thresholds regardless of which mode is selected. The advertised speed-versus-security tradeoff is a complete fabrication. This not only misleads affiliates but also hints at a development process that either cut corners or failed to implement basic feature toggles. The result? A one-speed-fits-all encryption that is no faster than the “secure” mode.

6. Identical Flaw on Three Platforms: One Codebase to Rule Them All

VECT offers variants for Windows, Linux, and ESXi (VMware vSphere), but under the hood they are all built from the same flawed engine. Check Point Research confirmed that all three platforms share identical encryption logic based on libsodium, with the same file-size thresholds, the same four-chunk processing, and the same nonce-handling bug. This confirms that VECT is a single codebase ported across operating systems, not a custom build for each. While this might simplify development, it also means that every victim—whether on a desktop, server, or virtual machine—is equally vulnerable to the wiper effect.


7. Professional Facade, Amateur Execution

Despite its slick ransomware-as-a-service front, VECT is riddled with amateur-level coding mistakes beyond the nonce flaw. Researchers found self-cancelling string obfuscation routines that end up revealing the original strings, permanently unreachable anti-analysis code that never executes, and a thread scheduler that actually degrades encryption performance instead of improving it. These bugs suggest the developers either lacked deep experience in secure coding or rushed the product to market. Either way, the result is a tool that promises professionalism but delivers chaos.

8. How the Nonce Discarding Works in Practice

To understand the flaw, we need to look at VECT's file processing logic. For files larger than 128 KB, the ransomware splits the data into four chunks. It generates a single nonce (random value) for the entire file, but only stores the first quarter of that nonce—the remaining three quarters are overwritten during encryption. ChaCha20 requires the exact nonce used at encryption time to regenerate the keystream for decryption; with any other value, the output is indistinguishable from random noise. Even if the victim pays the ransom and obtains the attacker's decryption tool, the tool cannot reconstruct the missing nonce data. Recovery is impossible for any file above the threshold—meaning databases, VM disks, documents, and backups are all permanently lost.
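The following is an added example, not code from VECT or from Check Point Research, that models the behaviour described in sections 3, 4 and 8: a pure-Python ChaCha20-IETF (RFC 8439) so it runs offline with no libsodium, a mock "encryptor" that splits files above 131,072 bytes into four chunks under four fresh nonces but writes only the first nonce into the footer, and a decryptor that can only use what was stored. The file layout, footer format, `THRESHOLD`, `CHUNKS` and all function names are assumptions that mirror the article's description, not VECT's real on-disk format. The same block also shows, for section 4, why raw ChaCha20 without a Poly1305 MAC cannot detect tampering: a flipped ciphertext bit silently flips the matching plaintext bit.

```python
"""Model of a VECT-style nonce loss and of unauthenticated ChaCha20.

Added example (not VECT's code, not CPR's code). Pure-Python RFC 8439 ChaCha20
so it runs offline; chunking and footer layout are assumptions taken from the
article's description of the flaw.
"""
import os
import struct

MASK32 = 0xFFFFFFFF
THRESHOLD = 131072   # 128 KB, the size the article reports (assumption: inclusive)
CHUNKS = 4           # four-chunk processing, as the article describes
NONCE_LEN = 12       # ChaCha20-IETF nonce length (RFC 8439)


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from state = constant | key | counter | nonce."""
    raw = b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce
    state = list(struct.unpack("<16I", raw))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 (column round + diagonal round)
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *q)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Raw ChaCha20: XOR data with the keystream. No MAC, so this is also decrypt."""
    out = bytearray()
    for off in range(0, len(data), 64):
        chunk = data[off:off + 64]
        ks = chacha20_block(key, counter + off // 64, nonce)[:len(chunk)]
        x = int.from_bytes(chunk, "big") ^ int.from_bytes(ks, "big")
        out += x.to_bytes(len(chunk), "big")
    return bytes(out)


def rfc8439_known_answer():
    """Self-check against the RFC 8439 section 2.4.2 test vector (counter = 1)."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt).hex().startswith("6e2e359a2568f98041ba0728dd0d6981")


def _chunk_size(n):
    return -(-n // CHUNKS)  # ceiling division


def flawed_encrypt(key, plaintext):
    """Model of the flaw: large files get CHUNKS fresh nonces, footer keeps only the first."""
    if len(plaintext) <= THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return chacha20_xor(key, nonce, plaintext) + nonce
    size, body, kept = _chunk_size(len(plaintext)), b"", None
    for i in range(CHUNKS):
        nonce = os.urandom(NONCE_LEN)
        if i == 0:
            kept = nonce  # nonces 2..4 are overwritten and never written anywhere
        body += chacha20_xor(key, nonce, plaintext[i * size:(i + 1) * size])
    return body + kept


def decrypt_with_footer(key, blob):
    """What any decryptor, the attacker's included, can do with the stored footer."""
    body, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    if len(body) <= THRESHOLD:
        return chacha20_xor(key, nonce, body)
    size = _chunk_size(len(body))
    return b"".join(chacha20_xor(key, nonce, body[i * size:(i + 1) * size])
                    for i in range(CHUNKS))


def chunk_recovery(key, plaintext):
    """Encrypt, decrypt with the footer, and report per chunk whether the data came back."""
    got = decrypt_with_footer(key, flawed_encrypt(key, plaintext))
    if len(plaintext) <= THRESHOLD:
        return [got == plaintext]
    size = _chunk_size(len(plaintext))
    return [got[i * size:(i + 1) * size] == plaintext[i * size:(i + 1) * size]
            for i in range(CHUNKS)]


def flip_bit_unnoticed(key, nonce, plaintext, byte_index, bit):
    """No Poly1305 tag: a flipped ciphertext bit becomes a flipped plaintext bit, no error."""
    ct = bytearray(chacha20_xor(key, nonce, plaintext))
    ct[byte_index] ^= 1 << bit
    return chacha20_xor(key, nonce, bytes(ct))


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    print("RFC 8439 self-check:", rfc8439_known_answer())
    print("small file recovered:", chunk_recovery(key, b"small file " * 100))
    print("large file per-chunk:", chunk_recovery(key, bytes(range(256)) * 520))
    print("tampered plaintext:", flip_bit_unnoticed(key, bytes(12), b"amount=100", 7, 0))
```

Running the script shows the shape of the problem rather than any particular victim's data: the small file round-trips, the file just over the threshold returns `[True, False, False, False]`, and the last three quarters are unrecoverable because the 96-bit nonces that produced them exist nowhere. The tampering call returns `amount=000` with no error, which is what the missing MAC in section 4 means in practice: neither the victim nor the operator can tell whether a ciphertext is intact, so a broken nonce path produces no failure signal during development.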

9. Full Recovery Is Impossible—Even for the Attacker

Because the missing nonces are never stored anywhere, decryption is mathematically infeasible for both the victim and the ransomware operators. This is not a case where a skilled researcher might brute-force a key—the information simply does not exist. The threshold of 128 KB is pathetically low: any file containing meaningful data—spreadsheets, images, PDFs, database exports—will exceed that size. As a result, VECT transforms into a wiper for nearly all real-world assets. Enterprises relying on backups should note: those backups, if caught by the ransomware, are equally destroyed. Paying a ransom offers zero hope of data recovery.

10. Additional Bugs and Design Failures

Even if the nonce flaw were fixed, VECT suffers from a half-dozen other issues that undermine its reliability. For example, the encryption is not atomic—an interrupted operation can leave files in an inconsistent state, neither fully encrypted nor fully intact. The anti-analysis code is so obviously dead (e.g., conditional branches that always evaluate the same way) that sandboxes easily bypass it. And the thread-synchronization mechanism is so inefficient that it actually slows down encryption on multi-core systems. Taken together, these failures paint a picture of a product that was never properly tested or reviewed. It's a cautionary tale of what happens when cybercriminals prioritize speed over quality.

Conclusion: The VECT ransomware serves as a stark reminder that even the most dangerous tools can be sabotaged by their own code. While ransomware victims often weigh the risk of paying a ransom against the cost of data loss, VECT removes that choice entirely: if your files exceed 128 KB, they are gone forever. The group's partnerships with supply-chain attackers and open affiliate model raise the stakes, potentially exposing thousands of organizations to irreversible damage. Security teams should monitor for VECT samples and prioritize immutable backups as a defense. In the end, the most effective protection against a wiper—accidental or not—is a robust offline backup strategy.
