VECT 2.0 ransomware destroys large files instead of encrypting them, researchers warn


VECT 2.0 is being sold as ransomware, but new analysis shows it can permanently destroy large files on Windows, Linux, and VMware ESXi systems. Check Point Research found that the malware breaks its own encryption process for files larger than 131,072 bytes, which is 128 KB.

The issue means many affected files cannot be decrypted, even by the attackers. Paying a ransom cannot restore data whose encryption material the malware has already discarded.

This makes VECT 2.0 more dangerous than ordinary ransomware in real-world incidents. It still drops ransom notes and uses extortion tactics, but for many business files, it behaves like a wiper.

What makes VECT 2.0 different

Ransomware usually locks files and keeps the information needed to unlock them. VECT 2.0 fails at that basic model because it discards important encryption values while processing larger files.

Check Point Research found the same core flaw across the Windows, Linux, and ESXi versions. That matters because VECT 2.0 targets regular endpoints, servers, and virtualized environments used by enterprises.

The affected file size threshold is low. Many documents, spreadsheets, images, databases, archives, backups, and virtual machine files exceed 128 KB, so the issue can hit data that companies rely on most.

At a glance

Threat name: VECT 2.0
Threat type: Ransomware-as-a-Service with wiper-like behavior
Affected platforms: Windows, Linux, VMware ESXi
File size affected: Files larger than 131,072 bytes, or 128 KB
Main risk: Large files can become permanently unrecoverable
Encryption issue: The malware keeps only one of four required nonces for large files
Recovery outlook: Payment cannot restore files if required nonces were discarded

How the encryption flaw destroys files

VECT 2.0 uses ChaCha20-IETF encryption through the libsodium cryptographic library. Check Point says earlier public claims describing the malware as using ChaCha20-Poly1305 were incorrect.

For small files, the malware encrypts the full file in one pass and stores the required nonce at the end of the file. That design can allow decryption if the attacker has the correct key.

For larger files, VECT splits the file into four chunks and encrypts those chunks separately. Each chunk receives a fresh 12-byte nonce, but the malware only saves the final one. The first three are overwritten and lost.

Why paying does not solve the problem

ChaCha20 needs the correct key and the matching nonce to reverse encryption. If the nonce disappears, the file cannot be fully restored through normal decryption.

That is why VECT 2.0 creates a serious recovery problem. For large files, three of the four encrypted chunks lose the information needed for recovery. The attackers cannot hand over what their own malware failed to store.

In practical terms, the ransom demand can become meaningless. A victim may pay and still lose large files because the malware damaged them during encryption.
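As an added illustration of the flaw described in the two sections above (this is example code written for this article, not code from Check Point or from the malware), a pure-Python ChaCha20-IETF implementation per RFC 8439 is used to model the chunking behaviour: inputs above the 128 KB threshold are split into four chunks, each chunk gets a fresh 12-byte nonce, only the last nonce is appended, and a decryptor holding the correct key recovers only the fourth chunk. Equal-sized chunks, the single-pass path for small files, and all function names are assumptions made for the example.

```python
import struct

MASK = 0xFFFFFFFF
LARGE_FILE_THRESHOLD = 131072  # 128 KB: above this, VECT 2.0 switches to four-chunk mode
CHUNKS, NONCE_LEN = 4, 12      # chunk count and ChaCha20-IETF nonce size
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    # One ChaCha quarter round (RFC 8439, section 2.1), applied to the state in place.
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    # ChaCha20-IETF block function: 32-byte key, 12-byte nonce, 32-bit block counter.
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + init[i]) & MASK for i in range(16)))

def chacha20_xor(key, nonce, data):
    # Stream cipher: XOR data with the keystream. The same call encrypts and decrypts.
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), 64)):
        piece, ks = data[off:off + 64], chacha20_block(key, nonce, blk)
        out += (int.from_bytes(piece, "little") ^ int.from_bytes(ks[:len(piece)], "little")).to_bytes(len(piece), "little")
    return bytes(out)

def vect_style_encrypt(key, data, nonces, threshold=LARGE_FILE_THRESHOLD):
    # Model of the described behaviour: one pass for small files; four chunks with fresh nonces for large files, only the last nonce appended (equal-sized chunks assumed).
    if len(data) <= threshold:
        return chacha20_xor(key, nonces[0], data) + nonces[0]
    size = -(-len(data) // CHUNKS)
    body = b"".join(chacha20_xor(key, nonces[i], data[i * size:(i + 1) * size]) for i in range(CHUNKS))
    return body + nonces[CHUNKS - 1]   # nonces 0..2 are never stored anywhere

def best_effort_decrypt(key, blob, threshold=LARGE_FILE_THRESHOLD):
    # What a decryptor that holds the key can do with the single stored nonce.
    body, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    if len(body) <= threshold:
        return [chacha20_xor(key, nonce, body)]
    size = -(-len(body) // CHUNKS)
    return [chacha20_xor(key, nonce, body[i * size:(i + 1) * size]) for i in range(CHUNKS)]

def chunk_recovery(key, data, nonces, threshold=LARGE_FILE_THRESHOLD):
    # Per-chunk outcome of encrypt-then-decrypt: True only where the stored nonce is the right one.
    parts = best_effort_decrypt(key, vect_style_encrypt(key, data, nonces, threshold), threshold)
    size = -(-len(data) // len(parts))
    return [p == data[i * size:(i + 1) * size] for i, p in enumerate(parts)]  # large file: [False, False, False, True]
```

Calling `chunk_recovery` with a constructed input above the threshold and four random nonces shows the first three chunks failing and only the fourth decrypting, which is the practical meaning of "three of the four encrypted chunks lose the information needed for recovery".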

Windows, Linux, and ESXi behavior

The Windows version targets local, removable, and network-accessible storage. It also includes persistence, cleanup, and lateral movement functions, including methods based on WMI, DCOM, SMB, scheduled tasks, services, and PowerShell remoting.

The Windows locker also contains anti-analysis checks aimed at security tools and debuggers. However, Check Point found that some of those checks exist in the compiled malware but do not actually run in the analyzed build.

The ESXi version targets VMware environments and defaults to the /vmfs/volumes path. It can also attempt SSH-based lateral movement. The Linux version uses much of the same codebase as the ESXi variant, but with a smaller feature set.

VECT 2.0 is trying to scale through affiliates

VECT 2.0 appeared as a Ransomware-as-a-Service operation in late 2025 and rebranded with a more polished public-facing identity. DSCI described it as using an “Exfiltration / Encryption / Extortion” model.

The group has also promoted partnerships with BreachForums and TeamPCP. Check Point said VECT promised access to its ransomware platform for registered BreachForums users, which could lower the barrier for less skilled attackers.

Dataminr described the VECT, BreachForums, and TeamPCP arrangement as part of a broader move toward industrialized ransomware deployment. The concern is not only the current malware quality, but the distribution network behind it.

Why security teams should take it seriously

VECT 2.0 appears technically flawed, but that does not make it harmless. The malware can still disrupt systems, rename files, drop ransom notes, and destroy data.

It also supports multi-platform attacks, which creates risk for organizations running mixed Windows, Linux, and ESXi infrastructure. In VMware environments, damage to virtual machine files can affect many workloads at once.

The group could also improve future versions. If the operators fix the broken encryption logic while keeping the same affiliate and supply-chain access channels, VECT could become a more conventional ransomware threat.

  • Do not treat ransom payment as a reliable recovery option in VECT 2.0 incidents.
  • Keep offline and immutable backups for critical systems.
  • Test backup restoration regularly, especially for databases, archives, and virtual machine images.
  • Monitor for the .vect file extension and VECT ransom notes.
  • Check for suspicious lateral movement through SSH, WMI, DCOM, SMB, scheduled tasks, and PowerShell remoting.
  • Rotate credentials that may have been exposed through supply-chain compromise.
  • Segment ESXi hosts and restrict administrative access to hypervisors.
  • Review endpoint detections for safe-mode persistence and attempts to disable security tools.

Enterprise impact

The biggest impact comes from the mismatch between VECT’s ransom message and its actual technical behavior. Victims may think they are negotiating for a decryptor, but many important files may already be beyond recovery.

This changes the incident response priority. Organizations should focus on containment, forensic review, credential rotation, and restoration from clean backups instead of relying on negotiation.

The case also shows how new ransomware groups can look professional while still making severe engineering mistakes. A polished leak site, affiliate panel, and dark web marketing do not prove that the malware works as advertised.

FAQ

What is VECT 2.0 ransomware?

VECT 2.0 is a Ransomware-as-a-Service operation that targets Windows, Linux, and VMware ESXi systems. It uses extortion tactics and claims to encrypt victim data.

Which platforms does VECT 2.0 target?

VECT 2.0 has separate variants for Windows, Linux, and VMware ESXi. The same large-file encryption flaw affects all three.

Can victims recover files by paying the ransom?

Payment cannot guarantee recovery. If VECT 2.0 destroyed the required nonce data, the attackers cannot provide a working decryptor for affected large files.

Why does VECT 2.0 act like a wiper?

For files larger than 128 KB, VECT 2.0 discards three required encryption nonces. Without those values, large files cannot be fully decrypted.
