
Critical Vect Ransomware Flaw Unlocks Data-Wiping Mode

Originally published on: April 30, 2026
Summary

– Vect 2.0 ransomware permanently destroys files larger than 128 KB instead of encrypting them, making recovery impossible even for attackers.
– The flaw stems from a coding error in the encryption implementation that discards three of four decryption nonces, using raw ChaCha20 without authentication.
– Vect is a ransomware-as-a-service program that first appeared in December 2025 on a Russian-language cybercrime forum and was discovered in early January 2026.
– The group partnered with TeamPCP for supply-chain attacks and with BreachForums, granting all registered users affiliate access to the ransomware.
– Check Point Research confirmed the encryption flaw exists across all Vect versions and platforms (Windows, Linux, ESXi), alongside other bugs like self-cancelling obfuscation and poor thread scheduling.

A critical flaw in the Vect 2.0 ransomware has turned the program into an unintentional data wiper, permanently destroying large files rather than encrypting them for ransom. This bug makes recovery impossible for victims and even renders the attackers powerless to restore the data.

The vulnerability, which appears to be an accidental coding error, was uncovered by Check Point Research during an analysis of the latest iteration of the ransomware. Vect operates as a ransomware-as-a-service (RaaS) model, first surfacing in December 2025 on a Russian-language cybercrime forum and catching the attention of security researchers by early January 2026.

The group quickly gained notoriety after announcing a partnership with TeamPCP, the threat actor behind several high-profile supply-chain attacks targeting tools like Trivy, Checkmarx’s KICS, LiteLLM, and Telnyx in March and April 2026. On top of that, Check Point reported that Vect also struck a deal with BreachForums, promising every registered user affiliate status with full access to the ransomware, negotiation platform, and leak site.

“As of April 2026, this partnership is in full effect,” the Check Point researchers noted in a report published on April 28.

Vect 2.0’s Ambitious RaaS Vision Undermined by Poor Code

Following its rapid rise, Vect released version 2.0 of its ransomware lockers in February 2026. Written in C++, the lockers support Windows, Linux, and VMware ESXi hypervisors, and the group asserts that all three were built from scratch.

“Additionally, a forum post mentions that dedicated ‘cloud Lockers,’ likely targeting various cloud storage services, will be made available for affiliates that will prove their skills through a quiz or puzzle challenge in the near future,” the researchers added.

After acquiring the Vect ransomware builder via BreachForums, Check Point analyzed the three payloads and discovered a devastating flaw. Any file larger than 131,072 bytes (128 KB) is permanently destroyed instead of encrypted. This happens because the encryption implementation discards three out of four decryption nonces, the one-time secret numbers essential for ensuring each cryptographic session remains unique.

The researchers found that the cipher used is actually raw ChaCha20-IETF (RFC 8439) with no authentication, not the ChaCha20-Poly1305 AEAD advertised by the group and cited in some threat intelligence reports.

“There is no Poly1305 MAC and no integrity protection. This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as virtual machine (VM) disks, databases, documents and backups included,” the Check Point team stated.

The flaw is present across all publicly available Vect versions and on all three targeted platforms. All variants share an identical encryption design based on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling bug, “confirming a single codebase ported across platforms,” the report noted.
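To show why discarded nonces make the data unrecoverable even with the correct key, here is an added illustration that is not from the Check Point report or the Vect code: a pure-Python ChaCha20-IETF (RFC 8439, raw stream, no Poly1305) applied to a four-chunk model of the reported design. The equal-size chunk layout, which nonce survives, and the all-zero guess for a missing nonce are assumptions; the report does not give the on-disk format.

```python
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block of ChaCha20-IETF (RFC 8439): 32-byte key, 12-byte nonce."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *idx)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])

def chacha20_xor(key, nonce, data):
    """Raw ChaCha20: XOR with the keystream. No Poly1305 tag, so nothing detects a wrong key or nonce."""
    out = bytearray(data)
    for off in range(0, len(data), 64):
        block = chacha20_block(key, off // 64, nonce)
        for i in range(min(64, len(data) - off)):
            out[off + i] ^= block[i]
    return bytes(out)

def encrypt_four_chunks(key, data):
    """Model of the reported design (assumed layout): the buffer is split into four chunks,
    each encrypted under its own random 12-byte nonce. Returns ciphertext, nonces, chunk size."""
    size = -(-len(data) // 4)  # ceiling division
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    nonces = [os.urandom(12) for _ in chunks]
    return b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, chunks)), nonces, size

def recover(key, blob, stored_nonces, size):
    """Decrypt with whatever nonces survived. A discarded nonce is modelled as an all-zero guess;
    without a MAC the wrong keystream is applied silently and the chunk comes back as noise."""
    out = b""
    for i, off in enumerate(range(0, len(blob), size)):
        nonce = stored_nonces[i] if i < len(stored_nonces) else bytes(12)
        out += chacha20_xor(key, nonce, blob[off:off + size])
    return out
```

With all four nonces the buffer round-trips; with only one retained, the first chunk decrypts and the remaining three come back as keystream noise of the right length, with no error raised, which is the wiper behaviour the report describes.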

Beyond the wiping issue, Check Point identified multiple other bugs and design failures in Vect 2.0, including self-cancelling string obfuscation, permanently unreachable anti-analysis code, and a thread scheduler that actually degrades the encryption performance it was meant to improve.

“Vect 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation,” the Check Point report concluded.

(Source: Infosecurity Magazine)
