Broken VECT 2.0 ransomware wipes large files instead of encrypting

▼ Summary
– VECT 2.0 ransomware has a flaw in its encryption nonce handling that permanently destroys larger files instead of encrypting them.
– VECT operators partnered with TeamPCP, a threat group behind supply-chain attacks on Trivy, LiteLLM, Telnyx, and the European Commission.
– Because of the nonce flaw, only the last 25% of a large file is recoverable; the lost nonces are never sent to the attackers either, so decryption is impossible even if the ransom is paid.
– Most valuable enterprise files, such as VM disks, databases, and backups, exceed 128 KB, making VECT’s impact catastrophic as a data wiper.
– The nonce-handling flaw exists in all VECT 2.0 variants, including Windows, Linux, and ESXi, causing the same data-wiping behavior across platforms.
Security researchers have uncovered a critical flaw in the VECT 2.0 ransomware that causes it to permanently destroy large files instead of encrypting them. This bug, rooted in how the malware handles encryption nonces, means that for many victims, the attack is more of a data wiper than a ransomware infection.
The VECT ransomware has been actively promoted on a recent iteration of BreachForums. The operators invited registered users to become affiliates, distributing access keys via private messages to those who expressed interest. At one point, the VECT team announced a partnership with TeamPCP, the threat group behind recent supply-chain attacks on Trivy, LiteLLM, and Telnyx, as well as an incident targeting the European Commission. According to the announcement, VECT’s goal was to exploit victims of those supply-chain compromises by deploying ransomware payloads in their environments and to conduct larger supply-chain attacks against other organizations.
The flaw lies in how VECT 2.0 processes encryption for files larger than 128 KB. To speed up encryption, the ransomware divides such files into four chunks and encrypts each chunk using a unique nonce (a number used once). However, because all chunk encryptions use the same memory buffer for the nonce output, each new nonce overwrites the previous one. Once all chunks are processed, only the last nonce remains in memory, and only that one is written to disk.
This means that only the final 25% of a large file is recoverable. The previous three chunks are permanently lost because their nonces have been overwritten and are not stored anywhere. Critically, those lost nonces are not transmitted to the attacker either. So even if the VECT operators wanted to decrypt files for victims paying the ransom, they would be unable to do so.
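The following Python model is an added illustration of the buffer-reuse bug described above; it is not VECT's code and not Check Point's analysis tooling. It keeps the two facts the article gives (a 128 KB threshold and four chunks per large file) and assumes everything else: a 12-byte nonce, a stand-in keystream built from SHA-256(key || nonce || counter) in place of whatever cipher VECT actually uses, and a file layout in which the nonce is appended after the ciphertext. `encrypt_buggy` writes every chunk's nonce into one shared buffer, so only the final nonce is stored; `recover_buggy` then shows that only the last chunk comes back. `encrypt_fixed`/`decrypt_fixed` is the corrected layout with one stored nonce per chunk, for contrast.

```python
"""Model of the VECT 2.0 nonce-handling flaw (added example, not the malware's code)."""
import hashlib

LARGE_FILE_THRESHOLD = 128 * 1024   # files above this are chunked (from the article)
CHUNKS = 4                          # chunks per large file (from the article)
NONCE_LEN = 12                      # assumption: the article gives no nonce size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || nonce || counter) blocks.
    Assumption, NOT VECT's cipher; it only models 'same key, different nonce,
    different keystream', which is all the bug needs."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def split_chunks(data: bytes, n: int) -> list[bytes]:
    """Split into n near-equal chunks; any remainder goes into the last one (assumed split)."""
    size = len(data) // n
    chunks = [data[i * size:(i + 1) * size] for i in range(n - 1)]
    chunks.append(data[(n - 1) * size:])
    return chunks


def fresh_nonce() -> bytes:
    import os
    return os.urandom(NONCE_LEN)


def encrypt_buggy(data: bytes, key: bytes) -> bytes:
    """Models the flaw: each chunk's nonce lands in the same buffer, and only the
    buffer's final contents are appended to the output, so nonces 1..3 are lost."""
    if len(data) <= LARGE_FILE_THRESHOLD:
        nonce = fresh_nonce()
        return xor(data, keystream(key, nonce, len(data))) + nonce
    nonce_buf = bytearray(NONCE_LEN)            # one shared buffer for all chunks
    body = bytearray()
    for chunk in split_chunks(data, CHUNKS):
        nonce_buf[:] = fresh_nonce()            # overwrites the previous chunk's nonce
        body += xor(chunk, keystream(key, bytes(nonce_buf), len(chunk)))
    return bytes(body) + bytes(nonce_buf)       # only the last nonce reaches disk


def recover_buggy(blob: bytes, key: bytes) -> list[bytes]:
    """Best-effort decryption of buggy output: the one stored nonce is all a
    decryptor (or the attacker) has, so it is applied to every chunk."""
    body, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    if len(body) <= LARGE_FILE_THRESHOLD:
        return [xor(body, keystream(key, nonce, len(body)))]
    return [xor(c, keystream(key, nonce, len(c))) for c in split_chunks(body, CHUNKS)]


def recovered_chunks(original: bytes, blob: bytes, key: bytes) -> list[bool]:
    """Per chunk of a large file: did the buggy round trip give the plaintext back?"""
    return [r == o for r, o in zip(recover_buggy(blob, key), split_chunks(original, CHUNKS))]


def encrypt_fixed(data: bytes, key: bytes) -> bytes:
    """Corrected layout (assumed): a fresh nonce per chunk, all of them stored in a footer."""
    if len(data) <= LARGE_FILE_THRESHOLD:
        nonce = fresh_nonce()
        return xor(data, keystream(key, nonce, len(data))) + nonce
    body, footer = bytearray(), bytearray()
    for chunk in split_chunks(data, CHUNKS):
        nonce = fresh_nonce()                   # distinct object, never overwritten
        body += xor(chunk, keystream(key, nonce, len(chunk)))
        footer += nonce
    return bytes(body) + bytes(footer)


def decrypt_fixed(blob: bytes, key: bytes) -> bytes:
    if len(blob) - NONCE_LEN <= LARGE_FILE_THRESHOLD:
        body, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
        return xor(body, keystream(key, nonce, len(body)))
    body, footer = blob[:-CHUNKS * NONCE_LEN], blob[-CHUNKS * NONCE_LEN:]
    nonces = [footer[i * NONCE_LEN:(i + 1) * NONCE_LEN] for i in range(CHUNKS)]
    return b"".join(xor(c, keystream(key, n, len(c)))
                    for c, n in zip(split_chunks(body, CHUNKS), nonces))


if __name__ == "__main__":
    key = b"\x01" * 32                          # constructed key
    big = bytes(range(256)) * 2048              # constructed 512 KB "VM disk"
    print(recovered_chunks(big, encrypt_buggy(big, key), key))   # only the last chunk survives
    print(decrypt_fixed(encrypt_fixed(big, key), key) == big)    # corrected layout round-trips
```

Running it on the constructed 512 KB input prints `[False, False, False, True]` for the buggy path: with equal chunk sizes exactly the final 25% is recoverable, and nothing in the output, or anywhere else, lets anyone reconstruct the other three nonces. The same scaffolding with the fixed footer decrypts the whole file, which is the difference between ransomware and a wiper.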
Check Point researchers, who analyzed the malware, note that since most valuable enterprise files, including virtual machine disks, database files, and backups, exceed 128 KB, VECT’s impact as a data wiper can be catastrophic. “At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point stated.
The same nonce-handling flaw is present across all variants of VECT 2.0, including those targeting Windows, Linux, and ESXi systems. This means the data-wiping behavior applies universally, making the ransomware a particularly destructive threat for any organization it successfully infiltrates.
(Source: BleepingComputer)