VECT 2.0 Targets Windows, Linux, and ESXi and Irreversibly Destroys Files

29.04.2026 5 minutes Author: Newsman

The new version of the malware, VECT 2.0, behaves not like a classic ransomware, but actually like a wiper. Due to a critical error in encryption, victims’ files are destroyed without the possibility of recovery, even after paying the ransom.

Many threat hunters are reporting a “new wave” of ransomware attacks using VECT 2.0. Although VECT 2.0 is labeled as ransomware, the way the malware actually works makes it a wiper. Because of a major bug in how VECT encrypts, it destroys user data outright instead of leaving it recoverable, even when the attackers themselves intend to let victims get their data back.

While smaller files (less than 131 KB) are properly encrypted by VECT, large files are not encrypted in a recoverable way at all; they are rendered irretrievable. A victim who pays the ransom will therefore discover that their data cannot be restored, because no decryption key exists that could bring the lost files back.

According to Eli Smaja, director of research for Check Point Research, while VECT 2.0 is marketed as ransomware, for any file larger than 131 KB it serves as a data-wiping application. He also noted that paying for a decryption key has no practical value for recovering files, because the operators themselves lose the ability to produce the keys required to restore them.

Smaja also stated that in the event of a VECT attack, paying the attackers is not a viable option for restoring your files. “There is no decryptor that can be transmitted,” he said. “Not because the hackers don’t want to send one, but because the data required to perform the decryption process is destroyed by the operation of the malware.”

As previously reported, the VECT project — now being referred to as VECT 2.0 — utilizes a ransomware-as-a-service business model. In December 2025, the affiliate program for VECT was announced. On its darknet website, the team explicitly refers to its approach as “kidnapping, encryption and extortion”, similar to other traditional forms of ransomware attacks which rely upon the classic three-prong pressure model.

New affiliates wanting to join the program must pay a $250 deposit in Monero. Individuals from countries in the CIS region, however, are exempt from the deposit, which may indicate that the developers are trying to attract users from those specific regions.

The authors of VECT 2.0 have recently increased their activity on various darknet platforms. They have entered partnerships with BreachForums and TeamPCP, making it much easier to initiate attacks and to recruit new affiliates. As per Dataminr’s analysis, the combination of stolen supply chain data, an available RaaS platform and active recruitment provides a dangerous environment for widespread attacks.

Although the developers boast loudly about their accomplishments, only two victims appear to be listed on the leak site associated with VECT 2.0. Both were attacked using TeamPCP’s supply chain attacks.

We focused our efforts primarily on the malware’s development and technical design. Although the documentation and marketing materials for VECT 2.0 claim ChaCha20-Poly1305 AEAD encryption, it is not fully implemented in practice: a simpler encryption method is used, with no integrity check on the data.

Here is where things go wrong for VECT 2.0: for every large file it processes, the malware generates four random values but saves only one of them. The three values it discards would be required for recovery, so roughly three-quarters of each large file becomes permanently unavailable.

Therefore, it is apparent that neither the attackers nor anyone else will be able to generate a working decryptor.
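To make concrete why no working decryptor can exist once per-file secrets are discarded, here is an added model of the keying bug described above. It is not VECT’s code: the cipher is a toy SHA-256 counter keystream standing in for the real stream cipher, and the 131 KB threshold, the four-chunk layout, and the 32-byte secrets are assumptions made for illustration.

```python
import hashlib
import os

# Assumed values for this model: the article reports a 131 KB threshold and
# four random values per large file, of which only one is persisted.
SMALL_FILE_LIMIT = 131 * 1024
CHUNKS_PER_LARGE_FILE = 4


def keystream(secret: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. It stands in for the stream
    cipher; it is not VECT's cipher and is not meant for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chunk_bounds(total: int) -> list[tuple[int, int]]:
    size = -(-total // CHUNKS_PER_LARGE_FILE)  # ceiling division
    return [(i * size, min((i + 1) * size, total)) for i in range(CHUNKS_PER_LARGE_FILE)]


def encrypt_like_vect(data: bytes) -> tuple[bytes, list[bytes]]:
    """Model of the reported bug. Returns (ciphertext, secrets that survive).
    Small files: one secret, kept. Large files: four secrets, only the first kept."""
    if len(data) < SMALL_FILE_LIMIT:
        secret = os.urandom(32)
        return xor(data, keystream(secret, len(data))), [secret]
    secrets = [os.urandom(32) for _ in range(CHUNKS_PER_LARGE_FILE)]
    ct = b"".join(xor(data[lo:hi], keystream(s, hi - lo))
                  for (lo, hi), s in zip(chunk_bounds(len(data)), secrets))
    return ct, secrets[:1]  # the other three are never written anywhere


def decrypt_with_persisted(ciphertext: bytes, persisted: list[bytes]) -> tuple[bytes, float]:
    """What a decryptor holding only the persisted material can restore.
    Returns (recovered prefix, fraction recovered). Without an authentication
    tag a wrong key would yield silent garbage, so only known chunks are tried."""
    total = len(ciphertext)
    if total < SMALL_FILE_LIMIT:
        return xor(ciphertext, keystream(persisted[0], total)), 1.0
    recovered = b"".join(xor(ciphertext[lo:hi], keystream(s, hi - lo))
                         for (lo, hi), s in zip(chunk_bounds(total), persisted))
    return recovered, len(recovered) / total
```

Run against a 256 KB constructed input, the model returns only the first quarter of the file, which is the recovery ceiling any decryptor would face if the bug is as reported.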

Versions of the malware appear to exist for multiple platforms:

  • Windows
  • Linux
  • ESXi

The Windows version also includes a great deal of anti-analysis functionality. It checks for dozens of security applications and tools installed on the system, determines whether it is running in Safe Mode, and supports scripting for lateral propagation across the network.

For instance, with the command line flag “--force-safemode”, VECT 2.0 reboots the machine into Safe Mode and runs there before the normal boot completes, at a point when most protective capabilities are disabled.

However, many of the evasion features built into the Windows version are never actually used. That gives security professionals a chance to identify the malware without having to contend with additional evasion techniques.

The ESXi version, by contrast, behaves quite differently. Unlike the Windows and Linux versions of VECT 2.0, it includes geolocation-based filtering and debugger detection, and it spreads across the network over SSH connections.

One interesting aspect of the geo-filtering is the list of regions it excludes. If VECT 2.0 determines it is running in a CIS country, it stops immediately without encrypting anything. The presence of Ukraine on that exclusion list is anomalous given the geographic targeting seen in contemporary ransomware campaigns.

Researchers conclude that either parts of VECT were generated with AI tooling trained on older data, or the developers reused elements from older code bases and failed to update them.

Experts generally regard VECT as a fairly raw project. While it boasts attractive features such as multi-platform support and a robust affiliate program, its technical execution falls far short of what was intended or claimed.

What makes it particularly hazardous is not the sophistication of its deployment but the complete absence of any path to restoring user data.
