VECT: Ransomware by design, Wiper by accident


Check Point Research published a deep technical analysis of VECT 2.0, a Ransomware-as-a-Service that emerged in December 2025. Despite an ambitious multi-platform design targeting Windows, Linux, and VMware ESXi, the ransomware contains a critical implementation flaw: when encrypting files larger than 128 KB, it generates four separate ChaCha20-IETF nonces per file but only saves the last one to disk, permanently destroying the first three quarters of every large file. This makes VECT function as a data wiper rather than recoverable ransomware — victims who pay cannot receive a working decryptor for their most critical files. Additional flaws include advertised encryption speed modes (--fast, --medium, --secure) that are parsed but never applied, anti-analysis routines compiled but never called, a double-XOR obfuscation that cancels itself out, and an excessively aggressive thread scheduler. The group also partnered with TeamPCP (responsible for supply-chain attacks on Trivy, KICS, LiteLLM, and Telnyx) and opened affiliates to all BreachForums users. CPR notes the distribution infrastructure already exists and the bugs could be fixed in a future version.
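The nonce flaw summarized above, as an added illustration that is not part of the CPR write-up and is not VECT's code: a pure-Python ChaCha20-IETF (RFC 8439, 96-bit nonce, 32-bit block counter) plus a toy locker that encrypts a large buffer as four segments, each under a fresh random nonce, but writes only the last nonce to its footer. The four-way segmentation, the 12-byte-nonce footer layout and every function name are assumptions made for the example, not VECT's real file format. With the complete footer every segment decrypts; with the footer the flawed locker actually writes, a decryptor can only reuse the one surviving nonce, and the first three segments come back as keystream garbage even though the key is correct.

```python
# Added example: pure-Python ChaCha20-IETF (RFC 8439) and a toy model of the
# nonce-handling flaw. Segment count, footer layout and names are assumptions
# for illustration, not VECT's actual on-disk format.
import os
import struct

MASK32 = 0xFFFFFFFF
NONCE_LEN = 12  # ChaCha20-IETF: 96-bit nonce, 32-bit block counter


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_ietf_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) with ChaCha20-IETF."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_block_selfcheck():
    """RFC 8439 section 2.3.2 test vector: first 8 bytes of the serialized block."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return _chacha20_block(key, 1, nonce)[:8] == bytes.fromhex("10f1e7e4d13b5915")


def _segments(data, n):
    seg_len = -(-len(data) // n)  # ceiling division; the last segment may be shorter
    return [data[i * seg_len:(i + 1) * seg_len] for i in range(n)]


def locker_encrypt(key, plaintext, segments=4):
    """Toy model of the flawed locker: a fresh nonce per segment, only the last kept.
    Returns (ciphertext, footer_as_written, footer_that_would_be_needed)."""
    nonces, ct = [], bytearray()
    for seg in _segments(plaintext, segments):
        nonce = os.urandom(NONCE_LEN)
        nonces.append(nonce)
        ct.extend(chacha20_ietf_xor(key, nonce, seg))
    return bytes(ct), nonces[-1], b"".join(nonces)


def decrypt_with_footer(key, ciphertext, footer, segments=4):
    """Decryptor that reads one nonce per segment from the footer. When the footer
    holds a single nonce (the bug), that is all it has, so it is reused."""
    nonces = [footer[i:i + NONCE_LEN] for i in range(0, len(footer), NONCE_LEN)]
    pt = bytearray()
    for i, seg in enumerate(_segments(ciphertext, segments)):
        nonce = nonces[i] if i < len(nonces) else nonces[-1]
        pt.extend(chacha20_ietf_xor(key, nonce, seg))
    return bytes(pt)


def recoverable_segments(key, plaintext, ciphertext, footer, segments=4):
    """Per segment: does decryption with this footer return the original bytes?"""
    recovered = decrypt_with_footer(key, ciphertext, footer, segments)
    return [a == b for a, b in zip(_segments(plaintext, segments),
                                   _segments(recovered, segments))]


if __name__ == "__main__":
    key = os.urandom(32)
    original = os.urandom(200 * 1024)  # constructed stand-in for a >128 KB file
    ct, footer_buggy, footer_fixed = locker_encrypt(key, original)
    print("RFC 8439 self-check:", rfc8439_block_selfcheck())
    print("only last nonce saved:", recoverable_segments(key, original, ct, footer_buggy))
    print("all four nonces saved:", recoverable_segments(key, original, ct, footer_fixed))
```

For a stream cipher a lost nonce is as fatal as a lost key: the keystream for the first three segments depends on 96 bits the locker threw away, so no decryptor, including the operator's own, can recover them. The fix is either to store every nonce or to derive per-segment nonces deterministically from one stored value (for example a stored base nonce plus the segment index), taking care that the derived nonces are distinct, since reusing one nonce under the same key across segments would leak the XOR of the plaintexts.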

23 min read. Source: research.checkpoint.com
Table of contents
Key Takeaways
Background
Introduction: Ransomware Analysis Overview
Nonce Flaw – “Large File” Destruction
Windows Locker
ESXi Locker – The Hypervisor Ransomware
Linux Locker
Conclusion
Protections
IOCs
Appendix
