Broken VECT 2.0 ransomware acts as a data wiper for large files

Published: April 28, 2026 at 05:25 PM EDT

Source: Bleeping Computer

Researchers are warning that the VECT 2.0 ransomware has a flaw in the way it handles encryption nonces that causes it to permanently destroy larger files rather than encrypt them.

VECT has been advertised on one of the latest BreachForums iterations, inviting registered users to become affiliates and distributing access keys via private messages to those who showed interest.

At some point, VECT operators announced a partnership with TeamPCP, the threat group responsible for the recent supply‑chain attacks impacting Trivy, LiteLLM, and Telnyx, as well as an attack against the European Commission.

VECT operators' post on BreachForums
Source: Check Point

Faulty ransomware

While encrypting in chunks is meant to increase encryption speed for larger files, all chunk encryptions use the same memory buffer for the nonce output, so each new nonce overwrites the previous one. Once all chunks are processed, only the last nonce generated remains in memory and is written to disk. As a result, only the final 25% of a file is recoverable; the preceding three‑quarters are impossible to decrypt because the nonces have been lost. Those lost nonces aren’t transmitted to the attacker either, so even if VECT operators wanted to decrypt the files for victims paying the ransom, they wouldn’t be able to.

Flawed nonce handling logic
Source: Check Point
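
The recoverability consequence of the flaw described above, modelled as an added example (not code from VECT, Check Point, or the original article). It assumes four equal chunks (inferred from the 25% figure), a 12-byte nonce, and a toy SHA-256 keystream standing in for the cipher, which the article does not name.

```python
import hashlib
import os

CHUNKS = 4       # assumption: "final 25%" recoverable implies four equal chunks
NONCE_LEN = 12   # assumption: the page does not give the nonce size


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real one."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def split(data: bytes) -> list:
    size = -(-len(data) // CHUNKS)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def flawed_encrypt(key: bytes, plaintext: bytes):
    """Model of the described flaw: all chunk nonces share one buffer."""
    nonce_buf = bytearray(NONCE_LEN)
    out = []
    for chunk in split(plaintext):
        nonce_buf[:] = os.urandom(NONCE_LEN)  # overwrites the previous nonce
        out.append(keystream_xor(key, bytes(nonce_buf), chunk))
    return b"".join(out), bytes(nonce_buf)    # only the last nonce survives


def recoverable_fraction(key, stored_nonce, ciphertext, original) -> float:
    """Decrypt each chunk with the one stored nonce; return the share that matches."""
    good = 0
    for ct, pt in zip(split(ciphertext), split(original)):
        if keystream_xor(key, stored_nonce, ct) == pt:
            good += len(pt)
    return good / len(original)


def demo() -> float:
    key = os.urandom(32)
    original = bytes(range(256)) * 1024   # constructed 256 KiB sample "file"
    ciphertext, stored_nonce = flawed_encrypt(key, original)
    return recoverable_fraction(key, stored_nonce, ciphertext, original)


if __name__ == "__main__":
    print(f"recoverable with key + stored nonce: {demo():.0%}")
```

Even with the correct key in hand, the first three chunks fail to decrypt because their nonces were never stored anywhere.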

The VECT 2.0 ransom note
Source: Check Point

Check Point notes that, since most valuable enterprise files—including VM disks, database files, and backups—are above 128 KB, VECT’s impact as a data wiper can be catastrophic in most environments.

“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” – Check Point research.

The researchers found that the same nonce‑handling flaw is present across all variants of the VECT 2.0 ransomware, including Windows, Linux, and ESXi, so the data‑wiping behavior applies universally.
