New ransomware wipes every file larger than 128 KB
Source: Mashable Tech
Overview
A newly identified ransomware strain is accidentally destroying the very files it’s supposed to hold for ransom. Victims who pay receive nothing back.
Cybersecurity firm Check Point Research published findings Tuesday detailing the dangers of VECT 2.0, a Ransomware‑as‑a‑Service operation that first emerged on a Russian‑language cybercrime forum in 2025.
The ransomware contains a critical coding flaw that permanently destroys any file larger than 128 KB rather than encrypting it. That threshold is smaller than a typical email attachment, meaning virtually every file that would matter to a victim—databases, backups, virtual‑machine disks, documents, spreadsheets—is being irreversibly wiped rather than locked.
Technical Details
When VECT scrambles a file, it needs to save a cryptographic nonce, a one-time value used alongside the key, that later allows it to unscramble the file.
For larger files, the malware generates four of these nonces. Due to a programming error, it keeps overwriting the previous nonce with each new one in the same slot, like writing four different combinations on a single sticky note and keeping only the last one. By the time the process finishes, three of the four nonces are lost forever, and the corresponding scrambled data becomes permanently unreadable for the victim, security researchers, and the attackers themselves.
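The flaw described above, modeled on an in-memory buffer as an added example; it is not code from Check Point or from the malware. A toy SHA-256 counter-mode keystream stands in for the real cipher, and the nonce length, the even four-way split and every function name are assumptions.

```python
import hashlib
import os

CHUNKS = 4       # from the article: four nonces for larger files
NONCE_LEN = 12   # assumption: the article does not give the nonce size


def keystream(key, nonce, n):
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real one."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def split(data, parts=CHUNKS):
    size = -(-len(data) // parts)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def scramble_with_single_slot(key, plaintext):
    """Each chunk gets a fresh nonce, but all four are written to one slot."""
    slot = None
    scrambled = []
    for chunk in split(plaintext):
        nonce = os.urandom(NONCE_LEN)
        scrambled.append(xor(chunk, keystream(key, nonce, len(chunk))))
        slot = nonce  # the bug: the previous nonce is overwritten here
    return scrambled, slot


def recoverable_chunks(key, scrambled, stored_nonce, original):
    """Even with the correct key, which chunks does the surviving nonce decrypt?"""
    return [xor(c, keystream(key, stored_nonce, len(c))) == o
            for c, o in zip(scrambled, split(original))]


def lost_fraction(key, scrambled, stored_nonce, original):
    """Share of the buffer's bytes that no party can restore."""
    ok = recoverable_chunks(key, scrambled, stored_nonce, original)
    lost = sum(len(c) for c, good in zip(scrambled, ok) if not good)
    return lost / len(original)
```

Holding the key does not help: only the chunk whose nonce survived in the slot decrypts, which is why recovery planning for this strain has to rest on backups rather than on a decryptor.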
Impact
Ransomware typically works by breaking into a computer system, encrypting (scrambling) all the files, and then demanding payment for the decryption key. In this instance, however, paying the ransom is pointless. The attackers literally cannot give the files back because they have inadvertently destroyed the nonces needed for decryption.
Additional Issues
Check Point also identified a string of other amateur mistakes baked into the malware, including:
- Advertised features that don’t actually work.
- Security‑evasion tools that are built in but never activated.
- An obfuscation technique that accidentally cancels itself out, making the code easier to read rather than harder.
Distribution and Reach
Despite the technical incompetence, VECT has real reach. The group partnered with BreachForums, one of the internet’s largest hacking communities, to grant every registered user on the platform free access to its ransomware toolkit.
Even though Check Point classifies these attacks as novice work, the large pool of potential attackers armed with a destructive—if broken—weapon is concerning.