{"id":12473,"date":"2026-04-29T10:01:30","date_gmt":"2026-04-29T10:01:30","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/29\/new-vect-2-0-ransomware-destroys-files-over-128-kb-across-windows-linux-and-esxi\/"},"modified":"2026-04-29T10:01:30","modified_gmt":"2026-04-29T10:01:30","slug":"new-vect-2-0-ransomware-destroys-files-over-128-kb-across-windows-linux-and-esxi","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/29\/new-vect-2-0-ransomware-destroys-files-over-128-kb-across-windows-linux-and-esxi\/","title":{"rendered":"New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and ESXi"},"content":{"rendered":"<div>\n<p>A newly documented ransomware strain called VECT 2.0 has drawn serious attention from the cybersecurity community for a deeply damaging flaw in its design. <\/p>\n<p>Unlike typical ransomware that locks files and demands payment for decryption, VECT 2.0 permanently destroys any file larger than 128 KB, making recovery impossible even if a victim pays the ransom.<\/p>\n<p>VECT Ransomware first appeared in December 2025 on a Russian-language cybercrime forum, operating as a Ransomware-as-a-Service (RaaS) program. <\/p>\n<p>The group claimed its first two victims in January 2026 and released version 2.0 in February 2026, expanding its reach across Windows, Linux, and VMware ESXi systems. 
<\/p>\n<p>The malware gained more visibility in March 2026 when VECT announced a partnership with TeamPCP, a threat actor behind supply-chain attacks that injected malware into widely-used packages including Trivy, Checkmarx KICS, LiteLLM, and Telnyx, affecting a large number of downstream users.<\/p>\n<p><a href=\"https:\/\/research.checkpoint.com\/2026\/vect-ransomware-by-design-wiper-by-accident\/\" id=\"https:\/\/research.checkpoint.com\/2026\/vect-ransomware-by-design-wiper-by-accident\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Check Point Research analysts identified and analyzed all three VECT 2.0 variants<\/a> after gaining access to the builder panel through a BreachForums account. <\/p>\n<p>Their investigation uncovered that VECT also entered a partnership with BreachForums itself, giving every registered forum member free access to deploy the ransomware as an affiliate. <\/p>\n<p>This open-affiliate model removes the usual vetting process, significantly lowering the barrier for less experienced attackers to join the operation. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRU7vyImMUIAaO-r7ytVeRsEqU8oEO7PZVBNLlrH1JN_twaZkXAmrFFPVtm9v85T9Galj2bwwnqCQ8nipIKi1JdoNTi7s3Ia5wPxS1NaTykWCzqFz_5_RnTRbMEAy4lkPZoQwUmOEnJklpEXuT0bzeZ08wmrS2lqT-lSt7OEq-n3n7gFnFHQJkhOMDpK4\/s16000\/Partnership%2520release%2520page%2520on%2520BreachForums%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\" alt=\"Partnership release page on BreachForums (Source - Check Point)\"><figcaption class=\"wp-element-caption\">Partnership release page on BreachForums (Source \u2013 Check Point)<\/figcaption><\/figure>\n<\/div>\n<p>The ransomware is written in C++ and targets all three platforms through statically compiled executables that share a common codebase. 
<\/p>\n<p>Each variant uses the ChaCha20-IETF (RFC 8439) cipher via the libsodium cryptographic library and renames encrypted files with the .vect extension, dropping a ransom note named !!!READ_ME!!!.txt on each compromised system. <\/p>\n<p>Despite its polished builder panel, the technical execution falls well short of a professionally developed <a href=\"https:\/\/cybersecuritynews.com\/ransomware-protection-tools\/\" id=\"17133\" target=\"_blank\" rel=\"noreferrer noopener\">ransomware tool<\/a>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglB6n4P0u3SSZ5G-fOf0r6SwkrYLZfh1t1uxlUM9PCfOETNmLv89uBwybCpytnZJaLiKW2EFuWDoxG-Y2MrDITrF5PRtpW-7bkrETRRP7JyMkF7Ik7T_3XppaXjrXLIIab-6B-NCzjz-g-uRK_jR527frUhL6DFhUheU6J7sMh20bMurIoSQBBst-lD7o\/s16000\/VECT%2520builder%2520panel%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\" alt=\"VECT builder panel (Source - Check Point)\"><figcaption class=\"wp-element-caption\">VECT builder panel (Source \u2013 Check Point)<\/figcaption><\/figure>\n<\/div>\n<p>The most alarming aspect of VECT 2.0 is a critical coding flaw that effectively turns it into a data wiper. <\/p>\n<p>Any file exceeding 131,072 bytes (128 KB) is not properly encrypted but instead rendered permanently unrecoverable, targeting the very assets organizations depend on to keep operations running.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-nonce-handling-flaw-that-destroys-large-files\"><strong>The Nonce-Handling Flaw That Destroys Large Files<\/strong><\/h2>\n<p>At the heart of the problem is a fundamental error in how VECT 2.0 handles cryptographic nonces during file encryption. 
<\/p>\n<p>When the <a href=\"https:\/\/cybersecuritynews.com\/new-iamantimalware-tool\/\" id=\"130005\" target=\"_blank\" rel=\"noreferrer noopener\">malware processes<\/a> a large file, it divides it into four chunks and encrypts each one using a freshly generated, random 12-byte nonce. <\/p>\n<p>All four encryption calls write their nonces into the same shared memory buffer, meaning each new nonce overwrites the previous one. <\/p>\n<p>By the time encryption finishes, only the nonce from the fourth and final chunk survives and gets written to the encrypted file on disk.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiSoA_YQLvmnt0iJz7Q5jbyab463N7REzZ9jwM7vhAhkTlS3EQVAQhvOa2q19GKYFiFtqmYKLc-mqNW_UXThg72U-rsclv6g9x6n_MRb9qcwr4BPT0lAn0tzUeQsE7CaD7WdjHJHkXm3C_yAldB8oujwLIEVWwLZki42fp7A9r9VxNMvNGo9yGgzR8JDag\/s16000\/Large%2520file%2520processing%2C%25204%2520chunks%2520encrypted%2520with%25204%2520unique%2520nonces%2C%2520single%2520nonce%2520appended%2520at%2520EOF%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\" alt=\"Large file processing, 4 chunks encrypted with 4 unique nonces, single nonce appended at EOF (Source - Check Point)\"><figcaption class=\"wp-element-caption\">Large file processing, 4 chunks encrypted with 4 unique nonces, single nonce appended at EOF (Source \u2013 Check Point)<\/figcaption><\/figure>\n<\/div>\n<p>Since ChaCha20-IETF decryption requires both the encryption key and the exact matching nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone. <\/p>\n<p>The discarded nonces are never saved on disk, stored in the registry, or sent to the attacker\u2019s server in any of the three variants. 
Even if a victim pays the ransom in full, the operator cannot provide a working decryptor because the nonces required for decryption were permanently lost the moment the buffer was overwritten. <\/p>\n<p>At just 128 KB, this threshold captures virtually every meaningful file type, from VM disk images and databases to backups, spreadsheets, and email archives. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5LQALwjMscf8G09VeY8Kp-bhc8U3sbFP1kOLicO6GshyzDC57OSmc0uNV1ruAMyBIW36k_9z0iiskJ8wGuqSRLSoOHO6_ftK-d2XRYMCVqcGFol1z91T-SAw40mQWKzo2gvPsZxYeDoPWYQVyJdUfNncA3GKso-6JQLzOHDdiug37ch2pUmSSxNugNIo\/s16000\/Encryption%2520flaw%2C%2520ESXi%2520version%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\" alt=\"Encryption flaw, ESXi version (Source - Check Point)\"><figcaption class=\"wp-element-caption\">Encryption flaw, ESXi version (Source \u2013 Check Point)<\/figcaption><\/figure>\n<\/div>\n<p>Check Point Research confirmed this flaw is present in all three platform variants and predates the 2.0 release, having existed in earlier deployments without ever being fixed.<\/p>\n<p>Organizations should keep offline, air-gapped backups that cannot be reached through network shares or lateral movement. <\/p>\n<p>Monitoring for bulk process terminations, sudden shadow copy deletions, and mass file renaming to the .vect extension can provide early warning of an active infection. <\/p>\n<p>Given VECT\u2019s partnership with TeamPCP, validating the integrity of third-party software dependencies is also a critical step. 
<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams<\/a> should watch for PowerShell-based disabling of Windows Defender, event log clearing activity, and unusual safe-mode boot configuration changes, all of which are key behavioral indicators of this ransomware.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-vect-2-0-ransomware-destroys-files\/\">New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and ESXi<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and 
ESXi A newly documented ransomware strain called VECT 2.0 has drawn serious attention from the cybersecurity community for a deeply damaging flaw in its design. Unlike typical ransomware that locks files and demands payment for decryption, VECT 2.0 permanently destroys any file [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12473","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12473"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12473"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12473\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}