{"id":13400,"date":"2026-06-05T10:04:13","date_gmt":"2026-06-05T10:04:13","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/05\/vect-2-0-ransomware-can-damage-files-its-own-decryptor-cannot-reliably-restore\/"},"modified":"2026-06-05T10:04:13","modified_gmt":"2026-06-05T10:04:13","slug":"vect-2-0-ransomware-can-damage-files-its-own-decryptor-cannot-reliably-restore","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/05\/vect-2-0-ransomware-can-damage-files-its-own-decryptor-cannot-reliably-restore\/","title":{"rendered":"VECT 2.0 Ransomware Can Damage Files Its Own Decryptor Cannot Reliably Restore"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A new ransomware strain called VECT 2.0 is raising serious concerns among security professionals, and for a troubling reason \u2014 even if a victim pays the ransom, the attacker\u2019s own decryptor may not fully restore their files. <\/p>\n<p class=\"wp-block-paragraph\">This is not a typical failure tied to weak defenses or victim error. The damage, in many cases, is baked directly into the malware\u2019s design and leaves victims with broken files they cannot cleanly recover.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/cheerscrypt-linux-based-ransomware-encrypt-linux-windows-systems\/\" id=\"10592\" target=\"_blank\" rel=\"noreferrer noopener\">VECT 2.0 is a 64-bit Windows-based ransomware<\/a> that targets business data including documents, PDFs, archives, backups, databases, and virtual disks. <\/p>\n<p class=\"wp-block-paragraph\">Rather than targeting only specific file types, it walks accessible paths and skips a short exclusion list, meaning a wide range of important files fall within its scope. 
The malware is part of a broader family, with related builds also spotted under the DEVMAN 3.0 branding.<\/p>\n<p class=\"wp-block-paragraph\">Researchers at Morphisec analyzed a Windows VECT 2.0 sample in detail, uncovering how the malware\u2019s own design works against victim recovery. <\/p>\n<p class=\"wp-block-paragraph\">They found that VECT can leave files renamed, partially encrypted, or structurally broken in ways that defeat even the attacker\u2019s own recovery tool. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.morphisec.com\/blog\/vect-ransomware-that-cant-decrypt\/\" id=\"https:\/\/www.morphisec.com\/blog\/vect-ransomware-that-cant-decrypt\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Morphisec said in a\u00a0report<\/a>\u00a0shared with Cyber Security News (CSN) that the flaw extends well beyond a previously known nonce-loss bug documented by Check Point Research.<\/p>\n<p class=\"wp-block-paragraph\">One of the most alarming findings is that VECT renames a file before it begins encrypting it. The malware appends the .vect extension first, then opens the file to modify its content. <\/p>\n<p class=\"wp-block-paragraph\">This means a file with the .vect extension is not necessarily encrypted at all \u2014 it could be plaintext or only partially changed. That detail makes recovery challenging, since the extension cannot be taken as proof of what happened to any given file.<\/p>\n<p class=\"wp-block-paragraph\">The malware also stores almost no metadata alongside encrypted files that could assist recovery. It appends only a 12-byte trailer holding the last encryption nonce from the operation, with no version field, no original file size, and no chunk information. 
<\/p>\n<p class=\"wp-block-paragraph\">This bare-bones footprint makes it nearly impossible for any decryptor to reconstruct what the malware actually did to each file.<\/p>\n<h2 id=\"h-vect-2-0-ransomware\" class=\"wp-block-heading\"><strong>VECT 2.0 Ransomware<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">For files larger than 128 KB, VECT splits the content into four sections and encrypts a 32 KB block at the start of each using four different keys. Only the final key is saved to disk when the process finishes. <\/p>\n<p class=\"wp-block-paragraph\">That means three of the four encrypted blocks are permanently out of reach for the built-in decryptor, because the data needed to reverse them is never retained.<\/p>\n<p class=\"wp-block-paragraph\">Morphisec also uncovered a <a href=\"https:\/\/cybersecuritynews.com\/beyond-encryption-how-tokenization-redefined-scalable-data-privacy\/\" id=\"118508\" target=\"_blank\" rel=\"noreferrer noopener\">buffer-size mismatch in the single-pass encryption path<\/a>. Files between 32 KB and 128 KB can enter a code path where the destination buffer is too small for the incoming data. <\/p>\n<p class=\"wp-block-paragraph\">Depending on runtime behavior, the file may be renamed without encryption taking place, fail midway through, or end up in an inconsistent state that cannot be cleanly repaired.<\/p>\n<h2 id=\"h-shared-buffers-and-concurrent-processing-failures\" class=\"wp-block-heading\"><strong>Shared Buffers and Concurrent Processing Failures<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">VECT uses multiple worker threads to process files at the same time, but the buffers these threads rely on for file paths and content reads are shared globally across all workers. 
<\/p>\n<p class=\"wp-block-paragraph\">When two threads handle different files at once, one can <a href=\"https:\/\/cybersecuritynews.com\/vimeo-data-breach-exposed\/\" id=\"149231\" target=\"_blank\" rel=\"noreferrer noopener\">overwrite path or content data that another worker is still actively using<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">This race condition means a single VECT incident can produce files in several very different states. One file might be only renamed, another fully encrypted, and a third left partially modified in a way that neither party can cleanly reverse. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg1AnK7buWeWvuNIZtgoKQA2nmlK5zfZPZ51ozb8x9BWs7HmUa626CrLHgAJmBHf8xMO5zXyfbPhvHeaCr3RQPLc4klLJU1VoLXTqSySbOP1xfmZCWswZ5oiSD9LaZX6v6GvMzZMSpUy2HO4HSXUSl0Dxn6qzN8lwdKZX2f1RNJvRqJpKi0yRce0-T6Pyw\/s16000\/12-byte%2520ChaCha20-IETF%2520%28Source%2520-%2520Morphisec%29.webp?ssl=1\" alt=\"12-byte ChaCha20-IETF (Source - Morphisec)\"><figcaption class=\"wp-element-caption\">12-byte ChaCha20-IETF (Source \u2013 Morphisec)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">A generic decryptor follows the attacker\u2019s assumptions about file format, but VECT\u2019s own implementation repeatedly violates those assumptions.<\/p>\n<p class=\"wp-block-paragraph\">Given these risks, security teams are strongly encouraged to deploy prevention-first solutions that can stop ransomware before encryption begins. <\/p>\n<p class=\"wp-block-paragraph\">Behavioral endpoint protection is far better suited to catching this threat early in the chain. 
Once files have been processed by VECT, even paying the ransom offers no guarantee of a full recovery.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of Compromise (IoCs):<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The Morphisec report does not list specific file hashes, IP addresses, command-and-control domains, or URLs as traditional IoCs. The sole artifact consistently associated with VECT 2.0 activity is the file extension it appends during processing, noted below for threat hunting and triage purposes.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>File Extension<\/td>\n<td>.vect<\/td>\n<td>Extension appended to targeted files before encryption begins; presence does not confirm successful encryption<\/td>\n<\/tr>\n<tr>\n<td>Binary Type<\/td>\n<td>64-bit Windows PE<\/td>\n<td>VECT 2.0 sample identified as a 64-bit Windows Portable Executable<\/td>\n<\/tr>\n<tr>\n<td>Malware Family Branding<\/td>\n<td>DEVMAN 3.0<\/td>\n<td>Related VECT-family build observed with alternate branding, used to identify common vs. build-specific behavior<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/vect-2-0-ransomware-can-damage-files-its-own-decryptor\/\">VECT 2.0 Ransomware Can Damage Files Its Own Decryptor Cannot Reliably Restore<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new ransomware strain called VECT 2.0 is raising serious concerns among security professionals, and for a troubling reason \u2014 even if a victim pays the ransom, the attacker\u2019s own decryptor may not fully restore their files. 
This is not a typical failure [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13400","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13400"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13400"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13400\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}