Researchers have discovered a critical flaw in VECT 2.0 ransomware that causes the malware to act as a data wiper for larger files rather than encrypting them in a recoverable way. The issue stems from how the ransomware handles encryption nonces when processing files larger than 128 kilobytes by splitting them into four chunks. Each chunk encryption overwrites the previous nonce in the same memory buffer, so only the final nonce is written to disk after processing completes.
Consequently, only the last 25 percent of any affected file remains potentially decryptable, with the previous three chunks permanently unrecoverable since their nonces are neither stored nor transmitted to attackers. This means even if victims paid the ransom, the VECT operators would be unable to restore the destroyed data. The flaw exists across all variants including Windows, Linux, and ESXi versions.
VECT has been advertised on BreachForums with operators announcing a partnership with TeamPCP, the threat group responsible for recent supply-chain attacks against Trivy, LiteLLM, Telnyx, and the European Commission. Check Point researchers note that since most valuable enterprise files such as virtual machine disks, databases, and backups exceed 128 kilobytes, the ransomware's destructive impact could be catastrophic in most environments. Routine documents, spreadsheets, and mailboxes also fall above this threshold, meaning virtually nothing victims would want to recover remains safe from this wiping behavior. VECT operators intended to deploy the ransomware payload against victims of TeamPCP's supply chain compromises.
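To make the failure mode concrete, the following is an added Python model of the nonce bookkeeping the researchers describe, followed by the per-chunk recoverability check a responder would run; it is not VECT's code, it uses a toy SHA-256 counter-mode keystream in place of the unnamed cipher, and the 12-byte nonce and equal-size chunk layout are assumptions. Even holding the key and the one nonce that reached disk, only the final chunk decrypts.

```python
import hashlib
import os

CHUNK_THRESHOLD = 128 * 1024  # files larger than this are split (per the report)
CHUNK_COUNT = 4               # into four chunks (per the report)
NONCE_LEN = 12                # assumption: the report does not give the nonce width

def keystream(key, nonce, length):
    """Toy nonce-dependent keystream (SHA-256 in counter mode), a stand-in for the
    unnamed stream cipher. All that matters: a different nonce gives a different stream."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_chunks(data, n=CHUNK_COUNT):
    """Split into n near-equal chunks (assumed layout; the report only says 'four')."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]

def flawed_chunked_encrypt(key, data):
    """Models the bookkeeping bug: one nonce buffer is reused for every chunk, so
    only its final contents survive to be written out with the ciphertext."""
    assert len(data) > CHUNK_THRESHOLD, "small files take a different path"
    nonce_buf, out = bytearray(NONCE_LEN), []
    for chunk in split_chunks(data):
        nonce_buf[:] = os.urandom(NONCE_LEN)  # overwrites the previous chunk's nonce
        out.append(xor_bytes(chunk, keystream(key, bytes(nonce_buf), len(chunk))))
    return b"".join(out), bytes(nonce_buf)  # only the last nonce reaches disk

def decrypt_with_stored_nonce(key, ciphertext, stored_nonce):
    """What a key holder can do afterwards: apply the one surviving nonce to each chunk."""
    return [xor_bytes(c, keystream(key, stored_nonce, len(c))) for c in split_chunks(ciphertext)]

def recoverable_chunks(original, recovered):
    """Per-chunk recoverability check: True means the chunk came back intact."""
    return [r == o for r, o in zip(recovered, split_chunks(original))]

if __name__ == "__main__":
    key = os.urandom(32)
    sample = os.urandom(256 * 1024)  # constructed 256 KB 'file', above the threshold
    ct, nonce = flawed_chunked_encrypt(key, sample)
    print(recoverable_chunks(sample, decrypt_with_stored_nonce(key, ct, nonce)))
    # -> [False, False, False, True]: only the final quarter is decryptable
```

The same check against a real sample would confirm what the report states: the first three quarters cannot be restored by anyone, because the keystream that covered them depended on nonces that no longer exist.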