
The VECT Ransomware Flaw: Encryption That Destroys Data Instead of Holding It Hostage

Asked 2026-05-14 13:28:05 Category: Science & Space

VECT ransomware, a Ransomware-as-a-Service operation, emerged in late 2025 and quickly made headlines through a partnership with the supply-chain attack group TeamPCP. However, Check Point Research discovered a critical flaw in VECT's encryption that renders it effectively a data wiper for most files. This Q&A explains the technical failure, the misidentification of the cipher, and the broader implications for victims and the ransomware ecosystem.

What is the core flaw in VECT ransomware?

At the heart of VECT ransomware is a devastating programming error: for any file larger than 128 KB it discards three of the four nonces needed for decryption. The cipher is raw ChaCha20 (not ChaCha20-Poly1305, as previously reported), and each file is processed in four equal-sized chunks. For files exceeding 128 KB, only the first chunk gets a unique nonce; the remaining three chunks share the same nonce. Because a ChaCha20 decryptor must regenerate exactly the keystream used during encryption, and that keystream depends on the nonce, any data beyond the first 128 KB is permanently corrupted once those nonces have been thrown away. For any file holding meaningful content (VM disks, databases, documents, backups) full recovery is therefore impossible, even for the attackers themselves. The flaw is present across all three platform variants (Windows, Linux, and ESXi) and in all publicly available versions of VECT.

Source: research.checkpoint.com

Why is VECT called a wiper by accident?

Although VECT markets itself as ransomware, its encryption flaw turns it into an unintentional wiper for most files. Ransomware typically encrypts data so that only the attacker can decrypt it, creating an incentive for victims to pay. However, VECT's nonce-handling bug means that for any file above 128 KB—which includes virtually all enterprise assets like virtual machine disks, databases, documents, and backups—decryption is mathematically impossible. The attackers cannot restore the data even if the ransom is paid. Only tiny files (under 128 KB) remain recoverable. This means VECT does not hold data hostage; it destroys it. The wiper behavior is not an intentional feature but a consequence of shoddy implementation, making it a threat that leaves victims with no hope of recovery regardless of compliance.

How did initial reports misidentify VECT's cipher?

Multiple widely-cited threat intelligence reports, and even VECT's own advertising, claimed that VECT used ChaCha20-Poly1305 (AEAD) encryption. However, Check Point Research discovered that VECT actually employs raw ChaCha20-IETF as defined in RFC 8439, with no Poly1305 MAC for authentication. This is a critical distinction because ChaCha20-Poly1305 provides both encryption and integrity protection, while raw ChaCha20 alone cannot detect tampering. The absence of Poly1305 means VECT lacks any integrity check, consistent with its overall sloppy design. The misidentification likely originated from how VECT's code structures its encryption calls—developers may have assumed the presence of Poly1305 without verifying the actual implementation. This error underscores the importance of reverse engineering rather than relying on advertising claims or superficial analysis.

What other bugs did Check Point find in VECT?

Beyond the critical nonce flaw, Check Point Research uncovered a laundry list of additional implementation failures. The so-called encryption speed modes (the --fast, --medium, and --secure flags available on the Linux and ESXi variants) are parsed but silently ignored; every execution uses identical hardcoded thresholds. The code also contains self-cancelling string obfuscation routines that effectively do nothing, permanently unreachable anti-analysis code segments, and a thread scheduler that actively degrades the very performance it was meant to improve. These bugs paint a picture of amateur programming behind a professional facade. Despite operating three distinct platform variants (Windows, Linux, ESXi), VECT uses a single shared codebase ported with the same engine, the same logic, and the same flaws across all three.


Who is behind VECT and how does it operate?

VECT operates as a Ransomware-as-a-Service (RaaS) program, first advertised on a Russian-language cybercrime forum in December 2025. The group claimed its first two victims in January 2026 but gained notoriety after announcing a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026 that compromised popular software packages (Trivy, Checkmarx KICS, LiteLLM, Telnyx). VECT then posted on BreachForums to promote the alliance, aiming to exploit companies affected by those supply-chain attacks. Additionally, VECT partnered with BreachForums itself, promising that every registered forum user would become an affiliate, gaining access to VECT's ransomware, negotiation platform, and leak site. This effectively opened the ransomware to a broad, potentially unvetted user base, further increasing the threat surface.

What is the threshold for file destruction?

The critical file size threshold is 131,072 bytes (128 KB). Any file above this size suffers from the nonce-reuse flaw that destroys three-quarters of its content. Files at or below 128 KB are processed with a unique nonce for each chunk and remain recoverable. However, in enterprise environments, files smaller than 128 KB are rare for meaningful data: virtual machine disk images (VMDK, VHDX), database files (SQL Server, PostgreSQL), large documents (PDFs, Office files with embedded media), and backup archives routinely exceed this size. Consequently, VECT effectively wipes virtually all valuable enterprise assets. Even the attackers cannot recover these files, making the ransomware model self-defeating. This low threshold means that any file containing substantial data is lost forever.
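To make the failure described in the first and the previous answer concrete, here is an added model (not VECT's code and not from the Check Point write-up) of the chunked raw ChaCha20-IETF scheme those answers describe: four equal chunks, a fresh nonce per chunk, and a decryptor that, for files above 131,072 bytes, is handed only the first chunk's nonce. The ChaCha20 core follows RFC 8439 and is checked against the RFC's section 2.4.2 test vector; the chunk sizes, the per-chunk nonce layout and the zero-filling of unrecoverable chunks are assumptions of this model.

```python
import os, struct

CHUNKS = 4           # the write-up: each file is processed in four equal chunks
THRESHOLD = 131_072  # 128 KB; above this, only the first chunk's nonce survives

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _qr(s, a, b, c, d):  # RFC 8439 quarter round on the 16-word state list s
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):  # one 64-byte ChaCha20-IETF keystream block
    st = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(st, w)])

def chacha20_xor(key, nonce, data, counter=0):  # raw ChaCha20: no Poly1305, no integrity check
    out = bytearray()
    for i in range(0, len(data), 64):
        blk, ks = data[i:i + 64], _block(key, counter + i // 64, nonce)
        out += (int.from_bytes(blk, "little") ^ int.from_bytes(ks[:len(blk)], "little")).to_bytes(len(blk), "little")
    return bytes(out)

def _split(data):  # assumed layout: ceiling division into four equal chunks
    size = -(-len(data) // CHUNKS)
    return [data[i:i + size] for i in range(0, len(data), size)]

def encrypt_file(key, data):  # fresh 12-byte nonce per chunk; returns ciphertext and all nonces
    nonces = [os.urandom(12) for _ in _split(data)]
    return b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, _split(data))), nonces

def decrypt_file(key, ct, nonces):  # a chunk whose nonce is missing cannot be decrypted (zero-filled here)
    out = b""
    for idx, chunk in enumerate(_split(ct)):
        out += chacha20_xor(key, nonces[idx], chunk) if idx < len(nonces) else b"\x00" * len(chunk)
    return out

def recoverable_fraction(key, data):  # fraction of chunks recovered under the modelled bug
    ct, nonces = encrypt_file(key, data)
    kept = nonces if len(data) <= THRESHOLD else nonces[:1]  # nonces 2-4 discarded above THRESHOLD
    got = decrypt_file(key, ct, kept)
    good = [a == b for a, b in zip(_split(got), _split(data))]
    return sum(good) / len(good)

def rfc8439_selfcheck():  # RFC 8439 section 2.4.2 vector, first 16 ciphertext bytes
    key, nonce = bytes(range(32)), bytes.fromhex("000000000000004a00000000")
    msg = b"Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it."
    return chacha20_xor(key, nonce, msg, counter=1)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"
```

A 1,000-byte file comes back whole, while a file one byte over the threshold comes back 25% intact, exactly the three-quarters loss the answer describes.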

How can organizations protect against VECT?

Protection against VECT, and similar flawed ransomware, requires a multi-layered defense strategy. First, regular backups stored offline or in immutable storage remain the ultimate safeguard; if VECT wipes production data, recovery depends solely on clean backups. Second, endpoint detection and response (EDR) solutions can identify the distinctive mass-encryption behavior (e.g., bursts of high read/write I/O across many large files). Third, network segmentation limits the ransomware's lateral movement and access to high-value storage. Fourth, patching and vulnerability management reduce initial access vectors exploited by supply-chain attacks linked to TeamPCP. Finally, user awareness training helps prevent phishing that may deliver VECT loaders. Note that paying the ransom does not help with VECT because decryption is impossible; focus should be on prevention and recovery from backups rather than negotiation.