7 Critical Flaws in VECT Ransomware That Turn It Into a Data Wiper
When ransomware fails to do its job, victims usually cheer. But the VECT ransomware’s failure is so catastrophic that it permanently destroys data instead of holding it for ransom. What was marketed as a polished RaaS (Ransomware-as-a-Service) actually harbors a critical encryption flaw that makes full recovery impossible—for anyone, including the attackers themselves. Here are the seven key facts you need to understand about this bizarrely broken malware.
1. The Nonce Flaw: Why Files Over 128 KB Are Wiped, Not Encrypted
At the heart of VECT is a design blunder that turns the ransomware into a wiper. For any file larger than 131,072 bytes (128 KB), the encryptor processes the content in four chunks, each under its own nonce, but retains only one of the four nonces and discards the other three. ChaCha20 derives its keystream from the key and the nonce together, so the key alone cannot decrypt the three chunks whose nonces are gone: the attacker holds no copy of them, and a 96-bit nonce is far beyond brute force. The threshold is dangerously low, meaning virtually every meaningful file, from VM disks and databases to documents and backups, is permanently destroyed. Check Point Research confirmed the flaw in all known VECT versions across every platform.

2. Misidentified Encryption: It’s Not ChaCha20-Poly1305
Multiple threat intelligence reports, and VECT’s own advertisement, claimed the ransomware used ChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data). That is incorrect. VECT actually uses raw ChaCha20-IETF (RFC 8439) with no authentication layer at all: no Poly1305 MAC, no integrity protection, and no mechanism to detect tampering. Raw ChaCha20 is a stream cipher, so flipping a bit of ciphertext flips the same bit of plaintext, silently. The misidentification led analysts to assume the encryption was state-of-the-art. An authentication tag would not have brought the discarded nonces back, but its absence means a decryptor cannot even distinguish a correct nonce from a wrong one: decryption under the wrong nonce yields output that looks like any other random bytes, so there is no way to verify a recovered chunk, let alone salvage one.
3. Speed Modes That Are Completely Ignored
The Windows, Linux, and ESXi variants of VECT all advertise command-line flags such as --fast, --medium, and --secure, supposedly letting operators choose between encryption performance and thoroughness. However, these options are parsed and then silently ignored. Every execution uses the same hardcoded thresholds and encryption parameters, regardless of which flag the operator selected. This means the “fast” mode doesn’t exist, and the “secure” mode offers no extra security—it’s all a facade.
4. One Flawed Engine Across Three Platforms
VECT targets Windows, Linux, and ESXi, but under the hood every variant shares an identical encryption engine built on libsodium. The same file-size threshold, the same four-chunk encryption logic, and the same nonce-handling bug appear in all three. This is not a case of separate ports gone wrong; it is a single codebase compiled for different operating systems. The flaw is therefore universal: no platform-specific build escapes it, and although a fix in that shared engine would reach all three platforms at once, no fixed version has appeared.
5. Professional Façade, Amateur Execution
Beyond the headline nonce issue, Check Point Research uncovered a laundry list of programming failures. These include self-cancelling string obfuscation that effectively does nothing, permanently unreachable anti-analysis code that never executes, and a thread scheduler that actually slows down encryption instead of speeding it up. The malware’s source code gives the impression of a skilled developer, but the runtime behavior screams careless implementation. Combined, these bugs make VECT one of the most poorly executed ransomware variants in recent memory.

6. Background: VECT’s RaaS Model and the TeamPCP Partnership
VECT first appeared in December 2025 on a Russian-language cybercrime forum, operating as a RaaS program. After claiming its first victims in January 2026, it gained notoriety by partnering with TeamPCP—the group behind supply-chain attacks in March 2026 that injected malware into popular tools like Trivy, KICS, LiteLLM, and Telnyx. This partnership, announced on BreachForums, aimed to exploit companies already compromised by those supply-chain incidents. Additionally, VECT promised every registered BreachForums user the chance to become an affiliate, gaining full access to the ransomware, negotiation platform, and leak site. The ambition was high, but the technical execution fell flat.
7. What This Means for Victims and the Ransomware Ecosystem
For victims, the most important takeaway is that paying the ransom will not restore their data. For every file above the 128 KB threshold, the nonce flaw makes decryption impossible even for the malware’s authors; only smaller files, which keep their single nonce, remain decryptable in principle, and those are rarely the ones that matter. That makes VECT a wiper in effect, not a ransomware operation. For the broader cybercrime ecosystem, VECT is a cautionary tale: even a polished RaaS front can hide catastrophic coding errors. Organizations hit by VECT should not negotiate. They should restore from clean backups (if any exist), preserve the encrypted files and the binary for forensic analysis, and report the incident to law enforcement. The TeamPCP partnership, announced on BreachForums, shows that threat actors are still willing to collaborate, but quality control remains sorely lacking.
In conclusion, VECT ransomware is a textbook example of how a single oversight can turn a profit-driven attack into a destructive one. The nonce bug alone makes it a wiper by accident, and the overstated cipher, the ignored speed modes, and the amateur coding ensure that no one, least of all the attackers, benefits from its spread. Understanding these flaws is essential for defenders tasked with protecting enterprise data from this uniquely broken threat.