VECT: Ransomware by design, Wiper by accident

Check Point Research discovered that VECT 2.0’s encryption implementation permanently destroys files larger than 131,072 bytes by using four per-chunk ChaCha20-IETF nonces but appending only the final nonce, making recovery impossible even for the attacker. The flaw is identical across Windows, Linux, and ESXi variants built from a single libsodium-based codebase and is accompanied by other implementation errors such as misidentified cipher, parsed-but-ignored speed flags, excessive threading, and unreachable anti-analysis routines. #VECT #TeamPCP

Keypoints

  • VECT 2.0 encrypts files with raw ChaCha20-IETF (no Poly1305 MAC). For files above 128 KB it uses four per-chunk nonces but appends only the final 12-byte nonce, so the other three nonces are lost and the first three chunks of every large file are irrecoverable, even with the attacker's key.
  • The critical nonce-handling bug affects all three platform variants (Windows, Linux, ESXi) because they share a single libsodium-based codebase and identical four-chunk logic.
  • Advertised encryption speed modes (--fast, --medium, --secure) are parsed but never acted on; every run uses the same hard-coded thresholds (131,072-byte boundary between single-pass and chunked encryption, 32 KB chunk size).
  • VECT’s operational features include an affiliate builder panel, multi-platform payloads, lateral movement options (WMI, DCOM, SMB, SSH, scheduled tasks, PowerShell remoting), and a partnership announcement with TeamPCP and BreachForums.
  • Multiple additional implementation flaws exist: excessive thread counts that degrade performance, unreachable anti-analysis routines compiled but never invoked, self-cancelling string obfuscation, and other design oversights.
  • Because most critical enterprise artifacts (VM disks, databases, backups, documents) exceed 128 KB, VECT 2.0 functions in practice as a wiper rather than recoverable ransomware; paying ransom cannot restore destroyed data.
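The nonce bug is easiest to see end to end. The block below is an added example written for this page, not VECT's code and not Check Point's; it implements ChaCha20-IETF in pure Python (the same keystream-XOR operation libsodium exposes as crypto_stream_chacha20_ietf_xor) so it runs offline, then reproduces the reported format: one nonce for files up to 131,072 bytes, four per-chunk nonces above that, and a trailer that holds either only the last nonce (the bug) or all four (the fix). Two things the report does not state are this example's assumptions: where in a large file the four 32 KB chunks sit (here spread evenly, which does not affect the outcome) and that the decryptor holds the correct key. Names such as vect_encrypt and vect_decrypt are the example's own.

```python
import os
import struct

# Parameters the report names for VECT 2.0: raw ChaCha20-IETF (12-byte nonce, no MAC),
# single-pass encryption up to 128 KB, four 32 KB chunks above that.
LARGE_FILE_THRESHOLD = 131_072
CHUNK_SIZE = 32_768
CHUNKS = 4
NONCE_LEN = 12
MASK32 = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, RFC 8439 layout: constants, key, 32-bit counter, 96-bit nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key)) \
        + [counter] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *q)
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(w, state)])


def chacha20_ietf_xor(key, nonce, data):
    """Raw ChaCha20-IETF keystream XOR from counter 0. No Poly1305 tag, so decrypting
    with the wrong nonce silently yields garbage instead of an error."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = bytes(data[i:i + 64])
        ks = _chacha20_block(key, i // 64, nonce)[:len(block)]
        out += (int.from_bytes(block, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(block), "little")
    return bytes(out)


def chunk_ranges(size):
    """Byte ranges of the four encrypted chunks in a large file. Assumption: the report does
    not say where the chunks sit, so this example spaces them evenly across the file."""
    stride = size // CHUNKS
    return [(i * stride, i * stride + CHUNK_SIZE) for i in range(CHUNKS)]


def vect_encrypt(plaintext, key, keep_all_nonces=False):
    """Small files: one pass, one nonce appended. Large files: four chunks, four fresh nonces.
    keep_all_nonces=False reproduces the reported bug (only the final nonce is appended);
    True is the fix (all four appended, in chunk order)."""
    if len(plaintext) <= LARGE_FILE_THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return chacha20_ietf_xor(key, nonce, plaintext) + nonce
    buf = bytearray(plaintext)
    nonces = []
    for start, end in chunk_ranges(len(plaintext)):
        nonces.append(os.urandom(NONCE_LEN))
        buf[start:end] = chacha20_ietf_xor(key, nonces[-1], buf[start:end])
    return bytes(buf) + (b"".join(nonces) if keep_all_nonces else nonces[-1])


def vect_decrypt(blob, key, nonce_count):
    """A decryptor that has only the key and the trailer. With nonce_count == 1 it can do no
    better than replay the single stored nonce over every chunk."""
    body, trailer = blob[:-NONCE_LEN * nonce_count], blob[-NONCE_LEN * nonce_count:]
    stored = [trailer[i:i + NONCE_LEN] for i in range(0, len(trailer), NONCE_LEN)]
    if len(body) <= LARGE_FILE_THRESHOLD:
        return chacha20_ietf_xor(key, stored[-1], body)
    buf = bytearray(body)
    nonces = stored if len(stored) == CHUNKS else [stored[-1]] * CHUNKS
    for (start, end), nonce in zip(chunk_ranges(len(body)), nonces):
        buf[start:end] = chacha20_ietf_xor(key, nonce, buf[start:end])
    return bytes(buf)


def chunks_recovered(original, recovered):
    """Per-chunk truth table: which of the four regions round-tripped intact."""
    return [recovered[s:e] == original[s:e] for s, e in chunk_ranges(len(original))]


def demo(size=LARGE_FILE_THRESHOLD + 4096):
    """Constructed random input standing in for a VM disk or database. Returns (buggy, fixed)."""
    key, original = os.urandom(32), os.urandom(size)
    buggy = vect_decrypt(vect_encrypt(original, key), key, nonce_count=1)
    fixed = vect_decrypt(vect_encrypt(original, key, keep_all_nonces=True), key, nonce_count=CHUNKS)
    return chunks_recovered(original, buggy), chunks_recovered(original, fixed)


if __name__ == "__main__":
    print(demo())  # buggy layout recovers only the final chunk; fixed layout recovers all four
```

The point the demo makes is that the key is not the problem: the attacker's decryptor with the correct key still only recovers the fourth chunk, because a stream cipher keystream is a function of (key, nonce, counter) and three of the nonces were never written anywhere. Without a MAC there is also no signal that decryption failed; the first three regions simply come back as noise.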

MITRE Techniques

  • [T1486] Data Encrypted for Impact – VECT encrypts files in place with raw ChaCha20-IETF as its primary disruptive action (‘the entire content is encrypted in a single pass’ for small files, a ‘per-chunk encryption helper’ for large ones).
  • [T1485] Data Destruction – Because of the nonce-handling bug, VECT permanently destroys large files instead of encrypting them recoverably (‘permanently and irrecoverably destroyed rather than encrypted’).
  • [T1047] Windows Management Instrumentation – The Windows variant uses WMI for lateral movement and remote execution (‘Methods include: admin share file copy, Windows Credential Manager storage via cmdkey, WMI execution, DCOM/MMC application instantiation’).
  • [T1021.002] SMB/Windows Admin Shares – VECT spreads by copying itself to administrative shares and over SMB (‘Methods include: admin share file copy… and network-accessible storage’).
  • [T1053.005] Scheduled Task – The locker can create scheduled tasks on remote hosts to execute itself there (‘remote scheduled task creation’).
  • [T1021.004] SSH – Linux/ESXi variants move laterally over SSH, copying the payload with scp and launching it with ssh on reachable hosts (‘the locker tries to connect… copies itself over via scp and executes itself via ssh’).
  • [T1562.001] Disable or Modify Tools – The Windows variant disables Defender through PowerShell (‘Set-MpPreference via PowerShell disables realtime, behavior, IOAV, and script scanning’).
  • [T1070.001] Clear Windows Event Logs – The malware clears event logs as cleanup and anti-forensics (‘wevtutil cl Application, Security, System, Windows PowerShell’).
  • [T1490] Inhibit System Recovery – VECT deletes volume shadow copies to prevent recovery (‘vssadmin delete shadows /all /quiet’).
  • [T1543.003] Create or Modify System Process: Windows Service – The Windows variant persists into safe mode by writing its executable path into the registry under the safe-boot service load path (‘writes its own executable path into the Windows registry under the safe-boot service load path with value “Service”’).
  • [T1552.001] Credentials In Files – The ESXi/Linux variants harvest SSH keys and parse SSH client configuration to enable lateral movement (‘All readable keys from the home and /root directories are extracted’ and ‘/etc/ssh/ssh_config and ~/.ssh/config are read and parsed’).
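The Windows-side commands quoted above (shadow copy deletion, event log clearing, Set-MpPreference, the safe-boot registry write) are loud on process-creation telemetry and tend to fire within seconds of each other just before encryption starts. The block below is an added detection sketch written for this page, not tooling from the report: one regex rule per quoted command, run over constructed process-creation records, with a per-host window that flags a machine only when two or more distinct techniques fire close together, so a lone admin listing shadow copies is not paged on. The SafeBoot\Minimal and SafeBoot\Network key path is this example's reading of ‘safe-boot service load path’ (the report quotes only the value name ‘Service’), and every host name, timestamp and command line below is made up.

```python
import re
from datetime import datetime, timedelta

# Rules keyed to the commands the report quotes. The SafeBoot key path is this example's
# assumption about "safe-boot service load path"; the report names only the value "Service".
RULES = [
    ("T1490", "shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1070.001", "event log clearing",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S", re.I)),
    ("T1562.001", "Defender disabled via Set-MpPreference",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|ScriptScanning)", re.I)),
    ("T1543.003", "safe-boot service load path write",
     re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)),
]

# Constructed process-creation records (not from any real host): one box running the
# pre-encryption sequence, one admin listing shadows legitimately, one lone registry write.
EVENTS = [
    {"ts": "2026-01-10T02:14:03", "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-01-10T02:14:05", "host": "FS01", "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2026-01-10T02:14:09", "host": "FS01",
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"'},
    {"ts": "2026-01-10T09:30:00", "host": "ADMIN-WS", "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2026-01-10T11:02:44", "host": "DB02",
     "cmdline": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\svc1" /ve /d Service /f'},
]


def match_rules(cmdline):
    """Technique IDs whose rule fires on one command line."""
    return [tid for tid, _, rx in RULES if rx.search(cmdline)]


def triage(events, window=timedelta(minutes=10), min_techniques=2):
    """Per host, flag when at least min_techniques distinct techniques fire inside one window.
    Single hits (an admin listing shadows, a lone registry write) are left for manual review."""
    hits = {}
    for ev in events:
        for tid in match_rules(ev["cmdline"]):
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), tid))
    flagged = {}
    for host, seq in hits.items():
        seq.sort()
        for t0, _ in seq:
            techs = {tid for t, tid in seq if t0 <= t <= t0 + window}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs)
                break
    return flagged


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], ev["ts"], match_rules(ev["cmdline"]) or "-")
    print("flagged:", triage(EVENTS))
```

Because the report says large files are destroyed rather than encrypted, the value of this detection is in the seconds between the shadow-copy deletion and the first file write; a host flagged by triage() should be isolated immediately rather than queued for later review.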

Indicators of Compromise

  • [File Hashes] VECT sample SHA-256 hashes from the report – 9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f (Windows), 8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d (Linux), and 4 more hashes.
  • [File Names / Extensions] Ransom artefacts and encrypted files – !!!READ_ME!!!.txt (ransom note), dvm3_wall.bmp (branded wallpaper), .vect (encrypted file extension).
  • [Domains / Onion] Ransom contact and leak site – vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion/chat/REDACTED (Tor chat URL shown in the ransom note).
  • [Processes & Services] Targeted processes/services (terminated to release file locks before encryption) – sql.exe, oracle.exe, mysqld.exe, and many database/backup/security services (see report list).
  • [Paths / Targets] Default target locations – Windows: all drives (logical, removable, network); ESXi default: /vmfs/volumes; Linux default: / (root).


Read more: https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/