Vect is a newly observed RaaS operation that has rapidly expanded through strategic partnerships with TeamPCP and BreachForums and supports multi-platform payloads for Windows, Linux, and ESXi. Analysis shows extensive lateral movement, credential reuse, obfuscation, ChaCha20 encryption with “.vect” file extension, and potential links to Devman based on strings and ransom note similarities. #Vect #TeamPCP
Keypoints
- Vect emerged in January 2026 and runs an open affiliate program that accepts new members via invite codes or automatic keys distributed through BreachForums.
- Strategic partnership with TeamPCP (linked to supply chain compromises of Trivy, KICS, LiteLLM, and Telnyx SDK) increases Vect’s potential reach and sophistication.
- Vect publishes victims on a leak site and maintains an X account for claims; 25 victims have been posted so far with the U.S. and the Technology sector most targeted.
- Affiliates generate payloads from a builder supporting Windows, Linux, and ESXi, with features for lateral movement, credential override, and multiple encryption modes.
- Windows sample uses obfuscated strings (rotating XOR), multiple lateral movement methods (RDP, SMB, WinRM, PSExec, Scheduled Tasks via CIM), and hardcoded Base64 credentials that can be overridden at runtime.
- Linux/ESXi variants implement geo-fencing to avoid CIS/post-Soviet regions and terminate security, backup, and database processes before encryption; the ESXi variant additionally terminates running VMs so their disk images are unlocked.
- Evidence of a possible connection to Devman appears in compiled strings, debug logs, and ransom-note similarities, warranting further investigation.
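The rotating-XOR string protection mentioned above is what an analyst has to undo before the lateral-movement commands and credentials become readable. The following is an added example, not the Vect sample's routine and not code from the LevelBlue article: the summary only says strings are decoded at runtime using rotating XOR, so the exact scheme here (one key byte, rotated left by one bit after every plaintext byte) is an assumption, and the obfuscated blob is constructed from the string "cmdkey /add:" rather than carved from a real sample. It shows the two recovery approaches that work against any single-byte rotating XOR: known-plaintext key recovery and a 256-key brute force filtered on printable output.

```python
"""Rotating-XOR string decoding as an analyst would script it.

Added example, not the Vect sample's routine: the summary only says the
strings are "assembled and decoded at runtime using rotating XOR", so the
scheme below (one key byte, rotated left by one bit after every plaintext
byte) is an assumption chosen to show the two recovery approaches that
work against any single-byte rotating XOR: known-plaintext key recovery
and a 256-key brute force filtered on printable output.
"""
from typing import List, Tuple


def rotl8(x: int, n: int = 1) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF


def rot_xor(data: bytes, key: int) -> bytes:
    """Encode/decode: byte i is XORed with rotl8(key, i).

    XOR is an involution, so the same call both obfuscates and recovers.
    """
    out = bytearray()
    k = key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = rotl8(k)
    return bytes(out)


# Constructed blob: rot_xor(b"cmdkey /add:", 0x5A). Not extracted from any
# sample; it stands in for one string-table entry carved out of a binary.
OBFUSCATED = bytes.fromhex("39d90db9c032b6023bd00de8")


def key_from_known_plaintext(blob: bytes, known_prefix: bytes) -> int:
    """The key stream at offset 0 is the key itself, so one known leading
    byte (a command name, a ransom-note word) gives the key back directly."""
    return blob[0] ^ known_prefix[0]


def brute_force(blob: bytes) -> List[Tuple[int, str]]:
    """Try all 256 keys and keep the decodes that are entirely printable ASCII.

    For this rotation scheme a wrong key leaves an XOR residue that reaches
    bit 7 within 8 bytes, so any blob of 8+ bytes yields exactly one hit.
    """
    hits: List[Tuple[int, str]] = []
    for key in range(256):
        plain = rot_xor(blob, key)
        if all(0x20 <= b < 0x7F for b in plain):
            hits.append((key, plain.decode("ascii")))
    return hits


if __name__ == "__main__":
    k = key_from_known_plaintext(OBFUSCATED, b"cmd")
    print(f"known-plaintext key=0x{k:02x} -> {rot_xor(OBFUSCATED, k)!r}")
    for key, text in brute_force(OBFUSCATED):
        print(f"brute-force candidate key=0x{key:02x}: {text!r}")
```

Against a real sample the same two functions are run over every blob passed to the decode routine (found by cross-referencing the XOR loop in a disassembler); only the key schedule in `rot_xor` needs to be replaced with the one observed in the binary.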
MITRE Techniques
- [T1021] Remote Services – Uses multiple remote service methods for lateral movement, including RDP, SMB, WinRM, PSExec, and SSH (‘RDP – copies itself to each domain computer, then stores credentials via cmdkey’).
- [T1053.005] Scheduled Task/Job – Registers randomly named scheduled tasks via CIM sessions to execute payloads remotely and then removes the artifacts (‘Scheduled Task via CIM – copies itself to each target, registers a randomly named Scheduled Task running as SYSTEM via CIM session’).
- [T1047] Windows Management Instrumentation (WMI) – Interacts with WMI over WinRM using New-CimSession to deploy and execute tasks remotely (‘It uses New-CimSession to interact directly with WMI over WinRM.’).
- [T1078] Valid Accounts – Uses hardcoded and panel-configurable credentials for lateral movement and execution, with an override parameter (--creds) to supply credentials at runtime (‘All spread functions take advantage of hardcoded Base64-encoded credentials embedded within the sample, which can be customized on the panel or overridden at execution using the “--creds” parameter.’).
- [T1552.001] Credentials in Files – Hardcoded Base64-encoded credentials embedded within the sample facilitate access and propagation (‘hardcoded Base64-encoded credentials embedded within the sample’); these are operator-supplied at build time rather than harvested from the victim, so the T1078 entry above is the more precise mapping for their use.
- [T1027] Obfuscated Files or Information – Strings are stored as encrypted bytes and decoded at runtime using a rotating XOR routine to hinder static analysis (‘the sample implements obfuscated strings… assembled and decoded at runtime using rotating XOR’).
- [T1486] Data Encrypted for Impact – Encrypts victim files using ChaCha20 and appends the “.vect” extension to each encrypted file before dropping ransom notes (‘encrypts files using ChaCha20 and appends the “.vect” extension to each encrypted file’).
- [T1490] Inhibit System Recovery – Terminates security, backup, and database processes (pkill -9) and, on ESXi, kills running VMs so their disk images are unlocked for encryption (‘Before encrypting, the malware terminates security, backup, and database processes using “pkill -9”…’ and ‘ESXi… enumerate and terminate all running virtual machines… ensuring their disk images are unlocked and available for encryption.’). T1490 fits the backup-product kills; the security-tool kills also map to T1562.001 Impair Defenses: Disable or Modify Tools, and the VM shutdown to T1489 Service Stop.
- [T1569.002] Service Execution – Creates and executes randomly named services via sc.exe, then deletes them, to run payloads on remote hosts (‘PSExec – copies itself to each target, creates a randomly named service via sc.exe to execute the payload, then deletes the service to minimize traces’).
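The three Windows spread methods quoted in the T1021, T1053.005 and T1569.002 entries each leave a standard event behind: a 7045 service-install record for the sc.exe service, a 4698 task-creation record for the CIM-registered task, and a 4688 process-creation record for cmdkey /add. The following is an added example of hunting logic over such records, not code from the article or from any Vect tooling: the event dictionaries are constructed (hosts, names and paths are invented; field names follow the real 7045/4698/4688 schemas), and the random-name heuristic is an assumption that must be paired with an allowlist in a real deployment.

```python
"""Hunting heuristics for the Windows spread artefacts described above.

Added example, not code from the article or from the Vect toolkit. The
events are constructed to resemble flattened Windows event records
(System 7045 = service installed, Security 4698 = scheduled task created,
Security 4688 = process created); field names follow those event schemas,
but the hosts, names and paths are invented.
"""
import math
import re
from typing import Dict, List

SYSTEM_SID = "S-1-5-18"  # the Local System principal used in TaskContent XML

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign service install
    {"EventID": "7045", "Host": "WS01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    # PSExec-style spread: random service name, payload dropped next to it
    {"EventID": "7045", "Host": "WS01", "ServiceName": "KqzrtYpx",
     "ImagePath": r"C:\Windows\KqzrtYpx.exe", "AccountName": "LocalSystem"},
    # benign scheduled task
    {"EventID": "4698", "Host": "WS02", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "TaskContent": "<Principal><UserId>S-1-5-18</UserId></Principal>"},
    # CIM-registered task: random leaf name, runs as SYSTEM, registered by a user
    {"EventID": "4698", "Host": "WS02", "SubjectUserName": "jdoe",
     "TaskName": r"\hGv7pQ2wLz",
     "TaskContent": "<Principal><UserId>S-1-5-18</UserId></Principal>"},
    # cmdkey used to stash credentials ahead of the RDP spread
    {"EventID": "4688", "Host": "WS03", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": r"cmdkey /add:WS04 /user:CORP\svc_backup /pass:REDACTED"},
    # benign cmdkey use
    {"EventID": "4688", "Host": "WS03", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": "cmdkey /list"},
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names like those the builder assigns to
    its services and tasks: alphanumeric leaf, high entropy, and either
    repeated case switches or embedded digits. Thresholds are assumptions."""
    leaf = name.rsplit("\\", 1)[-1]
    if not re.fullmatch(r"[A-Za-z0-9]{6,32}", leaf):
        return False
    case_switches = sum(
        1 for a, b in zip(leaf, leaf[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    has_digit = any(ch.isdigit() for ch in leaf)
    return shannon_entropy(leaf) >= 3.0 and (case_switches >= 2 or has_digit)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event matching a spread pattern from the summary."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventID", "")
        rule = None
        if eid == "7045" and looks_random(ev.get("ServiceName", "")):
            rule = "T1569.002 random-named service install (sc.exe/PSExec-style spread)"
        elif (eid == "4698" and looks_random(ev.get("TaskName", ""))
              and SYSTEM_SID in ev.get("TaskContent", "")):
            rule = "T1053.005 random-named scheduled task running as SYSTEM"
        elif (eid == "4688"
              and ev.get("NewProcessName", "").lower().endswith("\\cmdkey.exe")
              and re.search(r"/add:", ev.get("CommandLine", ""), re.IGNORECASE)):
            rule = "T1021.001 cmdkey /add ahead of RDP spread"
        if rule:
            detail = ev.get("ServiceName") or ev.get("TaskName") or ev.get("CommandLine", "")
            alerts.append({"Host": ev.get("Host", "?"), "EventID": eid,
                           "Rule": rule, "Detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['Host']} {alert['EventID']} {alert['Rule']}: {alert['Detail']}")
```

Two of the three signals are strongest in combination: a 7045 or 4698 with a random name on several hosts within minutes, each preceded by an SMB write of the same binary, is the spread pattern; a single cmdkey /add on an admin workstation is routine and only becomes interesting alongside the other two.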
Indicators of Compromise
- [SHA1] Vect sample hashes – e27f4feffc1ba6bf4e35aec4a5270fccb636e5cf, f4b904fb6ba8474cb87f26302b74c4b82c106003, and 4 more hashes.
- [SHA1] ESXi/Linux sample hashes – 69aa94434f545b41198b7d21f9acc71457584e62 (ESXi), 488ed9ff65652a738042d93678591a579714a791 (Linux).
- [File extension] Encrypted file extension used by Vect – .vect (appended to encrypted files and referenced in ransom notes).
- [Platform account] Public leak and claim channels – Vect leak site (25 victims published; first posted Jan 5) and Vect account on X (formerly Twitter) used to announce victims and claims.
- [Processes/Applications targeted] Processes and services terminated prior to encryption – examples include CrowdStrike Falcon, Veeam, and other security/backup/database applications listed in the article.
Read more: https://www.levelblue.com/blogs/spiderlabs-blog/inside-vect-ransomware-as-a-service