Vect ransomware actually destructive wiper malware
Analysis of a new form of ransomware called Vect has uncovered a serious flaw that breaks its core functionality and turns it from a locker to a wiper.
The authors of a new strain of ransomware called Vect are drawing attention thanks to a partnership with the TeamPCP gang and an ambitious collaboration with BreachForums that has seen every registered member of the forum given free access to their platform, but according to malware analysts, its bluster is masking a dangerous secret.
Analysts at Check Point Research (CPR) have been digging into Vect, which surfaced towards the end of 2025, and say they have now found a serious encryption flaw in the locker – which ultimately causes it to act not as an encryptor, but as a data wiper.
Traditionally, the whole point of ransomware is that its effects are reversible: a cyber criminal encrypts and locks the victim’s files and, in theory, hands over the decryption key once they are paid off. In the real world this does not always happen, which is why all major authorities on ransomware concur that ideally, victims should never pay.
However, Vect blows the ransomware ‘business model’ to smithereens. The CPR team found that when Vect encounters a file of over 128KB in size – which in an enterprise context means most files, including virtual machine images, databases, backups and archives – it not only encrypts it but permanently discards the information needed to reverse the process.
This means that even if the cyber criminals are paid, they cannot hand over a working decryptor – not through malice but because it isn’t possible to do so.
“Vect is being marketed as ransomware, but for any file over 128KB, which is most of what enterprises actually care about, it functions as a data destruction tool,” said Eli Smadja, general manager at CPR.
“CISOs need to understand that in a Vect incident, paying is not a recovery strategy. There is no decryptor that can be handed over, not because the attackers are unwilling, but because the information required to build one was destroyed the moment their software ran. The focus has to be on resilience: offline backups, tested recovery procedures, and rapid containment, not negotiation.”
The flaw has been present since before the public 2.0 release of Vect and, at the time of writing, does not appear to have been fixed. It affects all three variants, targeting ESXi, Linux and Windows, CPR said.
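To make the 128KB boundary actionable during triage, the following is an added example (it is neither CPR’s code nor Vect’s) in Python that walks a directory, flags files whose leading bytes are near-random as apparently encrypted, and buckets them by the threshold: anything above 128KB is unrecoverable regardless of what the attackers offer, anything at or below it would in principle depend on a key the attackers may or may not hold. The entropy heuristic, the 64KB sample size, the 7.5-bit cutoff and the sample files are assumptions constructed here; Vect’s file extension is not given on the page, so it is left as an optional parameter.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Size above which CPR reports Vect discards the material needed to decrypt.
WIPE_THRESHOLD = 128 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for ciphertext or
    compressed data, typically 4 to 6 for text and office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 64 * 1024,
                    min_entropy: float = 7.5) -> bool:
    """Heuristic (assumed cutoffs): a file whose leading sample is near-random
    is treated as encrypted. Archives and media are also high-entropy, so in a
    real incident confirm against the ransom note and the attacker's extension."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_bytes)) >= min_entropy


def triage(root: Path, suffix: Optional[str] = None) -> dict:
    """Walk root and bucket apparently encrypted files by the wipe threshold.
    suffix: extension appended by the ransomware, if known; None means rely on
    the entropy heuristic alone."""
    report = {"unrecoverable": [], "key_dependent": [], "untouched": 0,
              "unrecoverable_bytes": 0, "key_dependent_bytes": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if suffix is not None and path.suffix != suffix:
            report["untouched"] += 1
            continue
        if not looks_encrypted(path):
            report["untouched"] += 1
            continue
        size = path.stat().st_size
        # Above the threshold the key material is gone: backup restore only.
        bucket = "unrecoverable" if size > WIPE_THRESHOLD else "key_dependent"
        report[bucket].append(path.relative_to(root).as_posix())
        report[bucket + "_bytes"] += size
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed test data, not real Vect output: os.urandom stands in for
    ciphertext because it has the same near-8-bit entropy."""
    (root / "vm").mkdir()
    (root / "vm" / "disk.vmdk").write_bytes(os.urandom(200 * 1024))   # >128KB, "encrypted"
    (root / "notes.txt").write_bytes(os.urandom(10 * 1024))            # <=128KB, "encrypted"
    (root / "README.md").write_bytes(b"restore from backup\n" * 4000)  # plaintext, ~80KB
    (root / "log.txt").write_bytes(b"2026-01-01 INFO ok\n" * 20000)    # plaintext, ~380KB


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return the triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    r = run_demo()
    print(f"unrecoverable (>128KB): {len(r['unrecoverable'])} files, "
          f"{r['unrecoverable_bytes']} bytes -> restore from clean backup only")
    print(f"key-dependent (<=128KB): {len(r['key_dependent'])} files")
    print(f"not apparently encrypted: {r['untouched']} files")
```

Run it against a read-only mount of the affected volume rather than the live system. The byte totals in the unrecoverable bucket are the number that belongs in the incident report: they are what has to come back from backups whatever the attackers claim, which is the practical meaning of CPR’s advice above.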
Coding cockup?
CPR said it was clear that Vect’s operators were heavily invested in looking legitimate, with a well-designed affiliate panel and genuine partnerships reflecting a polished marketing strategy.
But in other aspects the people behind it appear to have been less diligent. The analysts said they found several advertised features of Vect that simply don’t work. For example, the authors offer encryption speed settings as a way to balance speed and thoroughness of attack execution, but these are non-functional.
Nor do a number of advertised security evasion features, which, although built and compiled into the ransomware, never actually activate. This has the pleasant side effect that any security researcher who cares to can run Vect in a sandbox without triggering an evasive response, making analysis a little easier.
“These are not minor oversights,” the team wrote. “They are the kinds of errors that basic testing would catch, and they suggest a group that has prioritised the appearance of a professional operation over building one.”
CPR said there was also evidence that Vect may have been built on a leaked ransomware codebase dating from early 2022 at the latest, and not written from scratch as its authors claim. The big giveaway here is that Vect does not attack targets in Ukraine, a country that most Russian-speaking gangs stopped shielding after the outbreak of war. That the exclusion is retained suggests the codebase may be much older.
Next steps
Despite its noisy debut, Vect’s dark web leak site lists very few victims – all obtained via TeamPCP’s earlier compromise of Aqua Security’s Trivy vulnerability scanner – so it is unclear how widespread the gang’s activities are at this stage.
Nevertheless, CPR’s advice to victims is crystal clear – do not pay a ransom under any circumstances, you are 100% guaranteed to get nothing in return. The focus should be on recovery through other means, such as restoring from clean backups.
Any organisations that may be exposed to TeamPCP’s spate of supply chain attacks – which also encompass other tools from KICS, LiteLLM and Telnyx – should investigate their estates and rotate their credentials immediately.
For those that have not been hit, CPR noted that even though Vect has its flaws it is not harmless. The gang can still steal important data, systems can still be downed, and it is possible for the flaws to be fixed, which would make it much more dangerous. “This group is worth watching,” said the team.
Read more about ransomware
- Scattered Spider’s alliances with ransomware-as-a-service gangs act as a force multiplier for the scope, and number, of its cyber attacks, according to NCC Group analysts.
- Supply chain attacks, triple extortion, GenAI and RaaS are some of the ransomware trends that will continue to disrupt businesses in 2026. Is your industry a top target?
- A ransomware gang called 0APT has attracted attention, but many of its victims may not even be real, and its operators are being accused of over-egging their criminal pudding.
