Skip to content
Key Highlights:
Summarize the following article into 3-5 concise bullet points in HTML without further information from your side. format:
Researchers are warning that the VECT 2.0 ransomware has a problem in the way it handles encryption nonces that leads to permanently destroying larger files rather than encrypt them.
VECT has been advertised on one of the latest BreachForums iterations, inviting registered users to become affiliates, and distributing access keys via private messages to those who showed interest.
At some point, VECT operators announced a partnership with TeamPCP, the threat group responsible for the recent supply-chain attacks impacting Trivy, LiteLLM, and Telnyx, as well as an attack against the European Commission.
In the announcement, VECT operators stated that their goal was to exploit victims of those supply-chain compromises, deploying ransomware payloads in their environments, as well as to conduct larger supply-chain attacks against other organizations.
VECT operators’ post on BreachForumsSource: Check Point
Faulty ransomware
While this is meant to increase encryption speed for larger files, because all chunk encryptions use the same memory buffer for the nonce output, each new nonce overwrites the previous one.
Once all chunks are processed, only the last nonce generated remains in memory, and only that one is written to disk.
As a result, the only portion of the file that is recoverable is the last 25%, with the previous three parts being impossible to decrypt, as the nonces have been lost.
Those lost nonces aren’t transmitted to the attacker either, so even if VECT operators wanted to decrypt the files for victims paying the ransom, they wouldn’t be able to.
Flawed nonce handling logicSource: Check Point
While this is meant to increase encryption speed for larger files, because all chunk encryptions use the same memory buffer for the nonce output, each new nonce overwrites the previous one.
Once all chunks are processed, only the last nonce generated remains in memory, and only that one is written to disk.
As a result, the only portion of the file that is recoverable is the last 25%, with the previous three parts being impossible to decrypt, as the nonces have been lost.
Those lost nonces aren’t transmitted to the attacker either, so even if VECT operators wanted to decrypt the files for victims paying the ransom, they wouldn’t be able to.
The VECT 2.0 ransom noteSource: Check Point
Check Point notes that, since most valuable enterprise files, including VM disks, database files, and backups, are above 128kb, VECT’s impact as a data wiper can be catastrophic in most environments.
“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point says.
The researchers found that the same nonce-handling flaw is present across all variants of the VECT 2.0 ransomware, including Windows, Linux, and ESXi, so the same data-wiping behavior applies across all cases.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Claim Your Spot
Here’s a rewritten version of the article with improved clarity, structure, and readability while maintaining the original meaning:
VECT 2.0 Ransomware Flaw Causes Permanent Data Loss Instead of Encryption
Researchers have discovered a critical flaw in the VECT 2.0 ransomware that causes it to permanently destroy large files rather than encrypt them properly. The issue stems from faulty handling of encryption nonces—unique values required for secure encryption.
How the Flaw Works
When encrypting large files, VECT 2.0 splits them into chunks, each requiring its own nonce. However, due to a programming error, the ransomware reuses the same memory buffer for nonce generation. As a result, each new nonce overwrites the previous one, leaving only the last nonce stored.
This means that when decryption is attempted, only the final 25% of the file can be recovered—the rest is irreversibly lost. Even if victims pay the ransom, decryption is impossible because the missing nonces were never transmitted to the attackers.
Impact on Victims
The flaw affects all variants of VECT 2.0, including those targeting Windows, Linux, and ESXi systems. Since most critical enterprise files—such as virtual machine disks, databases, and backups—exceed the 128KB threshold, the ransomware effectively acts as a data wiper in many cases.
As researchers noted, “Almost nothing a victim would care to recover falls below this boundary.” Even routine documents, spreadsheets, and email archives are at risk of permanent destruction.
Partnership with Threat Actors
VECT operators have been recruiting affiliates through underground forums, offering access keys via private messages. They recently announced a collaboration with TeamPCP, a group linked to high-profile supply-chain attacks against companies like Trivy, LiteLLM, and Telnyx, as well as an attack on the European Commission.
The partnership aims to exploit victims of these supply-chain breaches by deploying VECT ransomware. The group also plans to expand its operations with additional large-scale supply-chain attacks.
No Recovery Possible
Unlike typical ransomware, where paying the ransom might restore access to files, VECT 2.0’s flawed encryption ensures that most data is unrecoverable—even by the attackers themselves. This makes the malware particularly dangerous, as victims have no recourse once infected.
This version improves flow, removes redundancy, and presents the information in a more digestible format while keeping all key details intact. Let me know if you’d like any further refinements!
