Vect ransomware activity with cross-platform encryption and double extortion
Malware Activity
Summary
Security researchers say Vect is a new ransomware-as-a-service (RaaS) operation that has already claimed victims in Brazil and South Africa. Its malware targets Windows, Linux and VMware ESXi, uses ChaCha20-Poly1305 with intermittent encryption, and runs in Safe Mode to suppress security tools. The group is also using a double extortion model and recruiting affiliates, suggesting it is preparing for broader expansion.
Related Happenings
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
0APT and KryBit ransomware turf war forces rebuild and rebrand pressure
Threat Actor Meta
First: 28.04.2026 16:00
Last: 28.04.2026 16:00
Sources 1
About this happening:
**0APT** and **KryBit** escalated a ransomware turf war in **April 2026** by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that u...
Timeline
03.02.2026 16:00 2 articles · 3mo ago
Vect RaaS disclosed with cross-platform ransomware and double extortion
Initial Disclosure
Vect is described as a new ransomware-as-a-service operation that began recruiting affiliates in December 2025, had already claimed victims in Brazil and South Africa, and used custom C++ ransomware targeting Windows, Linux and VMware ESXi with ChaCha20-Poly1305, intermittent encryption, Safe Mode execution to suppress security tools, and a double extortion model backed by TOR, Monero, and TOX-based affiliate communications.
Sources
- Researchers Warn of New “Vect” RaaS Variant — www.infosecurity-magazine.com — 03.02.2026 16:00