VECT 2.0 ransomware-branded file destruction malware
Malware Activity
Summary
The VECT 2.0 malware now behaves like a wiper rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive flaw affects Windows, Linux, and ESXi variants, and files over 131,072 bytes become unrecoverable even if ransom is paid. The Windows build adds anti-analysis, safe-mode persistence, and lateral spread features, while the ESXi build uses geofencing and anti-debugging checks.
Related Happenings
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
How related:
Specifically, the researchers said that the cipher used in the ransomware encryption system is raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in the group’s initial advertisements of its product and mentioned in some threat intelligence reports.
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Kyber ransomware targeting Windows and VMware ESXi
Malware Activity
First: 22.04.2026 21:52
Last: 22.04.2026 21:52
Sources 1
About this happening:
**Kyber ransomware** is actively hitting **Windows** and **VMware ESXi** environments, using two variants that can encrypt files, datastores, and recovery paths. The activity rais...
NAKIVO Backup & Replication v11.2 general-availability release adds ransomware defense and secure email auth
Security Tool/Service
First: 18.04.2026 16:45
Last: 18.04.2026 16:45
Sources 1
About this happening:
**NAKIVO Backup & Replication v11.2** is now generally available, adding **ransomware-resilience controls**, **OAuth 2.0 email authentication**, and expanded **VMware vSphere 9**...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Timeline
- 28.04.2026 17:01 · 2 articles · 29d ago
VECT 2.0 analysis shows large-file destruction across Windows, Linux, and ESXi
Technical Analysis Update
Check Point Research says VECT 2.0 functions like a wiper rather than recoverable ransomware across Windows, Linux, and ESXi because files larger than 131,072 bytes lose the nonce material needed for decryption, making ransom payment ineffective. The operation's affiliate program first launched in December 2025, and its current data leak site lists only two victims said to have been compromised through TeamPCP supply-chain attacks.
Sources:
- VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
- Critical Flaw Turns Vect Ransomware into Data Destroying Wiper — www.infosecurity-magazine.com — 29.04.2026 13:45