VECT 2.0 Ransomware Operation Degrades to Irreversible Data Destruction Due to Critical Encryption Flaw
Summary
A newly observed variant of the VECT ransomware (VECT 2.0) irretrievably destroys files larger than 131KB on Windows, Linux, and ESXi systems due to a fundamental design flaw in its encryption implementation. The flaw causes the malware to discard critical decryption metadata (nonces) for 75% of affected files, rendering recovery impossible regardless of ransom payment. Security researchers characterize the operation as a data wiper masquerading as ransomware, emphasizing that negotiating with threat actors offers no recovery path. VECT 2.0 operates as a ransomware-as-a-service (RaaS) scheme with a $250 Monero entry fee (waived for Commonwealth of Independent States affiliates) and has formed partnerships with BreachForums and TeamPCP to facilitate data exfiltration and affiliate recruitment.
Timeline
- 28.04.2026 17:01 · 1 article
  VECT 2.0 Ransomware Variant Fails as Encryption Tool, Acts as Irreversible Data Wiper
  Analysis reveals VECT 2.0 irretrievably destroys files exceeding 131KB due to discarded decryption nonces during encryption, eliminating recovery options. The Windows variant includes anti-analysis, safe-mode persistence, and lateral movement features, while ESXi/Linux variants share code and enforce CIS geofencing exclusions. The RaaS operation, priced at $250 Monero for affiliates, has partnered with BreachForums and TeamPCP.
  Sources:
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
Information Snippets
- VECT 2.0 destroys files larger than 131,072 bytes permanently by encrypting four independent chunks per file but discarding the first three 12-byte nonces required for decryption, leaving only the final nonce stored on disk.
  First reported: 28.04.2026 17:01 (1 source, 1 article)
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
- The malware uses an unauthenticated, weaker cipher instead of the claimed ChaCha20-Poly1305 AEAD, lacking integrity protection and enabling irreversible corruption of large files.
  First reported: 28.04.2026 17:01 (1 source, 1 article)
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
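The two snippets above describe a per-chunk stream cipher whose nonces are discarded and whose output carries no authentication tag. The following added example (written for this page, not code from the report, the researchers or the malware) models that mechanism with a pure-Python ChaCha20 on in-memory bytes, to show why the chunks whose nonces were dropped cannot be recovered even with the correct key, and why, without Poly1305, a decryptor cannot even detect that it used the wrong nonce. The split into four equal slices and the names `encrypt_in_chunks` and `attempt_recovery` are assumptions for illustration.

```python
import os
import struct

MASK = 0xFFFFFFFF
def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):  # RFC 8439 quarter round, in place
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    # One 64-byte keystream block: 32-byte key, 32-bit block counter, 12-byte nonce.
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *q)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data, counter=1):
    # Unauthenticated ChaCha20 stream: encrypt and decrypt are the same XOR, and
    # without a Poly1305 tag nothing tells a decryptor whether the nonce was right.
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], _chacha20_block(key, counter + i // 64, nonce)))
    return bytes(out)

def encrypt_in_chunks(key, plaintext, chunks=4):
    # Model of the reported flaw (assumed equal slices): every slice gets its own
    # random nonce, but only the final nonce is retained (returned as if written to disk).
    size = -(-len(plaintext) // chunks)
    parts = [plaintext[i:i + size] for i in range(0, len(plaintext), size)]
    nonces = [os.urandom(12) for _ in parts]
    return b"".join(chacha20_xor(key, n, p) for n, p in zip(nonces, parts)), nonces[-1], size

def attempt_recovery(key, ciphertext, stored_nonce, size):
    # All a decryptor holding the key and the one surviving nonce can do: apply it
    # to every slice. Wrong slices come back as keystream garbage, with no error.
    parts = [ciphertext[i:i + size] for i in range(0, len(ciphertext), size)]
    return [chacha20_xor(key, stored_nonce, p) for p in parts]

def demo():
    # Constructed sample: four 200-byte slices of distinct repeated letters.
    key, plaintext = os.urandom(32), b"".join(bytes([65 + i]) * 200 for i in range(4))
    ct, last_nonce, size = encrypt_in_chunks(key, plaintext)
    return [r == plaintext[i * size:(i + 1) * size] for i, r in enumerate(attempt_recovery(key, ct, last_nonce, size))]
```

`demo()` returns `[False, False, False, True]`: only the slice whose nonce survived decrypts, and the three others are unrecoverable because a 96-bit nonce cannot be brute-forced and the cipher gives no signal that would distinguish a correct guess.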
- Windows variant of VECT 2.0 includes anti-analysis features targeting 44 security/debugging tools, safe-mode persistence via registry modification, and lateral movement templates for script-based execution.
  First reported: 28.04.2026 17:01 (1 source, 1 article)
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
- ESXi and Linux variants share code and enforce geofencing to exclude CIS countries (including Ukraine) from encryption, a behavior uncommon in modern RaaS operations post-2022.
  First reported: 28.04.2026 17:01 (1 source, 1 article)
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
- VECT 2.0 requires a $250 Monero fee for new affiliates, with waivers for Commonwealth of Independent States applicants, and has partnered with BreachForums and TeamPCP to weaponize stolen credentials.
  First reported: 28.04.2026 17:01 (1 source, 1 article)
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01
- Analysts assess VECT 2.0 operators as novice actors, possibly leveraging AI-generated code, despite the operation's polished RaaS infrastructure and multi-platform targeting.
  First reported: 28.04.2026 17:01 (1 source, 1 article)
  - VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi — thehackernews.com — 28.04.2026 17:01