Vect 2.0 ransomware wiper-flaw activity
Malware Activity
Summary
The Vect 2.0 ransomware variant now permanently destroys large files instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects versions for Windows, Linux, and VMware ESXi and makes the malware behave like a wiper for data above 128 KB. Because the encryption metadata is discarded, even a working decryptor cannot restore the largest files. The issue raises the stakes for organizations that depend on large operational files, databases, documents, and backups.
Related Happenings
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
How related:
According to Check Point, the flaw exists because Vect's ChaCha20-IETF encryption scheme encrypts four independent chunks of each "large file" under four freshly generated random 12-byte nonces, but appends only the final nonce to the encrypted file on disk.
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Kyber ransomware targeting Windows and VMware ESXi
Malware Activity
First: 22.04.2026 21:52
Last: 22.04.2026 21:52
Sources 1
About this happening:
**Kyber ransomware** is actively hitting **Windows** and **VMware ESXi** environments, using two variants that can encrypt files, datastores, and recovery paths. The activity rais...
Lotus Wiper destructive activity against Venezuelan energy systems
Malware Activity
First: 22.04.2026 13:55
Last: 22.04.2026 13:55
Sources 1
About this happening:
Researchers uncovered **Lotus Wiper**, a **previously undocumented data wiper**, in **destructive attacks** against **Venezuela**. The operation targeted the **energy and utilitie...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Timeline
29.04.2026 18:23 2 articles · 28d ago
Vect 2.0 ransomware wiper-flaw activity
Initial Disclosure
Vect 2.0 emerged as a ransomware-as-a-service operation **last December** and began claiming victims in **January 2026**. The current phase exposes a destructive encryption bug that turns the malware into a de facto wiper for large files on multiple platforms.
Sources:
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error — www.darkreading.com — 29.04.2026 18:23