Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
H score 26
2 unique sources, 2 articles

Summary

Vect 2.0 ransomware was shown to use raw ChaCha20-IETF (RFC 8439) without authentication, causing files above 128 KB to be permanently destroyed across Windows, Linux and ESXi variants. That turns the locker into a wiper for many enterprise files, including VM disks, databases and backups. The flaw undercuts the group’s encryption claims and makes recovery impossible for affected large files.

Related Happenings

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

Vect 2.0 ransomware wiper-flaw activity

Malware Activity
First: 29.04.2026 18:23 Last: 29.04.2026 18:23 Sources 1

How related: The Vect 2.0 variant of the ransomware-as-a-service (RaaS) operation, which first appeared last December, has a flaw across its versions for Windows, Linux, and VMware ESXi that inadvertently and permanently destroys so-called "large files" rather than encrypting them, according to a report published this week by Check Point Software.

About this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

How related: Vect 2.0 ransomware has been found to wipe large, compromised files instead of merely encrypting them, making recovery impossible – even for the attackers.

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

Kyber ransomware targeting Windows and VMware ESXi

Malware Activity
First: 22.04.2026 21:52 Last: 22.04.2026 21:52 Sources 1

About this happening: **Kyber ransomware** is actively hitting **Windows** and **VMware ESXi** environments, using two variants that can encrypt files, datastores, and recovery paths. The activity rais...

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

Timeline

  1. 29.04.2026 13:45 · 2 articles

    Check Point Research discloses Vect 2.0 file-destruction flaw

    Initial Disclosure

    Check Point Research disclosed that Vect 2.0 ransomware uses raw ChaCha20-IETF (RFC 8439) without authentication, causing files above 131,072 bytes (128 KB) to be permanently destroyed instead of encrypted across Windows, Linux and VMware ESXi variants. The researchers said the same nonce-handling flaw and missing integrity protection are present across publicly available Vect versions, turning the locker into a wiper for large enterprise files such as VM disks, databases, documents and backups.
