- Vect 2.0 ransomware contains a critical flaw that leaves files over 128KB permanently unrecoverable: they are encrypted, but the values needed to decrypt them are thrown away.
- Check Point Research found the bug discards three of four decryption nonces, making files unrecoverable by anyone—including the attackers themselves.
- The ransomware, linked to the TeamPCP threat group behind the Trivy and LiteLLM supply-chain attacks, advertises itself as ransomware but functions as a wiper.
Somewhere in the ransomware-as-a-service supply chain, someone made a catastrophic coding error. Vect 2.0, a ransomware operation that launched in December 2025 and quickly partnered with the TeamPCP group responsible for major supply-chain attacks, contains a flaw that permanently destroys large files rather than encrypting them. Organizations hit by this bug can’t recover their data—even if they pay the ransom.
Check Point Research discovered the flaw while analyzing Vect 2.0’s three lockers, built for Windows, Linux, and VMware ESXi hypervisors. The bug is straightforward and devastating: for every file above 131,072 bytes (128KB), the encryption routine generates four independent nonces (one-time values that are not secret, but without which a chunk cannot be decrypted) and stores only the fourth one on disk. The other three are generated, used once, and silently discarded. No backup. No registry entry. No transmission to the operator. A 96-bit ChaCha20 nonce cannot be brute-forced, so the first three chunks of every large file are gone for good.
“Since the vast majority of operationally critical files exceed this ‘large-size’ threshold, Vect 2.0 functions in practice as a data wiper with a ransomware facade,” wrote Check Point researcher Eli Smadja. “Victims who pay the ransom cannot receive a working decryptor for their largest files, not through operator deception, but through mathematical certainty.”
A RaaS Operation That Can’t Decrypt Its Own Victims
Compounding the nonce bug is a mismatch between what Vect claims to use and what it actually deploys. Vect’s advertisements and some threat intelligence reports list ChaCha20-Poly1305 AEAD, an authenticated encryption scheme that provides both confidentiality and integrity protection. In reality, Check Point found raw ChaCha20-IETF (RFC 8439) with no authentication and no integrity checking. “There is no Poly1305 MAC and no integrity protection,” the researchers noted. “This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as virtual machine disks, databases, documents and backups included.” Without a Poly1305 tag there is also no way for a decryptor to detect that it has been handed the wrong nonce: applying the one surviving nonce to the first three chunks simply emits keystream-masked garbage, with no error to flag it.
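To make the mechanism concrete, here is an added example that is not Vect’s code, not Check Point’s and not libsodium’s: a pure-Python ChaCha20-IETF (RFC 8439) core, checked against the RFC’s own test vector, followed by a reconstruction of the failure described above (four chunks, four fresh nonces, only the fourth written to disk) and of the missing-MAC point (wrong nonce, no error). The four-equal-chunk layout, the 12-byte nonce appended to the ciphertext and the function names are assumptions made for illustration; the report only gives the 131,072-byte threshold, the four-chunk structure and the discarded nonces.

```python
"""Added example: pure-Python ChaCha20-IETF (RFC 8439) plus a reconstruction of
the Vect 2.0 nonce-handling failure described in the report. Not Vect's code,
not Check Point's, not libsodium's. The four-equal-chunk layout and the 12-byte
nonce appended to the ciphertext are assumptions made for illustration."""
import os
import struct

LARGE_FILE_THRESHOLD = 131_072   # 128 KiB, the threshold given in the report
MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: constants, 256-bit key, 32-bit counter, 96-bit nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8L", key))
    state += [counter & MASK32] + list(struct.unpack("<3L", nonce))
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20 stream XOR (the operation libsodium's crypto_stream_chacha20_ietf_xor
    performs): no Poly1305 tag, so a wrong nonce yields garbage with no error."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_known_answer():
    """Hex of the first 16 ciphertext bytes of the RFC 8439 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt, counter=1)[:16].hex()


def _split4(data):
    n = -(-len(data) // 4)                   # ceiling division: four chunks (assumed layout)
    return [data[i:i + n] for i in range(0, len(data), n)]


def vect_style_encrypt(plaintext, key, threshold=LARGE_FILE_THRESHOLD):
    """Reproduces the reported flaw for files over the threshold: four chunks,
    four fresh nonces, only the fourth nonce written to disk. Returns
    (blob, discarded_nonces). The real locker keeps nothing of the latter; they
    are returned here only so a test can prove the loss is purely the nonces."""
    if len(plaintext) <= threshold:
        nonce = os.urandom(12)
        return chacha20_xor(key, nonce, plaintext) + nonce, []
    chunks = _split4(plaintext)
    nonces = [os.urandom(12) for _ in chunks]
    body = b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, chunks))
    return body + nonces[-1], nonces[:-1]    # nonces[0..2] are now gone


def decryptor_attempt(blob, key):
    """Large-file path: all a 'working decryptor' has is the key and the one stored nonce."""
    body, stored = blob[:-12], blob[-12:]
    return [chacha20_xor(key, stored, c) for c in _split4(body)]


def recovery_report(plaintext, key, threshold=LARGE_FILE_THRESHOLD):
    """Per-chunk boolean: did decryption with the on-disk artefacts succeed?"""
    blob, _ = vect_style_encrypt(plaintext, key, threshold)
    return [r == o for r, o in zip(decryptor_attempt(blob, key), _split4(plaintext))]


def recover_with_all_nonces(blob, discarded, key):
    """Counterfactual: had all four nonces been stored, recovery would be trivial."""
    body, stored = blob[:-12], blob[-12:]
    nonces = list(discarded) + [stored]
    return b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, _split4(body)))


if __name__ == "__main__":
    key = os.urandom(32)
    big = bytes(i % 251 for i in range(LARGE_FILE_THRESHOLD + 1))  # constructed input, 1 byte over
    print("chunks recovered from disk:", recovery_report(big, key))
```

Run stand-alone, the script reports that only the fourth chunk of a file one byte over the threshold comes back intact. The `recover_with_all_nonces` counterfactual is there to show the cipher itself is sound: given the three nonces the locker throws away, the whole file decrypts. Note also that the three failed chunks raise no exception; with no MAC, garbage and plaintext are indistinguishable to the decryptor.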
The flaw is identical across all three platform variants—Windows, Linux, and ESXi—all sharing an identical encryption design built on the libsodium library, the same file-size thresholds, the same four-chunk logic, and the same nonce-handling failure. Check Point confirmed this represents “a single codebase ported across platforms.” The RaaS operation announced in March 2026 that it was partnering with TeamPCP, the group behind supply-chain attacks on Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx. It also announced a partnership with BreachForums that granted every registered forum user access to the ransomware, negotiation platform, and leak site.
For defenders, the implications cut both ways. Organizations with robust offline backup infrastructure are in a better position than they might expect—since the attacker can’t decrypt the files they’re destroying, paying the ransom offers no recovery advantage. But victims who lack offline backups face total data loss with no recourse. The wiper functionality also makes attribution harder, as nation-state actors have increasingly adopted wiper malware to create ambiguity and deny investigators forensic evidence.
Check Point first documented Vect in January 2026 after it appeared on a Russian-language cybercrime forum in December 2025. The full technical report on the encryption flaw was published April 28, 2026.