'Full recovery is impossible for anyone, including the attacker'
# Incident Report: Vect "Ransomware" Supply-Chain Campaign
## Executive Summary
Organizations worldwide have been hit by the Vect cybercrime group following a series of supply-chain compromises of developer and security tools. Analysis shows that the Vect malware is a functionally flawed wiper disguised as ransomware: a coding error in its chunked encryption routine permanently destroys every file larger than 128 KB. Full data recovery is therefore impossible regardless of whether a ransom is paid; only backups taken before the infection can restore the affected files.
## Incident Details
- **Discovery Date:** April 2026 (Detailed analysis by Check Point Research)
- **Incident Date:** Ongoing since January 2026; escalation in March 2026 with the developer-tool supply-chain compromises
- **Affected Organizations:** At least 25 organizations listed on the group's leak site; the group claims Guesty and S&P Global among its victims (claims unverified)
- **Sector:** Technology, Finance, Hospitality (spanning multiple sectors)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026 (Supply chain phase)
- **Vector:** Supply Chain Compromise
- **Details:** Attackers (TeamPCP) infected security and developer tools, including **Trivy** and **LiteLLM**, with self-propagating credential-stealing malware.
### Lateral Movement
- **Details:** The initial credential-stealing malware facilitated follow-on access for the Vect group to deploy their ransomware payload across impacted networks, including ESXi environments and Windows/Linux servers.
### Data Exfiltration/Impact
- **Details:** Attackers claim to have exfiltrated massive datasets (e.g., 700GB from Guesty, 250GB from S&P Global). More critically, the Vect payload systematically destroyed all files over 128KB.
### Detection & Response
- **Discovery:** Analysts at Check Point Research obtained the Vect ransomware builder via BreachForums to perform reverse engineering.
- **Response Actions:** Public disclosure of the "wiper" nature of the malware to prevent victims from making useless ransom payments.
## Attack Methodology
- **Initial Access:** Supply chain compromise of developer and security tools (Trivy, LiteLLM).
- **Persistence:** Not detailed in the source; the trojanized tool updates themselves are the most plausible foothold.
- **Privilege Escalation:** Not specified; the source attributes follow-on access to credentials stolen by the developer-tool implant rather than to a separate escalation step.
- **Defense Evasion:** Use of legitimate-looking supply chain updates.
- **Credential Access:** Self-propagating malware designed to steal credentials.
- **Discovery:** Reconnaissance of enterprise assets such as VM disks and databases.
- **Lateral Movement:** Chaining initial compromises into follow-on campaigns.
- **Collection:** Gathering data for extortion on BreachForums.
- **Exfiltration:** Transfer of data to Vect's leak site.
- **Impact:** **Data Wiping.** Files over 128 KB are encrypted in four chunks, each under its own libsodium nonce, but the encryption routine writes out only one nonce and discards the other three. A libsodium ciphertext cannot be decrypted without its nonce, so those chunks are unrecoverable by anyone, the attacker included. Smaller files do not go through the four-chunk path and are not affected by this flaw.
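To make the failure concrete, here is an added example (written for this report, not code from Vect or from Check Point's analysis) of a chunked encryptor that reproduces the described defect next to the corrected behaviour. AES-256-GCM from the Go standard library stands in for the libsodium construction, which the source does not name; the chunk count, the 128 KB threshold and the "single overwritten nonce slot" layout follow the description above, while the function and type names (`Encrypt`, `Decrypt`, `FileRecord`) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed example, not Vect's code. AES-256-GCM stands in for the libsodium
// AEAD (an assumption: the page does not name the primitive). Nonces are not
// secret, but an AEAD ciphertext cannot be opened without one, key or no key.
const (
	chunkCount   = 4
	smallFileMax = 128 * 1024 // files at or below this size are sealed as one chunk
)

type FileRecord struct {
	Nonces [][]byte // correct build: one per chunk; buggy build: a single slot
	Chunks [][]byte // ciphertext with authentication tag
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// splitChunks: one chunk for small files, exactly chunkCount pieces otherwise.
func splitChunks(data []byte) [][]byte {
	if len(data) <= smallFileMax {
		return [][]byte{data}
	}
	out := make([][]byte, 0, chunkCount)
	for i := 0; i < chunkCount; i++ {
		out = append(out, data[i*len(data)/chunkCount:(i+1)*len(data)/chunkCount])
	}
	return out
}

// Encrypt seals every chunk under a fresh random nonce. With keepAllNonces false
// it reproduces the reported defect: one nonce slot is overwritten per chunk.
func Encrypt(key, plaintext []byte, keepAllNonces bool) (*FileRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	rec := &FileRecord{}
	for _, chunk := range splitChunks(plaintext) {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil { return nil, err }
		rec.Chunks = append(rec.Chunks, aead.Seal(nil, nonce, chunk, nil))
		if keepAllNonces || len(rec.Nonces) == 0 {
			rec.Nonces = append(rec.Nonces, nonce)
		} else {
			rec.Nonces[0] = nonce // bug: the previous chunk's nonce is gone for good
		}
	}
	return rec, nil
}

// Decrypt is the best any decryptor can do: try the stored nonce for each chunk.
// A chunk whose nonce was discarded fails the tag check; its bytes stay zeroed
// and the error says how many chunks were lost.
func Decrypt(key []byte, rec *FileRecord) ([]byte, int, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, 0, err
	}
	var out []byte
	recovered := 0
	for i, ct := range rec.Chunks {
		nonce := rec.Nonces[len(rec.Nonces)-1] // all that survives in the buggy layout
		if i < len(rec.Nonces) {
			nonce = rec.Nonces[i]
		}
		pt, err := aead.Open(nil, nonce, ct, nil)
		if err != nil {
			out = append(out, make([]byte, len(ct)-aead.Overhead())...)
			continue
		}
		recovered++
		out = append(out, pt...)
	}
	if recovered != len(rec.Chunks) {
		return out, recovered, fmt.Errorf("%d of %d chunks unrecoverable: nonces never stored", len(rec.Chunks)-recovered, len(rec.Chunks))
	}
	return out, recovered, nil
}

func main() {
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	sample := bytes.Repeat([]byte("vmdk"), 128*1024) // constructed 512 KiB file, above the threshold
	for _, keep := range []bool{false, true} {
		rec, _ := Encrypt(key, sample, keep)
		got, n, err := Decrypt(key, rec)
		fmt.Printf("keepAllNonces=%-5v recovered=%d/%d intact=%v err=%v\n", keep, n, len(rec.Chunks), bytes.Equal(got, sample), err)
	}
}
```

Run as-is: the buggy layout recovers one of four chunks and reports an error, the corrected layout round-trips the file, and a file of 128 KB or less survives the bug because it never takes the four-chunk path. The brute-force alternative is no help either: a 96-bit GCM nonce (192 bits for libsodium's XChaCha20 variants) is far beyond search.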
## Impact Assessment
- **Financial:** Total loss of data assets; potential for wasted ransom payments if victims are unaware of the wiper flaw.
- **Data Breach:** Claimed leaks of hundreds of gigabytes per victim.
- **Operational:** Severe disruption; destruction of VM disks, databases, and backups makes restoration from local copies impossible.
- **Reputational:** High-profile organizations listed on public leak sites.
## Indicators of Compromise
- **Network:** hxxps[://]vect-leak-site[.]onion (Defanged)
- **File:** Vect 2.0 Ransomware (variants for Windows, Linux, ESXi)
- **Behavioral:** High-volume rewriting of files larger than 128 KB (VM disks, databases, backups) by a single process; libsodium encryption artifacts in the binary; the four-chunk encryption layout described under Attack Methodology.
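The behavioural indicator above lends itself to a hunting rule. The following Go program is an added example, not from the report: it parses a constructed file-write log (invented format; real EDR or auditd fields would be mapped onto the same `Event` struct) and flags any process that writes to five or more files larger than 128 KB within sixty seconds. The process names, paths and both thresholds are illustrative and should be tuned against a baseline of legitimate bulk writers such as backup agents.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed example, not from the report: a burst detector for the behavioural
// indicator. The log format is invented; map your own EDR/auditd fields onto Event.
type Event struct {
	At   time.Time
	PID  int
	Proc string
	Size int64 // file size after the write
	Path string
}

const (
	sizeThreshold = 128 * 1024 // Vect destroys files above this size
	burstWindow   = 60 * time.Second
	burstCount    = 5 // large-file writes inside one window that raise an alert
)

// ParseEvents reads lines "<RFC3339 time> <pid> <process> <size> <path>".
func ParseEvents(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		e, ts := Event{}, ""
		if _, err := fmt.Sscanf(line, "%s %d %s %d %s", &ts, &e.PID, &e.Proc, &e.Size, &e.Path); err != nil {
			return nil, fmt.Errorf("malformed line %q: %w", line, err)
		}
		at, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			return nil, err
		}
		e.At = at
		events = append(events, e)
	}
	return events, sc.Err()
}

type Alert struct {
	PID   int
	Proc  string
	Count int // most writes to files above sizeThreshold seen inside one window
}

// FindLargeFileBursts keeps only writes above sizeThreshold, groups them by PID
// and slides burstWindow over each timeline; burstCount or more hits is an alert.
func FindLargeFileBursts(events []Event) []Alert {
	byPID := map[int][]Event{}
	for _, e := range events {
		if e.Size > sizeThreshold {
			byPID[e.PID] = append(byPID[e.PID], e)
		}
	}
	var alerts []Alert
	for pid, evs := range byPID {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		best := 0
		for i, j := 0, 0; i < len(evs); i++ {
			for j < len(evs) && evs[j].At.Sub(evs[i].At) <= burstWindow {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best >= burstCount {
			alerts = append(alerts, Alert{PID: pid, Proc: evs[0].Proc, Count: best})
		}
	}
	return alerts
}

// SampleLog is constructed: a backup agent touching two big files an hour apart
// (benign) and an unknown binary rewriting five files above 128 KB within half a
// minute. The 131072-byte file is exactly 128 KB and does not count.
const SampleLog = `2026-03-20T02:00:00Z 1201 backup-agent 5368709120 /vmfs/volumes/ds1/app01/app01-flat.vmdk
2026-03-20T03:00:00Z 1201 backup-agent 2147483648 /var/lib/postgresql/16/main/base/16384/2613
2026-03-20T09:15:00Z 9811 unknown_bin 5368709120 /vmfs/volumes/ds1/app01/app01-flat.vmdk
2026-03-20T09:15:04Z 9811 unknown_bin 2147483648 /var/lib/postgresql/16/main/base/16384/2613
2026-03-20T09:15:09Z 9811 unknown_bin 734003200 /srv/backups/db-2026-03-19.tar
2026-03-20T09:15:15Z 9811 unknown_bin 1048576 /srv/share/q1-report.pdf
2026-03-20T09:15:21Z 9811 unknown_bin 131073 /srv/share/ledger.xlsx
2026-03-20T09:15:30Z 9811 unknown_bin 131072 /srv/share/small.txt
`

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil { panic(err) }
	for _, a := range FindLargeFileBursts(events) {
		fmt.Printf("ALERT pid=%d proc=%s: %d writes to files >128 KB inside %s\n", a.PID, a.Proc, a.Count, burstWindow)
	}
}
```

The size test is strictly greater than 128 KB to match the stated threshold; the sliding window rather than a fixed bucket avoids missing a burst that straddles a minute boundary.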
## Response Actions
- **Containment:** Identify and isolate hosts and CI runners that pulled Trivy or LiteLLM during the compromise window; check those installations for malicious modifications and rotate every credential those hosts held, since the implant was built to steal them.
- **Eradication:** Removal of Vect binary payloads.
- **Recovery:** Recovery is only possible via **off-site, offline backups** created prior to the infection. Traditional "decryption" is not an option.
## Lessons Learned
- **The "Ransomware" Fallacy:** Not all extortionists are capable of returning data; amateur "Ransomware-as-a-Service" (RaaS) can result in accidental wipers.
- **Supply Chain Vulnerability:** Essential developer tools (Trivy) represent a high-leverage point of failure for an entire organization's security posture.
- **Code Quality Matters:** The "amateur execution" of the Vect group turned a standard extortion attempt into a catastrophic data loss event.
## Recommendations
- **Do Not Pay:** Under no circumstances should a ransom be paid to Vect, as they cannot provide a working decryptor.
- **Hardened Backups:** Maintain immutable, offline (air-gapped) backups and test restores regularly; a wiper leaves no decryption path, so backups are the only recovery route.
- **Software Integrity:** Implement strict version pinning and integrity checking (hashes/signatures) for all security and developer tools used in CI/CD pipelines.
- **Audit Tooling:** Review the security of internal instances of Trivy and LiteLLM for any unauthorized modifications.
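As an added illustration of the integrity-checking recommendation (example code, not from the report or from any of the named projects): a CI step that refuses to execute a downloaded tool unless a pin manifest names it at the expected version with a matching SHA-256. The manifest format, the tool name `example-scanner` and the artifact bytes are constructed for the demo.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed example, not from the report: a pin manifest checked before a CI
// job executes a downloaded tool. Manifest format and sample bytes are invented.
type Pin struct {
	Version string
	SHA256  []byte
}

// PinLine produces a manifest entry from an artifact you have reviewed.
func PinLine(tool, version string, artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return fmt.Sprintf("%s %s %s", tool, version, hex.EncodeToString(sum[:]))
}

// ParsePins reads "<tool> <version> <sha256-hex>" lines; comments, duplicate
// entries and malformed digests are handled explicitly.
func ParsePins(raw string) (map[string]Pin, error) {
	pins := map[string]Pin{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed pin line: %q", sc.Text())
		}
		digest, err := hex.DecodeString(f[2])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("%s: bad sha256 digest", f[0])
		}
		if _, dup := pins[f[0]]; dup {
			return nil, fmt.Errorf("%s: pinned twice", f[0])
		}
		pins[f[0]] = Pin{Version: f[1], SHA256: digest}
	}
	return pins, sc.Err()
}

// VerifyArtifact rejects unpinned tools, version drift and digest mismatch;
// the digest comparison is constant-time.
func VerifyArtifact(pins map[string]Pin, tool, version string, artifact []byte) error {
	pin, ok := pins[tool]
	if !ok {
		return fmt.Errorf("%s: not in pin manifest, refusing to run", tool)
	}
	if pin.Version != version {
		return fmt.Errorf("%s: %s requested but %s is pinned", tool, version, pin.Version)
	}
	sum := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(sum[:], pin.SHA256) != 1 {
		return fmt.Errorf("%s %s: digest %x does not match manifest", tool, version, sum)
	}
	return nil
}

// Constructed stand-ins for a reviewed release and a tampered copy of it.
var (
	goodArtifact     = []byte("scanner-binary v1.2.3 build 42 (constructed sample)")
	tamperedArtifact = []byte("scanner-binary v1.2.3 build 42 (constructed sample) + implant")
)

func main() {
	manifest := "# tool version sha256\n" + PinLine("example-scanner", "1.2.3", goodArtifact) + "\n"
	pins, err := ParsePins(manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("good copy:", VerifyArtifact(pins, "example-scanner", "1.2.3", goodArtifact))
	fmt.Println("tampered: ", VerifyArtifact(pins, "example-scanner", "1.2.3", tamperedArtifact))
	fmt.Println("drift:    ", VerifyArtifact(pins, "example-scanner", "1.2.4", goodArtifact))
	fmt.Println("unpinned: ", VerifyArtifact(pins, "other-tool", "0.1", goodArtifact))
}
```

The manifest itself must live in the repository under review (not be fetched alongside the artifact), and a pin only moves when someone has looked at the new release; an automatic "update the pin to whatever the registry serves" step would have accepted the trojanized tools this campaign started from.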