Full Report
Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than ransomware, because a critical flaw in its encryption implementation across the Windows, Linux, and ESXi variants renders recovery impossible even for the threat actors. Since VECT's locker permanently destroys large files rather than encrypting them, even victims who opt to
Analysis Summary
# Tool/Technique: VECT 2.0 (Ransomware/Wiper)
## Overview
VECT 2.0 is a Ransomware-as-a-Service (RaaS) operation that functions, in effect, as a data wiper because of a critical cryptographic flaw. While marketed as ransomware with a triple-threat model (exfiltration, encryption, extortion), a defect in its encryption logic leaves the first three quarters of any file larger than 131KB permanently unrecoverable. Data recovery is therefore impossible for such files even if the victim pays the ransom and receives the threat actor's decryption tools.
## Technical Details
- **Type:** Malware family (Ransomware/Wiper)
- **Platform:** Windows, Linux, and ESXi
- **Capabilities:** File encryption (defective), data exfiltration, cross-platform compatibility, network share traversal, and credential theft via supply chain attacks.
- **First Seen:** Initial affiliate program launched December 2025; VECT 2.0 observed April 2026.
## MITRE ATT&CK Mapping
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
- T1561.002 - Disk Structure Wipe (functional behavior: the outcome is irreversible destruction of file contents rather than recoverable encryption)
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise (via TeamPCP)
- **TA0010 - Exfiltration**
- T1020 - Automated Exfiltration
## Functionality
### Core Capabilities
- **Cross-Platform Target:** C++-based lockers designed for Windows, Linux, and ESXi environments.
- **Flawed Encryption:** Uses ChaCha20-IETF (the RFC 8439 variant with a 96-bit nonce). For files under 131KB it functions as intended. For "large files" (>131KB) it encrypts four independent chunks, each under a different 12-byte nonce, but saves only the last of the four nonces.
- **Irreversible Destruction:** Because the first three nonces used for a large file are discarded and never stored or transmitted, the first three quarters of every such file are permanently unrecoverable; only the final chunk, whose nonce was kept, can be decrypted. Holding the key is not enough: a ChaCha20 keystream cannot be regenerated without the exact nonce.
- **Affiliate Model:** Operates as a RaaS with a $250 Monero (XMR) entry fee, notably waived for CIS-based affiliates.
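The nonce defect described above, as an added in-memory model (not VECT's code, and not from the report's authors): a pure-Python ChaCha20-IETF per RFC 8439, a `model_lock` that follows the report's description (one nonce for small files; four chunks with four nonces for large files, of which only the last is kept), and a `model_decrypt` that does the only thing a decryptor with the key and the surviving nonce can do. The 131,072-byte (2^17) reading of "131KB" and the equal-size chunking are assumptions; `recovered_fraction` returns the share of chunks that come back intact, which is 0.25 for any large file.

```python
import secrets
import struct

# "131KB" in the report is assumed here to mean 131,072 bytes (2^17).
LARGE_FILE_THRESHOLD = 131_072
CHUNK_COUNT = 4       # the report describes four independently encrypted chunks
NONCE_LEN = 12        # ChaCha20-IETF (RFC 8439): 96-bit nonce, 32-bit block counter
MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation): 32-byte key, 12-byte nonce."""
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        for j, b in enumerate(data[i:i + 64]):
            out[i + j] = b ^ ks[j]
    return bytes(out)


def model_lock(key, plaintext):
    """Model of the reported locker behaviour on one file's bytes.
    Returns (ciphertext, stored_nonce, chunk_len)."""
    if len(plaintext) <= LARGE_FILE_THRESHOLD:
        nonce = secrets.token_bytes(NONCE_LEN)          # small file: one nonce, kept
        return chacha20_xor(key, nonce, plaintext), nonce, max(len(plaintext), 1)
    chunk_len = -(-len(plaintext) // CHUNK_COUNT)       # ceiling division (assumed equal chunks)
    ciphertext = bytearray()
    stored_nonce = None
    for i in range(CHUNK_COUNT):
        nonce = secrets.token_bytes(NONCE_LEN)          # fresh nonce per chunk ...
        chunk = plaintext[i * chunk_len:(i + 1) * chunk_len]
        ciphertext += chacha20_xor(key, nonce, chunk)
        stored_nonce = nonce                            # ... overwriting the previous one: three are lost
    return bytes(ciphertext), stored_nonce, chunk_len


def model_decrypt(key, ciphertext, stored_nonce, chunk_len):
    """What a decryptor holding the correct key and the single surviving nonce can do."""
    out = bytearray()
    for i in range(0, len(ciphertext), chunk_len):
        out += chacha20_xor(key, stored_nonce, ciphertext[i:i + chunk_len])
    return bytes(out)


def recovered_fraction(key, plaintext):
    """Share of chunks that decrypt back to the original bytes."""
    if not plaintext:
        return 1.0
    ct, nonce, chunk_len = model_lock(key, plaintext)
    back = model_decrypt(key, ct, nonce, chunk_len)
    starts = range(0, len(plaintext), chunk_len)
    ok = sum(1 for i in starts if back[i:i + chunk_len] == plaintext[i:i + chunk_len])
    return ok / len(starts)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("small file recovered:", recovered_fraction(key, b"x" * 4096))
    print("large file recovered:", recovered_fraction(key, b"x" * (LARGE_FILE_THRESHOLD + 1)))
```

The model shows why the key alone does not help the victim: the three wrong-nonce chunks decrypt to keystream noise, and with 96 bits of lost nonce per chunk there is nothing to search. The defect is entirely in nonce handling; the primitive itself is correct, and swapping in any other stream cipher with the same nonce discipline would fail the same way.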
### Advanced Features
- **Supply Chain Integration:** Leverages partnerships with threat groups like TeamPCP to weaponize stolen credentials and existing breaches.
- **Triple Extortion:** Combines disk encryption with data exfiltration and the threat of public disclosure via a dedicated leak site.
- **Network Propagation:** The Windows variant is capable of identifying and encrypting local, removable, and network-accessible storage.
## Indicators of Compromise
- **File Hashes:** *(Note: no MD5/SHA256 hashes are given in the source article; in the absence of signatures, hunters should look for unrecognized C++-based binaries on the platforms above and rely on the behavioral indicators below.)*
- **File Names:** Typically uses a unique extension post-encryption (though not specified in the text).
- **Network Indicators:**
- Dark web leak site (VECT leak portal)
- Monero (XMR) payment addresses
- Partnership infrastructure via TeamPCP and BreachForums.
- **Behavioral Indicators:**
- Mass file modification across local and network drives.
- Process execution on ESXi hosts targeting virtual disk files (.vmdk).
## Associated Threat Actors
- **VECT Group:** The primary RaaS operators.
- **TeamPCP:** Partner group providing initial access via supply chain attacks.
- **BreachForums Affiliates:** Cybercriminals recruited to deploy the locker.
## Detection Methods
- **Behavioral detection:** Monitor for high-volume file rename/write operations and the generation of high-entropy files (indicators of encryption).
- **ESXi Auditing:** Monitor for unauthorized SSH access to ESXi hosts and for execution of unrecognized binaries (the lockers are C++-based), particularly any process touching .vmdk files.
- **Network Monitoring:** Look for large-scale data transfers to unknown external IPs (Exfiltration).
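The behavioral detection above, as an added example (constructed here, not taken from the report or from any vendor product): a Shannon-entropy check that separates ordinary documents from encrypted output, and a sliding-window counter that flags a process whose WRITE/RENAME rate over local or network paths exceeds a threshold. The CSV telemetry format (`timestamp,host,pid,operation,path`), the sample events, the 10-second window and the 50-operation threshold are all assumptions to be tuned against real EDR or file-server audit data.

```python
import math
import secrets
from collections import Counter, defaultdict
from datetime import datetime


def shannon_entropy(data):
    """Bits per byte: text documents sit well below 6, encrypted output close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    return shannon_entropy(data) >= threshold


def parse_event(line):
    """Constructed telemetry format: timestamp,host,pid,operation,path."""
    ts, host, pid, op, path = line.split(",", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, int(pid), op, path


def burst_offenders(lines, window_s=10, threshold=50, ops=("WRITE", "RENAME")):
    """Processes whose WRITE/RENAME count within any sliding window reaches the threshold.
    Returns {(host, pid): peak_count_in_window}."""
    per_proc = defaultdict(list)
    for line in lines:
        ts, host, pid, op, _path = parse_event(line)
        if op in ops:
            per_proc[(host, pid)].append(ts)
    offenders = {}
    for proc, times in per_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1           # slide the window forward
            count = end - start + 1
            if count >= threshold:
                offenders[proc] = max(offenders.get(proc, 0), count)
    return offenders


def build_sample_log():
    """Constructed events: a benign editor process and a process renaming 80 share files in 8 seconds."""
    lines = [
        "2026-04-10T09:00:01Z,host01,1234,WRITE,C:\\Users\\alice\\notes.txt",
        "2026-04-10T09:00:04Z,host01,1234,READ,C:\\Users\\alice\\notes.txt",
        "2026-04-10T09:00:09Z,host01,1234,WRITE,C:\\Users\\alice\\notes.txt",
    ]
    for i in range(80):
        lines.append(f"2026-04-10T09:02:{i // 10:02d}Z,host01,4120,RENAME,"
                     f"\\\\fileserver\\share\\doc{i:03d}.xlsx")
    return lines


# Constructed samples: a plaintext document and random bytes standing in for locker output.
SAMPLE_DOCUMENT = b"Quarterly report: revenue grew modestly while operating costs were flat. " * 60
SAMPLE_ENCRYPTED = secrets.token_bytes(4096)


if __name__ == "__main__":
    print("document entropy %.2f encrypted=%s" % (shannon_entropy(SAMPLE_DOCUMENT), looks_encrypted(SAMPLE_DOCUMENT)))
    print("random entropy   %.2f encrypted=%s" % (shannon_entropy(SAMPLE_ENCRYPTED), looks_encrypted(SAMPLE_ENCRYPTED)))
    print("burst offenders:", burst_offenders(build_sample_log()))
```

Entropy alone is a weak signal because compressed archives, images and already-encrypted containers also score near 8 bits per byte; the useful alert is the conjunction of a write/rename burst from one process and newly high-entropy files under the paths it touched. The burst count is also the natural trigger for the automated isolation described under mitigation.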
## Mitigation Strategies
- **Offline Backups:** Maintain tested, air-gapped backups. Since VECT is a functional wiper, restoration from backup is the *only* recovery path for files over 131KB, whether or not a ransom is paid.
- **Immutable Storage:** Utilize WORM (Write Once Read Many) storage for critical enterprise data.
- **Credential Hygiene:** Implement MFA and rotate credentials, especially given VECT's reliance on supply chain credential theft.
- **Rapid Containment:** Implement automated response to disconnect affected hosts from the network once mass file modification is detected.
## Related Tools/Techniques
- **ChaCha20-IETF:** The stream cipher the locker uses (RFC 8439, 96-bit nonce). The defect lies in the locker's nonce handling, not in the cipher itself.
- **Data Wipers:** Tools like Shamoon or StoneDrill (functionally similar due to VECT's flaws).
- **Supply Chain Attacks:** Methodologies used by TeamPCP to facilitate initial access.