Full Report
VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks […] The post VECT: Ransomware by design, Wiper by accident appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: VECT Ransomware
## Overview
VECT is a Ransomware-as-a-Service (RaaS) operation that emerged in late 2025. While marketed as a sophisticated encryption tool for extortion, a critical architectural flaw in its encryption engine causes it to function as a permanent **wiper** for files exceeding 128 KB. The group is notable for its aggressive partnership model, providing access keys to all registered users of BreachForums and collaborating with threat actor TeamPCP.
## Technical Details
- **Type:** Ransomware-as-a-Service (RaaS) / Wiper (accidental)
- **Platform:** Windows, Linux, and VMware ESXi
- **Capabilities:** Multi-platform encryption, automated discovery, "broken" ChaCha20 implementation, data exfiltration.
- **First Seen:** December 2025 (Russian-language cybercrime forums)
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Windows Service
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery
  - T1135 - Network Share Discovery
- **TA0040 - Impact**
  - T1486 - Data Encrypted for Impact
  - T1485 - Data Destruction (due to the nonce-handling flaw)
  - T1489 - Service Stop (targeting ESXi VMs and databases)
## Functionality
### Core Capabilities
- **Multi-Platform Consistency:** Uses a single C++ codebase ported to Windows, Linux, and ESXi utilizing `libsodium`.
- **Encryption Algorithm:** Uses raw **ChaCha20-IETF** (RFC 8439). Note: Public marketing claims the use of ChaCha20-Poly1305, but the implementation lacks the Poly1305 MAC, providing no integrity protection.
- **Ransomware-as-a-Service:** Distributed via BreachForums with unique affiliate IDs and access keys.
### Advanced Features (and Failures)
- **Accidental Wiper Mechanism:** For files >128 KB, the engine generates four nonces but discards three of them. This makes 75% of the file data impossible to decrypt, even by the attackers.
- **Thread Scheduler:** Includes a multi-threading engine meant to increase speed, though research indicates it is poorly optimized and may degrade performance.
- **Dormant Code:** Contains "zombie" features such as `--fast`, `--medium`, and `--secure` flags that are parsed but ignored, and anti-analysis code that is permanently unreachable due to logic errors.
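The nonce-handling flaw above is easiest to see in code. The block below is an added illustration, not VECT's code or Check Point's: a compact ChaCha20-IETF (RFC 8439) keystream with no Poly1305 tag, applied to a file in 128 KB chunks under a fresh nonce each. `keep_all_nonces=False` models the defect: every nonce is generated and used, but only the first is retained, so a decryptor holding the right key still cannot reverse chunks 2 onward. Chunk size, the per-chunk nonce scheme and the helper names are assumptions for the demonstration.

```python
import os
import struct

MASK = 0xFFFFFFFF
CHUNK = 128 * 1024  # the 128 KB chunking the report describes

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # RFC 8439 quarter round, in place on state list s
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20-IETF keystream block (32-byte key, 12-byte nonce)."""
    init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
            *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce)]
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *idx)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data):
    """Raw keystream XOR from counter 0: no Poly1305 tag, as in VECT's usage."""
    ks = b"".join(chacha20_block(key, i, nonce) for i in range((len(data) + 63) // 64))
    return bytes(x ^ y for x, y in zip(data, ks))

def encrypt_chunked(key, plaintext, keep_all_nonces):
    """Fresh nonce per 128 KB chunk; keep_all_nonces=False mimics the flaw."""
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)]
    nonces = [os.urandom(12) for _ in chunks]  # generated for every chunk...
    ct = b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, chunks))
    return ct, (nonces if keep_all_nonces else nonces[:1])  # ...but only one kept

def decrypt_chunked(key, ciphertext, stored_nonces):
    """A decryptor can only reverse the chunks whose nonce survived."""
    chunks = [ciphertext[i:i + CHUNK] for i in range(0, len(ciphertext), CHUNK)]
    return b"".join(chacha20_xor(key, stored_nonces[i], c) if i < len(stored_nonces)
                    else c  # nonce lost: keystream unrecoverable, chunk stays garbage
                    for i, c in enumerate(chunks))

def recoverable_fraction(key, plaintext, keep_all_nonces):
    ct, nonces = encrypt_chunked(key, plaintext, keep_all_nonces)
    pt = decrypt_chunked(key, ct, nonces)
    starts = range(0, len(plaintext), CHUNK)
    return sum(pt[i:i + CHUNK] == plaintext[i:i + CHUNK] for i in starts) / len(starts)
```

For a constructed 512 KB input, `recoverable_fraction(key, data, False)` returns 0.25 (only the first chunk comes back), while `keep_all_nonces=True` returns 1.0; the key alone never makes the difference.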
## Indicators of Compromise
- **File Names:** `RECOVER_VECT_FILES.txt` (Ransom note)
- **Network Indicators:**
  - Telegram/Qtox IDs for contact (e.g., `1A51DCBB33FBF603B385D223F599C6D64545E631F7C870FFEA320D84CE5DAF076C1F94100B5B`)
  - Onion leak site: `[REDACTED].onion` (defanged)
- **Behavioral Indicators:**
  - Massive file I/O operations targeting 128 KB chunks.
  - Termination of virtual machine processes (`vmx`) on ESXi hosts.
  - Usage of `libsodium` exports in unusual binary contexts.
## Associated Threat Actors
- **TeamPCP:** Known for supply-chain attacks (Trivy, KICS, LiteLLM) and a primary partner of VECT.
- **BreachForums Affiliates:** General forum users who have been granted access keys to the RaaS platform.
## Detection Methods
- **Signature-based:** Detect the specific implementation of `libsodium` paired with the VECT-specific ransom note string.
- **Behavioral:** Monitor for high-frequency file modification of enterprise assets (databases, VMDKs) followed by the deletion of volume shadow copies.
- **Vulnerability Check:** Detection scripts can identify VECT variants by looking for the broken ChaCha20 nonce-handling logic (failing to store the nonces for chunks 2, 3, and 4).
## Mitigation Strategies
- **Prevention:** Block initial access vectors favored by TeamPCP, specifically supply-chain vulnerabilities in DevOps tools and software packages.
- **Hardening:** Implement immutable backups. Because VECT is functionally a wiper, standard decryption-based recovery is impossible.
- **Network Security:** Restrict outbound Tor traffic to prevent affiliates from reaching the negotiation and leak sites.
## Related Tools/Techniques
- **ChaCha20-IETF:** The base cipher used (and misused) by the malware.
- **Supply-Chain Compromise:** The primary delivery method utilized by partner group TeamPCP to deploy VECT.