VECT 2.0 Ransomware: The Fatal Bug Destroying Files Forever

A design flaw turns VECT 2.0 into a wiper: files over 131KB are irreversibly destroyed. Paying the ransom recovers nothing. Here is the full analysis.

On April 28, 2026, Check Point Research revealed a critical flaw in VECT 2.0 ransomware: a design error in the encryption algorithm irreversibly destroys all files larger than 131,072 bytes. The discovery radically changes the nature of the threat: what is marketed as ransomware-as-a-service effectively functions as a wiper for most sensitive corporate data.

The technical flaw: three nonces lost forever

Check Point Research's technical analysis highlighted an issue in the implementation of ChaCha20-IETF encryption. The malware divides files larger than 131,072 bytes into four independent chunks, each encrypted with a unique nonce. The code generates the first three nonces and uses them to encrypt their respective chunks, but then silently discards them without recording them anywhere.

"The first three nonces, each required to decrypt its respective chunk, are generated, used, and silently discarded." — Check Point Research analysis

The result is that even the attackers do not hold the nonces required to decrypt the affected files. Without those three nonces, the fourth chunk is the only one theoretically recoverable, and it represents only a fraction of the original file.
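To see why the lost nonces matter, here is an added model of the flaw in pure Python; it is not Check Point's analysis code or the malware's own. It implements unauthenticated ChaCha20-IETF (RFC 8439), encrypts an oversized input in four chunks with four fresh nonces while retaining only the last, and shows that even a holder of the key gets back only the fourth chunk. The equal-quarter chunk layout and random 96-bit nonces are assumptions of the model.

```python
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439 section 2.1), applied in place to state list s
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    # One 64-byte keystream block: constants | 256-bit key | 32-bit counter | 96-bit nonce
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data, counter=0):
    # Unauthenticated ChaCha20-IETF: keystream XOR data. The same call decrypts,
    # but only with the exact nonce that was used for encryption.
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], _block(key, counter + i // 64, nonce)))
    return bytes(out)

def encrypt_like_vect(key, plaintext):
    # Model of the reported flaw for a file over 131,072 bytes: four chunks (equal quarters,
    # remainder in the last: an assumption), four fresh nonces used, only the last one kept.
    q = len(plaintext) // 4
    bounds = [0, q, 2 * q, 3 * q, len(plaintext)]
    ciphertext, kept_nonce = b"", None
    for i in range(4):
        nonce = os.urandom(12)
        ciphertext += chacha20_xor(key, nonce, plaintext[bounds[i]:bounds[i + 1]])
        kept_nonce = nonce  # overwritten each iteration; after the loop only nonce #4 remains
    return ciphertext, kept_nonce

def recover_with_key(key, ciphertext, kept_nonce):
    # Best case for a 'decryptor' holding the key and the surviving nonce: only the
    # fourth chunk comes back. The first three would need nonces nobody holds.
    q = len(ciphertext) // 4
    return chacha20_xor(key, kept_nonce, ciphertext[3 * q:])
```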

A business model undermined at its foundation

VECT launched its RaaS affiliate program in December 2025, charging a $250 entry fee for new affiliates outside the CIS. In January 2026, the group began active targeting, claiming victims in South Africa and Brazil. According to Ransomware.live, the group currently boasts 25 known victims.

However, the discovery of the fatal bug invalidates the service's entire value proposition. "VECT is being marketed as ransomware, but for any file over 131KB – which is most of what enterprises actually care about – it functions as a data destruction tool" — explained Eli Smadja of Check Point Research.

The contradiction with previous analyses

Until March 27, 2026, available technical analyses described VECT as conventional ransomware. Sources at the time reported the use of ChaCha20-Poly1305 AEAD, an authenticated algorithm that would have allowed for data recovery. The ransom note '!!!_READ_ME_!!!.txt' promised a working decryptor after payment.

The April 28, 2026, analysis radically corrects this view: the malware actually uses unauthenticated ChaCha20-IETF, and the implementation flaw makes it technically impossible to keep the promise for any file exceeding the 131,072-byte threshold.

Implications for incident response

For CISOs and security teams, the discovery mandates a complete re-evaluation of negotiation strategies. Traditional guidelines sometimes include evaluating payment as an extreme recovery option when backups are unavailable.

In a VECT incident, this option is nonexistent. "CISOs need to understand that in a VECT incident, paying is not a recovery strategy." — emphasized Eli Smadja of Check Point Research.

Protection comes down to the fundamentals: verified offline backups, network segmentation, and proactive monitoring of Windows, Linux, and ESXi infrastructures—all platforms targeted by the malware according to analyses.

Frequently Asked Questions

What distinguishes VECT 2.0 from other ransomware?
VECT 2.0 contains a programming flaw that turns it into a wiper: files larger than 131,072 bytes are irreversibly destroyed, making recovery impossible even if the ransom is paid.
Is it possible to recover files encrypted by VECT 2.0?
No, for files over 131KB, recovery is technically impossible because the nonces required for decryption are discarded by the malware itself.
Which operating systems are affected by VECT 2.0?
According to the analyses, VECT 2.0 affects Windows, Linux, and ESXi systems.

This article is a summary based exclusively on the listed sources.

Sources

  • https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/vect-20
  • https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html
  • https://www.ransomware.live/group/vect
  • https://www.halcyon.ai/ransomware-alerts/emerging-ransomware-group-vect
  • https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/vect