
Broken VECT 2.0 ransomware turns encryption into data wiping

Researchers say VECT 2.0 has a nonce-handling flaw that makes only the last portion of large files recoverable, effectively turning attacks into data-wiping.

Ransomware usually promises a grim bargain: lock your data, then sell you access back. But with VECT 2.0, the pitch may not even work the way operators expect—because the malware appears to “break” its own encryption for larger files.

Misryoum has learned that researchers are warning about a flaw in how VECT 2.0 handles encryption nonces. Instead of reliably encrypting every chunk of a file, the program’s nonce logic can overwrite earlier values during chunked processing. The practical outcome is unsettling: larger files may be partially scrambled in a way that leaves most of the original content unrecoverable—even if victims try to pay.

The issue sits inside the ransomware’s attempt to speed up encryption for big data. VECT’s approach splits files into chunks and encrypts them sequentially. But each chunk’s encryption relies on a nonce output buffer, and the same memory buffer is reused across iterations. As each new chunk is processed, the nonce value from the previous chunk gets overwritten. By the time the file finishes processing, only the last nonce generated remains available, and only that final nonce is written out for decryption.

That design turns the ransomware into something closer to a data wiper for many real-world workloads. If only the last portion of the file can be decrypted, then the earlier parts are effectively lost. Researchers report that, because of the chunking behavior, roughly the last 25% of a file may remain recoverable while the preceding three quarters become impossible to decrypt. Even if VECT operators intended to restore data after payment, the missing nonce values aren’t transmitted to attackers either—so the “keys to recovery” never actually exist for those earlier chunks.

VECT has also been described as a ransomware marketed for affiliate activity, including access mechanisms and a recruitment model that invites outside participants to carry out attacks. In one recent thread, the operators framed their operation around exploiting environments impacted by earlier incidents, positioning it as a way to move faster into high-value systems after supply-chain compromises. Misryoum notes that this kind of affiliate-and-partnership ecosystem is a recurring pattern in modern ransomware, where the business model depends on scalability as much as technical capability.

The broader strategic context matters here. VECT operators reportedly referenced collaboration with TeamPCP, a threat actor associated with supply-chain attacks impacting products used in development and communications workflows. Those incidents included compromises affecting Trivy, LiteLLM, and Telnyx, along with an attack against the European Commission. The VECT operators’ stated aim was to exploit victims of those compromises by deploying ransomware payloads in affected environments—and to pursue further supply-chain targeting.

But the technical twist changes the risk profile for victims. Check Point’s analysis points out that VECT’s behavior is closely tied to a threshold around 128 KB. Misryoum interprets that boundary as the real reason this issue is likely to feel catastrophic inside enterprises. Many of the files organizations care about most—virtual machine disks, database files, and backups—often exceed that limit. The same analysis suggests that once files cross the “large file” classification, the ransomware’s chunked encryption flaw can wipe away nearly all meaningful recoverability.
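The following simulation, added here as an illustration and not code from Check Point’s analysis or from the malware itself, models the nonce-buffer behavior described above: a file is split into chunks, each chunk gets a fresh nonce written into the same buffer, and only the buffer’s final contents survive for decryption. It then measures what fraction of the file a decryptor holding that single nonce can restore, so an incident responder can reason about expected loss by file size. The keystream construction (SHA-256 over key, nonce and counter), the 12-byte nonce, the 128 KB chunk size, and the assumption that files at or below the 128 KB threshold are processed as a single chunk are all constructed for the example; only the threshold figure itself comes from the article.

```python
import os
import hashlib

NONCE_LEN = 12                      # constructed: nonce width used by the toy cipher
CHUNK_SIZE = 128 * 1024             # constructed: chunk size for "large" files
LARGE_FILE_THRESHOLD = 128 * 1024   # the ~128 KB boundary the analysis describes;
                                    # assumed here to mean "chunk only above this size"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256(key || nonce || counter) blocks concatenated.
    Illustrative only; stands in for whatever cipher the real malware uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (integer trick keeps it fast for big chunks)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypt_reusing_nonce_buffer(plaintext: bytes, key: bytes, chunk_size: int):
    """Models the flaw: one nonce buffer is overwritten on every chunk and only its
    final contents are emitted for later decryption. Returns (ciphertext, last_nonce)."""
    nonce_buffer = bytearray(NONCE_LEN)
    ciphertext = bytearray()
    for off in range(0, len(plaintext), chunk_size):
        nonce_buffer[:] = os.urandom(NONCE_LEN)      # clobbers the previous chunk's nonce
        chunk = plaintext[off:off + chunk_size]
        ciphertext += xor_bytes(chunk, keystream(key, bytes(nonce_buffer), len(chunk)))
    return bytes(ciphertext), bytes(nonce_buffer)     # earlier nonces are gone


def encrypt_with_per_chunk_nonces(plaintext: bytes, key: bytes, chunk_size: int):
    """Correct bookkeeping for comparison: every chunk's nonce is retained in order."""
    nonces = []
    ciphertext = bytearray()
    for off in range(0, len(plaintext), chunk_size):
        nonce = os.urandom(NONCE_LEN)
        nonces.append(nonce)
        chunk = plaintext[off:off + chunk_size]
        ciphertext += xor_bytes(chunk, keystream(key, nonce, len(chunk)))
    return bytes(ciphertext), nonces


def decrypt_chunks(ciphertext: bytes, key: bytes, chunk_size: int, nonces: list) -> bytes:
    """Decrypt chunk i with nonces[i]; a single-element list (the surviving nonce) is
    applied to every chunk, which is all a decryptor could do after the flaw."""
    out = bytearray()
    for i, off in enumerate(range(0, len(ciphertext), chunk_size)):
        nonce = nonces[i] if len(nonces) > 1 else nonces[0]
        chunk = ciphertext[off:off + chunk_size]
        out += xor_bytes(chunk, keystream(key, nonce, len(chunk)))
    return bytes(out)


def simulate_recoverable_fraction(file_size: int, chunk_size: int = CHUNK_SIZE,
                                  threshold: int = LARGE_FILE_THRESHOLD,
                                  keep_all_nonces: bool = False) -> float:
    """Fraction of a random file's bytes that decrypt correctly. With keep_all_nonces
    False only the last nonce survives (the described flaw); True models correct handling."""
    if file_size == 0:
        return 1.0
    plaintext = os.urandom(file_size)                 # constructed sample file content
    key = os.urandom(32)
    # Assumption: files at or below the threshold are encrypted as a single chunk.
    effective_chunk = file_size if file_size <= threshold else chunk_size
    if keep_all_nonces:
        ciphertext, nonces = encrypt_with_per_chunk_nonces(plaintext, key, effective_chunk)
    else:
        ciphertext, last_nonce = encrypt_reusing_nonce_buffer(plaintext, key, effective_chunk)
        nonces = [last_nonce]
    recovered = decrypt_chunks(ciphertext, key, effective_chunk, nonces)
    recoverable_bytes = 0
    for off in range(0, file_size, effective_chunk):
        if plaintext[off:off + effective_chunk] == recovered[off:off + effective_chunk]:
            recoverable_bytes += len(plaintext[off:off + effective_chunk])
    return recoverable_bytes / file_size


if __name__ == "__main__":
    for size in (64 * 1024, 300 * 1024, 512 * 1024, 4 * 1024 * 1024):
        print(f"{size // 1024:>5} KB: {simulate_recoverable_fraction(size):.1%} recoverable")
```

Under these assumptions a 512 KB file splits into four chunks and exactly the final quarter decrypts, matching the "last 25%" figure the researchers report for that chunk geometry; as the file grows past the threshold the recoverable share shrinks toward a single trailing chunk, which is why VM disks and database files fare worst. Passing `keep_all_nonces=True` restores 100%, isolating the bookkeeping bug as the sole cause of the loss.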

In other words, even without a perfectly clean “encryption failure” story, the outcome can be worse than typical ransomware for operations that rely on restore-from-backup or partial recovery. Recoverability isn’t just about whether a decryptor exists; it’s about whether the ciphertext is shaped in a way the decryptor can reverse. With the earlier nonces overwritten and not available for decryption, the usual ransom calculus becomes shaky. It’s also a reminder that ransomware quality—how consistently it performs cryptography correctly—varies widely, and some “versions” may carry accidental constraints that defenders can use to sharpen detection and response priorities.

The flaw appears across variants of VECT 2.0, including Windows, Linux, and ESXi. That cross-platform presence increases the chance that the same data-wiping pattern could show up regardless of where the malware lands—whether that’s endpoint storage, servers, or virtualized infrastructure. For defenders, the immediate implication is clear: incident response teams should treat “encryption” incidents involving VECT 2.0 as potentially destructive to backups and VM assets, not as a reversible lock-and-release scenario.

From an operational standpoint, this also adds fuel to the uncomfortable reality many organizations face: even if attackers are driven by profit, their tooling can still inflict irreversible damage. Misryoum expects the bigger takeaway to be less about whether victims can pay for recovery, and more about building resilience that assumes partial or complete data loss. The cleanest path is tight backup hygiene, rapid containment, and validation of restoration processes—before the next ransomware “version” decides to fail in the worst possible way.