If the newbie to the ransomware scene, VECT, comes knocking at your organisation’s door, do not pay the ransom! That is the call from researchers at leading global cybersecurity firm Check Point, which has been monitoring the emerging ransomware-as-a-service group. Together with partners BreachForums and TeamPCP (the supply chain actor behind attacks on Trivy, LiteLLM, and other widely used developer tools), VECT has built one of the largest ransomware affiliate networks to date.
“VECT’s lockers permanently destroy large files rather than encrypting them,” says Eli Smadja, group manager at Check Point Research. “That means even victims who pay the ransom cannot get their data back. The decryption keys simply do not exist. They were discarded at the moment of encryption by the malware itself.”
“This impacts the files that matter most in an enterprise attack: VM disk images, databases, backups, and archives. For these file types, VECT is not ransomware. It is a data wiper with a ransom note attached.”
VECT is being marketed as ransomware, but for any file larger than 131 KB – which is most of what enterprises actually care about – it functions as a data-destruction tool.

“What CISOs need to understand is that in a VECT incident, paying is not a recovery strategy,” Smadja says. “There is no decrypter that can be handed over, not because the attackers are unwilling, but because the information required to build one was destroyed the moment their software ran.”
In the event of a VECT attack, Smadja advises that the organisation’s focus has to be on resilience: offline backups, tested recovery procedures, and rapid containment – not negotiation.
Other findings from the Check Point research team:
• Prior industry reporting, including the group’s own advertising, described VECT as using ChaCha20-Poly1305 AEAD encryption. Check Point Research’s (CPR’s) analysis found this is incorrect: it uses a weaker, unauthenticated cipher with no integrity protection.
• CPR believes VECT is more likely the work of newcomers than experienced operators, and cannot rule out that parts of the codebase are AI-generated. An unusual geofencing detail suggests the code may be based on a leaked pre-2022 ransomware build rather than written from scratch as claimed.
• The encryption flaw exists across all versions. Windows, Linux, and ESXi variants are all affected. The bug has been present since before the public 2.0 release and has never been fixed.
A new threat with an ambitious playbook
VECT emerged in late 2025 with an unusual ambition: rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, it opened its doors to everyone. Through a formal partnership with BreachForums, a major cybercrime marketplace, VECT automatically granted every registered forum member access to its ransomware platform, putting the tooling in the hands of thousands of potential operators almost overnight.
At the same time, VECT announced a partnership with TeamPCP, the group responsible for a series of supply-chain attacks earlier this year that compromised popular software tools used by businesses worldwide. The stated goal, openly announced on BreachForums, was to use TeamPCP’s existing access as a launchpad for ransomware attacks against the companies it had already compromised.
On paper, this looked like a serious and scalable threat. In practice, Check Point Research gained access to the affiliate panel and builder, analysed all three payloads, and found something the group’s own operators may not know: their software is broken in a way that makes it far more destructive, and far less profitable, than intended.
Professional appearance, serious gaps
VECT has invested heavily in looking legitimate. The affiliate panel is well-designed. The partnerships are real. The marketing is polished, but analysis of the actual code tells a different story.
Several features the group advertises to operators simply do not work. Encryption speed settings, offered as a way to balance speed and thoroughness, are accepted by the software and then silently ignored. Every attack runs identically regardless of what settings the operator chooses.
Security evasion tools designed to help VECT avoid detection were built and compiled into the software, but are never actually activated. Any security researcher can run VECT today with no evasive response from the malware itself.
These are not minor oversights. They are the kinds of errors that basic testing would catch, and they suggest a group that has prioritised the appearance of a professional operation over building one.
What this means for your organisation
If you have been hit: Do not pay. For large files, which include the vast majority of business-critical data, there is no functional decryptor, and there never will be. Paying transfers money to criminals and returns nothing. Focus on recovery from clean backups and engage your incident response team immediately.
If you have not been hit: VECT’s current limitations do not make it harmless. Data can still be exfiltrated before encryption runs. Systems still go down. The flaws identified are correctable; a future version that fixes them, distributed through the same network that already has thousands of affiliates, would be significantly more dangerous. This group is worth watching.
Find out more at https://tinyurl.com/mr2a4tra
© Technews Publishing (Pty) Ltd. | All Rights Reserved.