Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: The Register Security

Don't pay Vect a ransom - your data's likely already wiped out

The threat is a supply-chain attack compromising security and developer tools (Trivy, LiteLLM, Checkmarx, Telnyx) with credential-stealing malware, followed by extortion using the "Vect" malware, which is actually a data wiper that permanently destroys files larger than 128KB. The article does not provide a CVSS score, specific affected version ranges, a fixed version, or a workaround for the compromised tools.

Cyber-crime

'Full recovery is impossible for anyone, including the attacker'

Jessica Lyons, Tue 28 Apr 2026 // 18:36 UTC

Organizations hit by the wave of Trivy and LiteLLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research. That's because the ransomware Vect uses isn't actually ransomware at all, but a wiper that destroys any file larger than 128KB.

Vect's leak site lists 25 organizations since January, and four since March, which is when the extortions from the supply chain attacks began. It's unclear, however, how many - if any - of the listed orgs are tied to Trivy and LiteLLM-related compromises.

"On April 15, the group claimed two larger victims, Guesty (700GB) and S&P Global (250GB), allegedly tied to earlier TeamPCP compromises," Eli Smadja, group manager at Check Point Research, told The Register. "However, these claims cannot be independently verified, and there is no confirmed visibility into how many of these cases resulted in successful ransom payments versus data being leaked without payment." Neither Guesty nor S&P Global responded to The Register's inquiries.

Vect is one of the crime crews partnering with TeamPCP to leak data and extort victims of the ongoing attacks that infected Trivy, LiteLLM, Checkmarx, and Telnyx. After initially compromising the security and developer tools, infecting them with self-propagating credential-stealing malware, TeamPCP and Vect announced their new partnership on BreachForums, bragging: "we will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns." Plus Vect announced a partnership with the data leak site itself, and said that every registered BreachForums user can use Vect's ransomware, negotiation platform, and website.
So Check Point researchers opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware. They quickly determined that the ransomware-as-a-service group also isn't very good at writing code - "not technically sophisticated" and "amateur execution" are how Check Point's research team describes the crims - and they appear to have accidentally written a data wiper. Instead of encrypting large files, which is what ransomware is supposed to do, Vect 2.0 ransomware permanently destroys any files larger than 131,072 bytes (128 KB).

"Full recovery is impossible for anyone, including the attacker," the security analysts wrote. "At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions."

The ransomware, as advertised, includes Windows, Linux, and ESXi variants. All share the same encryption design built on libsodium, the same file-size thresholds, the same four-chunk logic, and the same flaw: the encryption implementation discards three of four decryption nonces for every file larger than 128 KB.

In addition to the nonce-handling flaw, the malware analysts say they spotted "multiple" other bugs and design failures across all ransomware variants, suggesting that even criminals can't vibe code their way to a successful operation.
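Why losing the nonces makes the data unrecoverable even for whoever holds the key, as an added illustration that is not Check Point's analysis code and not Vect's actual implementation: a file is split into four chunks, each sealed under its own random nonce with an AEAD, and the decryptor is then handed either all four nonces (correct design) or only the first (the flaw the researchers describe). The article says Vect builds on libsodium; this example substitutes AES-256-GCM from Go's standard library, and the container type, chunking rule and function names are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedFile is a constructed toy container (an assumption, not Vect's
// real on-disk format): one ciphertext per chunk plus whatever nonces the
// decryptor was actually given.
type EncryptedFile struct {
	Nonces [][]byte
	Chunks [][]byte
}

// NewAEAD builds AES-256-GCM from a 32-byte key. It stands in for the
// libsodium construction the article mentions; the nonce lesson is the same.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFourChunks splits data into (up to) four equal chunks and seals each
// under a fresh random nonce, retaining every nonce: the correct design.
func EncryptFourChunks(aead cipher.AEAD, data []byte) (EncryptedFile, error) {
	var f EncryptedFile
	if len(data) == 0 {
		return f, nil
	}
	chunkLen := (len(data) + 3) / 4 // ceil(len/4): "four-chunk logic"
	for start := 0; start < len(data); start += chunkLen {
		end := start + chunkLen
		if end > len(data) {
			end = len(data)
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return EncryptedFile{}, err
		}
		f.Nonces = append(f.Nonces, nonce)
		f.Chunks = append(f.Chunks, aead.Seal(nil, nonce, data[start:end], nil))
	}
	return f, nil
}

// DiscardAllButFirstNonce models the flaw: three of the four nonces are
// thrown away and only the first survives for decryption.
func DiscardAllButFirstNonce(f EncryptedFile) EncryptedFile {
	if len(f.Nonces) == 0 {
		return f
	}
	return EncryptedFile{Nonces: f.Nonces[:1], Chunks: f.Chunks}
}

// Recover plays the decryptor that holds the correct key. A chunk whose own
// nonce is missing is tried with the last nonce available; the AEAD tag
// rejects it, so the chunk is reported lost rather than silently corrupted.
// It returns the concatenated recovered chunks and how many were recovered.
func Recover(aead cipher.AEAD, f EncryptedFile) ([]byte, int) {
	if len(f.Nonces) == 0 {
		return nil, 0
	}
	var out bytes.Buffer
	recovered := 0
	for i, ct := range f.Chunks {
		nonce := f.Nonces[len(f.Nonces)-1]
		if i < len(f.Nonces) {
			nonce = f.Nonces[i]
		}
		pt, err := aead.Open(nil, nonce, ct, nil)
		if err != nil {
			continue // wrong nonce: authentication fails, chunk unrecoverable
		}
		out.Write(pt)
		recovered++
	}
	return out.Bytes(), recovered
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aead, err := NewAEAD(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample "file": exactly 128 KiB, the threshold the article cites.
	data := make([]byte, 128*1024)
	for i := range data {
		data[i] = byte(i)
	}
	f, err := EncryptFourChunks(aead, data)
	if err != nil {
		panic(err)
	}
	_, good := Recover(aead, f)
	_, bad := Recover(aead, DiscardAllButFirstNonce(f))
	fmt.Printf("all nonces kept:      %d/%d chunks recovered\n", good, len(f.Chunks))
	fmt.Printf("three nonces dropped: %d/%d chunks recovered\n", bad, len(f.Chunks))
}
```

The point for responders is that the loss is cryptographic, not a matter of a missing tool: with a 96-bit GCM nonce (or a 192-bit libsodium secretbox nonce) the discarded values cannot be guessed, so a decryptor supplied after payment would face the same authentication failures on three quarters of every large file.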
As the researchers note: "The authors know what features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all." ®
