Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

TeamPCP-linked VECT 2.0 ransomware unintentionally destroys files larger than 128 KB

The VECT 2.0 ransomware, associated with the TeamPCP threat actor, contains a critical flaw in its encryption implementation across its Windows, Linux, and ESXi variants where files larger than 128 KB are permanently destroyed instead of being reversibly encrypted; this occurs because the decryption nonces for each of the four encryption chunks overwrite each other, leaving only the final chunk recoverable.

Ransomware, Threat Intelligence, Data Security

April 29, 2026, by Laura French

VECT 2.0 ransomware inadvertently destroys files larger than 128 KB during encryption, making them unrecoverable by anyone, including the threat actors themselves, Check Point Research reported Tuesday.

The VECT ransomware-as-a-service (RaaS) group first appeared in December 2025 and reportedly partnered with the threat actor TeamPCP in March 2026. The RaaS currently lists two victims on its dedicated leak site, both claimed to be tied to TeamPCP’s supply chain attacks on Trivy and LiteLLM in March. At the same time it announced its TeamPCP partnership, VECT announced a partnership with BreachForums, saying all BreachForums members would be given affiliate access to the ransomware.

Leveraging this open availability, Check Point researchers gained access to the VECT 2.0 panel and ransomware builder, and analyzed the ransomware’s Windows, Linux and ESXi versions. The researchers found an error in the encryption implementation across all three versions that causes files larger than 128 KB to be effectively destroyed rather than reversibly encrypted. The error arises because the ransomware encrypts these “large” files in four chunks, but the nonce generated for each chunk is written to the same location as the previous one, overwriting it. Only the nonce for the final chunk survives, so the other three chunks cannot be decrypted and the rest of the file is unrecoverable.

Check Point also noted that the encryption algorithm used by VECT is ChaCha20-IETF with no authentication, not the ChaCha20-Poly1305 AEAD that VECT had previously advertised and that had been widely reported as a result.
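The two findings above (per-chunk nonces overwriting one another, and raw ChaCha20-IETF with no authentication tag) are easy to reproduce in miniature. The following is an added example written for this page, not code from VECT or from Check Point: a pure-Python ChaCha20 (RFC 8439, 96-bit nonce) that checks itself against the RFC's own test vector, driving a toy four-chunk file encryptor. The on-disk layout used here (a header of 12-byte nonce slots followed by the ciphertext body), the function names, and the 4096-byte constructed input are assumptions for illustration; nothing about VECT's real file format is claimed.

```python
# Added illustration (not VECT's code): pure-Python ChaCha20-IETF (RFC 8439)
# driving a toy 4-chunk file encryptor whose nonce header can be written the
# buggy way (one slot overwritten per chunk) or the correct way (one slot per
# chunk). The on-disk layout is an assumption made for this example.
import os
import struct

MASK = 0xFFFFFFFF
CHUNKS = 4
NONCE_LEN = 12

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit block counter, 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key) + (counter & MASK,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))

def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: data XOR keystream. No Poly1305 tag, so no integrity check."""
    out = bytearray()
    for off in range(0, len(data), 64):
        chunk = data[off:off + 64]
        ks = chacha20_block(key, counter + off // 64, nonce)[:len(chunk)]
        out += (int.from_bytes(chunk, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(chunk), "little")
    return bytes(out)

def rfc8439_selftest():
    """RFC 8439 section 2.4.2 vector: confirms the cipher above is real ChaCha20, not a toy."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt, counter=1)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"

def encrypt_file(key, data, overwrite_nonce_slot):
    """Encrypt data in CHUNKS pieces, each under a fresh random nonce.
    overwrite_nonce_slot=True reproduces the reported bug: every chunk's nonce is
    written to the same header slot, so only the last nonce survives on disk."""
    edges = [i * len(data) // CHUNKS for i in range(CHUNKS + 1)]
    header = bytearray(NONCE_LEN * (1 if overwrite_nonce_slot else CHUNKS))
    body = bytearray()
    for i in range(CHUNKS):
        nonce = os.urandom(NONCE_LEN)
        slot = 0 if overwrite_nonce_slot else i * NONCE_LEN
        header[slot:slot + NONCE_LEN] = nonce
        body += chacha20_xor(key, nonce, data[edges[i]:edges[i + 1]])
    return bytes(header), bytes(body), edges

def recover_chunks(key, header, body, edges, original):
    """Decrypt with whatever nonces the header still holds; True per chunk that comes back intact."""
    slots = [header[i:i + NONCE_LEN] for i in range(0, len(header), NONCE_LEN)]
    ok = []
    for i in range(CHUNKS):
        nonce = slots[i] if i < len(slots) else slots[-1]  # clobbered header: one survivor only
        pt = chacha20_xor(key, nonce, body[edges[i]:edges[i + 1]])
        ok.append(pt == original[edges[i]:edges[i + 1]])
    return ok

def demo(size=4096):
    """Per-chunk recovery for the buggy and the fixed header layout. The input is
    constructed random bytes standing in for a file over the 128 KB threshold
    (kept small because this pure-Python cipher is slow)."""
    key, data = os.urandom(32), os.urandom(size)
    out = {}
    for label, bug in (("buggy", True), ("fixed", False)):
        header, body, edges = encrypt_file(key, data, overwrite_nonce_slot=bug)
        out[label] = recover_chunks(key, header, body, edges, data)
    return out

def malleability_check(key):
    """Without a Poly1305 tag, flipping a ciphertext bit flips the same plaintext bit, silently."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytearray(chacha20_xor(key, nonce, b"pay 100 USD"))
    ct[4] ^= 0x01  # '1' (0x31) becomes '0' (0x30) after decryption, and nothing notices
    return chacha20_xor(key, nonce, bytes(ct))

if __name__ == "__main__":
    print("RFC 8439 self-test:", rfc8439_selftest())
    print(demo())                              # buggy: [False, False, False, True]
    print(malleability_check(os.urandom(32)))  # b'pay 000 USD'
```

With the buggy header only chunk 3 decrypts, exactly the "only the final chunk recoverable" outcome the article describes; with one slot per chunk all four come back. The malleability check is the practical meaning of "ChaCha20-IETF with no authentication": a decryptor cannot tell a correct nonce from a wrong one or an intact ciphertext from a tampered one, which is why the AEAD variant VECT advertised would have mattered.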
Other ‘amateur’ mistakes found in VECT 2.0 ransomware

Check Point provided additional details about the three VECT 2.0 variants, revealing an “amateur execution” despite the group’s “professional façade,” the researchers wrote. The ransomware’s encryption engine uses an excessive number of encryptor threads per CPU, which, rather than speeding up encryption, makes the system spend unnecessary time switching between threads, the researchers said.

“On a typical 8-CPU target, this produces 6 scanner and 42 encryptor threads simultaneously competing for the same disk I/O channels — overkill by any measure, and a thread count that would make any seasoned ransomware developer laugh,” the Check Point team wrote.

Additionally, the Windows version includes three anti-analysis mechanisms — a scan of running processes, a parent process check and a kernel debug-object query — but none of them is ever actually invoked during execution. In the Linux version, the malware attempts to encrypt its command-line flag strings but accidentally applies the XOR operation twice, so the two passes cancel out and the plaintext strings remain fully visible, Check Point said. Even the ASCII art used in VECT’s branding is broken, as the developers failed to escape backslash characters, the researchers added.

“VECT 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation,” the Check Point Research team concluded.
Due to the encryption error, Check Point emphasizes that companies that pay a ransom will not be able to recover most important files, “not because the operator is uncooperative, but because the nonces required for decryption no longer exist.”

Earlier this year, researchers at Coveware discovered a similar error in the Nitrogen ransomware affecting ESXi systems. That ransomware was found to inadvertently overwrite part of the public key derived from the private key used for encryption, making it impossible for anyone, including Nitrogen, to decrypt the files.