VECT 2.0 ransomware bug shreds files over 128KB instead of encrypting them
Check Point researchers found a fatal flaw in VECT 2.0, a ransomware-as-a-service offering pushed on BreachForums and recently aligned with TeamPCP — the crew behind supply-chain attacks on Trivy, LiteLLM, Telnyx, and the European Commission. For files above 128KB, the encryptor splits data into chunks but reuses a single memory buffer for the nonce output across every chunk. Each new nonce overwrites the prior one, so only the final nonce ever reaches disk.
The practical result: only the last 25% of any large file remains decryptable. The earlier chunks are unrecoverable because the nonces are gone, and they aren’t transmitted to the operators either — meaning even paying the ransom cannot restore the data. The flaw is present across the Windows, Linux, and ESXi variants.
The 128KB threshold is low enough that nearly everything of value — VM disks, databases, backups, mailboxes, ordinary documents and spreadsheets — falls into the broken path. In effect VECT 2.0 functions as a wiper dressed up as ransomware, with no recovery option regardless of payment.
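As an added illustration (not VECT 2.0's code and not from Check Point's write-up), the model below implements chunked authenticated encryption two ways: persisting one nonce per chunk, and the defective way described above, where each chunk's nonce is written into a single shared buffer so only the last one reaches disk. The cipher (an HMAC-based stream cipher), the 1 KiB chunk size and the four-chunk sample are assumptions chosen to make the "last chunk only" outcome visible; they are not the malware's real parameters.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16

def keystream(key, nonce, length):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); an assumption, not VECT's cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, nonce, pt):
    # Encrypt-then-MAC over (nonce, ciphertext): a wrong nonce fails authentication.
    ct = xor(pt, keystream(key, nonce, len(pt)))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def unseal(key, nonce, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return xor(ct, keystream(key, nonce, len(ct))) if hmac.compare_digest(expect, tag) else None

def encrypt_chunked(key, data, chunk_size, reuse_nonce_buffer):
    """Encrypt chunk by chunk; returns (sealed_chunks, nonces_that_reach_disk). With
    reuse_nonce_buffer=True (the VECT 2.0 defect) every nonce lands in one shared buffer."""
    sealed, nonces, shared = [], [], bytearray(NONCE_LEN)
    for i in range(0, len(data), chunk_size):
        nonce = os.urandom(NONCE_LEN)
        sealed.append(seal(key, nonce, data[i:i + chunk_size]))
        if reuse_nonce_buffer:
            shared[:] = nonce        # overwrites the previous chunk's nonce
        else:
            nonces.append(nonce)     # correct handling: one persisted nonce per chunk
    return sealed, ([bytes(shared)] if reuse_nonce_buffer else nonces)

def recover(key, sealed, nonces):
    # Decryptor model: plaintext per chunk, or None when no persisted nonce authenticates it.
    out = []
    for blob in sealed:
        hits = [pt for n in nonces if (pt := unseal(key, n, blob)) is not None]
        out.append(hits[0] if hits else None)
    return out

if __name__ == "__main__":
    key, data = os.urandom(32), bytes(range(256)) * 16    # constructed 4 KiB sample, 4 chunks
    print([pt is not None for pt in recover(key, *encrypt_chunked(key, data, 1024, True))])
```

Even with the key in hand, a decryptor can only authenticate and restore the final chunk of the defective output; the earlier chunks fail authentication because their nonces never existed anywhere but the overwritten buffer.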
Source: BleepingComputer. This is an AI-generated summary; read the original article for the full story.