
VECT 2.0 Ransomware Operation Degrades to Irreversible Data Destruction Due to Critical Encryption Flaw

4 unique sources, 4 articles

Summary


VECT 2.0 ransomware has been confirmed as an irreversible data wiper due to a critical nonce-handling flaw that discards decryption metadata for 75% of affected files, ensuring recovery is impossible regardless of ransom payment. The flaw lies in the malware's ChaCha20-IETF encryption scheme: it encrypts four independent chunks per large file but only stores the final 12-byte nonce on disk, discarding the first three nonces required for decryption. The operation, structured as a ransomware-as-a-service scheme with a $250 Monero affiliate fee (waived for Commonwealth of Independent States actors), originated on a Russian-language cybercrime forum in December 2025 before being detected by security researchers in early January 2026. VECT 2.0 rapidly expanded through partnerships with BreachForums and TeamPCP, the latter of which provides access to victims compromised in recent supply-chain attacks. Analysts emphasize that negotiating with the actors offers no path to file recovery and that the malware's 128KB file-size threshold ensures nearly all enterprise and user files are targeted. Additional analysis revealed multiple implementation flaws beyond the encryption flaw, including faulty obfuscation, unreachable anti-analysis code, and performance-degrading scheduler bugs. Organizations are advised to prioritize prevention through employee training, EDR monitoring, offline immutable backups, and strict access controls, particularly for ESXi environments.

Timeline

  1. 28.04.2026 17:01 · 4 articles

    VECT 2.0 Ransomware Variant Fails as Encryption Tool, Acts as Irreversible Data Wiper

    Check Point’s latest analysis confirms the nonce-handling flaw in VECT 2.0’s ChaCha20-IETF encryption scheme: four independent chunks per large file are encrypted using four 12-byte nonces, but only the final nonce is stored on disk while the first three nonces required for decryption are discarded. This flaw, identical across Windows, Linux, and ESXi variants, ensures files larger than 128KB are irretrievably destroyed regardless of ransom payment. Additional implementation flaws are reiterated, including encryption modes parsed but never applied, self-cancelling string obfuscation routines, and an incorrectly described cipher in public reporting. The flaw was unintended by the operators, as its discovery reduces victim willingness to pay ransom and complicates monetization. Security guidance stresses prevention through employee training, EDR monitoring, offline immutable backups, and strict access controls for ESXi environments, with particular emphasis on validating third-party software integrity due to the confirmed TeamPCP partnership.
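To make the reported flaw concrete, the following is an added example (not code from Check Point, the aggregator, or the malware itself): a compact RFC 8439 ChaCha20 implementation plus a constructed model of the four-chunk scheme in which each chunk is encrypted under its own random 12-byte nonce but only the last nonce is kept. Decrypting with the one stored nonce brings back only the fourth chunk, which is why neither the operators nor the victim can restore the other three quarters of any file above the 128KB threshold; the equal chunk sizes and the footer layout are assumptions for illustration.

```python
import os
import struct

MASK = 0xffffffff
CHUNKS, NONCE_LEN = 4, 12   # four chunks per large file, 12-byte IETF nonces (as reported)

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _qr(s, a, b, c, d):
    # ChaCha quarter round, RFC 8439 section 2.1
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block, IETF layout: 32-bit counter + 96-bit nonce."""
    init = struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce)
    w = list(init)
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(w, init)])

def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream from counter 0."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

def encrypt_like_vect(key, plaintext):
    """Constructed model of the reported scheme: every chunk gets a fresh random nonce,
    but the variable is overwritten each time, so only the fourth nonce reaches disk."""
    size = -(-len(plaintext) // CHUNKS)
    out, stored_nonce = b"", None
    for i in range(CHUNKS):
        nonce = os.urandom(NONCE_LEN)      # 96 random bits per chunk: not brute-forceable
        out += chacha20_xor(key, nonce, plaintext[i * size:(i + 1) * size])
        stored_nonce = nonce                # nonces 1-3 are discarded at this point
    return out, stored_nonce

def recover_with_stored_nonce(key, ciphertext, stored_nonce, plaintext):
    """Decrypt each chunk with the only nonce on disk; report which chunks come back intact."""
    size = -(-len(plaintext) // CHUNKS)
    return [chacha20_xor(key, stored_nonce, ciphertext[i * size:(i + 1) * size])
            == plaintext[i * size:(i + 1) * size] for i in range(CHUNKS)]
```

Even with the correct key in hand, the result for a four-chunk file is `[False, False, False, True]`: the keystreams for chunks one to three depend on nonces that no longer exist anywhere.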



Similar Happenings

Reynolds Ransomware Integrates BYOVD Driver for EDR Evasion

A new ransomware family, Reynolds, has been discovered with a built-in Bring Your Own Vulnerable Driver (BYOVD) component designed to disable Endpoint Detection and Response (EDR) security tools. The ransomware embeds the NsecSoft NSecKrnl driver, which is vulnerable to a known flaw (CVE-2025-68947), to terminate processes associated with various security programs. This integration allows the ransomware to evade detection and maintain persistence on compromised systems. The Reynolds ransomware campaign also involved the deployment of a suspicious side-loaded loader and the GotoHTTP remote access program, indicating a sophisticated attack strategy.

VMware ESXi Sandbox Escape Flaw Exploited in Ransomware Attacks

CISA has confirmed that ransomware gangs are now exploiting a high-severity VMware ESXi sandbox escape vulnerability (CVE-2025-22225), which was previously used in zero-day attacks. The flaw allows privileged attackers within the VMX process to perform arbitrary kernel writes, leading to a sandbox escape. Broadcom patched this vulnerability in March 2025, but it has since been leveraged in ransomware campaigns. The vulnerability affects multiple VMware products, including ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform.

New Vect RaaS Group Targets Organizations in Brazil and South Africa

A new ransomware-as-a-service (RaaS) group named Vect has emerged, targeting organizations in Brazil and South Africa. The group, which began recruiting affiliates in December 2025, uses custom-built C++ malware with ChaCha20-Poly1305 AEAD encryption and intermittent encryption techniques. Vect operates with a high level of maturity, offering cross-platform ransomware targeting Windows, Linux, and VMware ESXi, and employs strong operational security measures. The group has already claimed two victims and operates a double extortion model. Vect's malware is notable for its speed and disruption capabilities, and the group's infrastructure is exclusively hosted on TOR hidden services. Initial access is likely achieved through exposed RDP/VPN, stolen credentials, phishing, or vulnerability exploitation.

Sicarii Ransomware Decryption Fails Due to Key Generation Flaw

The Sicarii ransomware, a new ransomware-as-a-service (RaaS) offering, has a critical flaw in its decryption process. The malware regenerates a new RSA key pair during execution, discards the private key, and leaves victims without a viable decryption path. This means that even if victims pay the ransom, their data remains encrypted. Researchers suggest that the flaw may be due to the use of AI-assisted tooling by inexperienced developers. The ransomware also exhibits unusual behavior, including the use of Hebrew language and symbols that appear to be machine-translated, raising questions about the authenticity of the group's claimed identity.

Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication

Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.