EXECUTIVE SUMMARY:
VECT ransomware is a Ransomware-as-a-Service program that permanently destroys large files rather than encrypting them. A critical flaw in the encryption implementation discards three of four decryption nonces for every file above 128 KB, making full recovery impossible for anyone, including the attacker. This effectively makes VECT a wiper for virtually any file containing meaningful data, including enterprise assets such as VM disks, databases, documents, and backups.
The encryption mechanism is built on libsodium and shares the same file-size thresholds, four-chunk logic, and nonce-handling flaw across all variants. The cipher is misidentified as ChaCha20-Poly1305 AEAD, but it actually uses raw ChaCha20-IETF with no authentication. Additionally, the advertised encryption speed modes are not implemented, and the --fast, --medium, and --secure flags are parsed but ignored. The encryption performance is degraded by a thread scheduler, and multiple bugs and design failures have been identified, including self-cancelling string obfuscation and unreachable anti-analysis code.
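As an added illustration, not code from the report or from the malware, the following Python models the two cryptographic points above with a compact RFC 8439 ChaCha20 implementation: a chunk whose nonce has been discarded cannot be recovered even by the holder of the key, and raw ChaCha20-IETF without Poly1305 gives no integrity check. The four-chunk, one-surviving-nonce layout and the chunk sizes are a constructed simplification; the real on-disk format is not described here.

```python
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # RFC 8439 block function: 32-byte key, 32-bit block counter, 12-byte (IETF) nonce
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 double rounds (column round, then diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(w, state)])

def chacha20_ietf_xor(key, nonce, data):
    # Raw ChaCha20-IETF: keystream XOR data, no Poly1305 tag, so nothing is verified on decryption.
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, i // 64, nonce)))
    return bytes(out)

def nonce_loss_model(plaintext, chunks=4, kept=1):
    # Constructed model of the flaw: one key, a fresh nonce per chunk, only the first `kept` nonces survive.
    key = os.urandom(32)
    size = -(-len(plaintext) // chunks)
    parts = [plaintext[i:i + size] for i in range(0, len(plaintext), size)]
    nonces = [os.urandom(12) for _ in parts]
    cipher = [chacha20_ietf_xor(key, n, p) for n, p in zip(nonces, parts)]
    surviving = nonces[:kept]  # the rest are discarded; their keystream cannot be rebuilt from the key alone
    recovered = [chacha20_ietf_xor(key, surviving[i], c) if i < kept else None
                 for i, c in enumerate(cipher)]
    return parts, recovered  # None marks a chunk whose nonce is gone

def malleability_check(key, nonce, plaintext, flip_at):
    # The "no authentication" point: a flipped ciphertext byte silently flips the same
    # plaintext byte. An AEAD (ChaCha20-Poly1305) would reject the modified ciphertext.
    ct = bytearray(chacha20_ietf_xor(key, nonce, plaintext))
    ct[flip_at] ^= 0x01
    return chacha20_ietf_xor(key, nonce, bytes(ct))
```

The block function is checked against the RFC 8439 test vector, so the unrecoverable chunks in the model are a property of the cipher, not of a broken implementation.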
A single codebase ported across platforms confirms that VECT is a unified threat whose professional facade hides amateur execution. Because the nonce-handling flaw turns encryption into irreversible destruction for any file above 128 KB, VECT behaves as a wiper against exactly the enterprise assets that matter most, and an organization that falls victim should expect the data loss to be permanent regardless of whether a ransom is paid.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059 | Command and Scripting Interpreter | - |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Credential Access | T1003 | OS Credential Dumping | - |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1018 | Remote System Discovery | - |
| Lateral Movement | T1021 | Remote Services | - |
| Command and Control | T1071 | Application Layer Protocol | - |
| Impact | T1486 | Data Encrypted for Impact | - |
| Impact | T1485 | Data Destruction | - |
REFERENCES:
The following report contains further technical details:
https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/