10 Critical Flaws Behind VECT Ransomware's Accidental Wiper Behavior
<p>When VECT ransomware appeared on cybercrime forums in late 2025, it promised to be a powerful new Ransomware-as-a-Service (RaaS) operation. But Check Point Research (CPR) soon uncovered a shocking truth: a critical encryption flaw makes VECT permanently destroy large files instead of encrypting them—essentially turning it into a wiper by accident. Here are the 10 key findings every security professional needs to understand.</p>
<h2 id="item1">1. VECT Ransomware: A New RaaS Player with Ambitions</h2>
<p>VECT debuted in December 2025 on a Russian-language cybercrime forum as a RaaS program. It quickly claimed victims and grabbed attention by announcing a partnership with TeamPCP, the group behind supply-chain attacks that compromised popular tools like Trivy, KICS, LiteLLM, and Telnyx. VECT also teamed up with BreachForums, promising every registered forum user affiliate access. Despite this professional façade, a deep dive into VECT's code reveals amateur execution at its core—a pattern that repeats across all its versions.</p><figure style="margin:20px 0"><img src="https://research.checkpoint.com/wp-content/uploads/2026/04/Cover2-1024x576.png" alt="10 Critical Flaws Behind VECT Ransomware's Accidental Wiper Behavior" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: research.checkpoint.com</figcaption></figure>
<h2 id="item2">2. The Fatal Nonce Implementation Flaw</h2>
<p>CPR identified a critical bug in VECT's encryption routine: for files larger than 131,072 bytes (128 KB), the ransomware discards three out of four decryption nonces. A nonce is a value that is used once per encryption and, together with the key, determines the keystream; if it is lost, the key alone cannot decrypt the data that was encrypted under it. This flaw is identical across the Windows, Linux, and ESXi variants, confirming a single flawed codebase. Without the correct nonces, even the attackers cannot recover the data. This isn't just an oversight; it's a design failure that makes VECT ineffective as ransomware and destructive as a wiper.</p>
<h2 id="item3">3. Why Files Over 128 KB Are Permanently Lost</h2>
<p>The 128 KB threshold is devastating: almost every meaningful file—VM disks, databases, documents, backups—exceeds this size. VECT splits each file into four chunks and generates a nonce for each, but a bug saves only the first nonce and overwrites the others. Once encrypted, only the first chunk can be decrypted; the remaining three chunks are irrecoverable. Full recovery is impossible for anyone, including the original operator. This effectively transforms VECT from ransomware into a wiper, destroying valuable enterprise assets beyond repair. For victims, paying the ransom is pointless—the data is already gone.</p>
<h2 id="item4">4. Misidentified Encryption: ChaCha20 without Poly1305</h2>
<p>Several threat intelligence reports and VECT's own advertisements claim it uses ChaCha20-Poly1305 AEAD (Authenticated Encryption with Associated Data). However, CPR confirms VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication. There is no Poly1305 MAC tag, meaning there is no integrity protection for the ciphertext. This misidentification matters because it affects forensic analysis and decryption attempts. Without the tag, decrypting with a wrong key or nonce produces garbage rather than an error, so neither the attackers nor the victim can verify that a decryption result is correct, and any corruption of the ciphertext goes undetected. This is yet another sign of amateur cryptographic design.</p>
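<p>To make findings 2 through 4 concrete, here is an added illustration (not VECT's code and not CPR's tooling): a pure-Python ChaCha20-IETF (RFC 8439) stream cipher with no Poly1305 tag, a file split into four chunks each encrypted under its own nonce, and a footer that either keeps all four nonces or, modelling the flaw CPR describes, only the first. The equal-size chunk slicing, the footer layout, and the function names are assumptions for the demonstration; the 128 KB threshold and four-chunk count are the values from the article.</p>

```python
# Added illustration (not VECT's code, not CPR's tooling): pure-Python
# ChaCha20-IETF (RFC 8439) used as a raw stream cipher, a four-chunk file
# layout with one nonce per chunk, and the effect of retaining only the
# first nonce. Chunk slicing and the footer format are assumptions.
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    # RFC 8439 section 2.3: 256-bit key, 32-bit block counter, 96-bit nonce.
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20: the same call encrypts and decrypts. There is no Poly1305
    tag, so a wrong nonce or a modified ciphertext decrypts to garbage silently."""
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        for j, b in enumerate(data[i:i + 64]):
            out[i + j] = b ^ ks[j]
    return bytes(out)

CHUNK_THRESHOLD = 131_072  # 128 KB: size above which CPR says VECT chunks files
NUM_CHUNKS = 4

def chunk_bounds(size):
    # Assumed layout: four roughly equal slices; VECT's real slicing is not on the page.
    return [(i * size // NUM_CHUNKS, (i + 1) * size // NUM_CHUNKS) for i in range(NUM_CHUNKS)]

def encrypt_chunked(key, data, keep_all_nonces):
    """Encrypt each chunk under its own random nonce. With keep_all_nonces=False
    only the first nonce reaches the (assumed) footer, modelling the flaw."""
    ciphertext, footer = b"", []
    for i, (start, end) in enumerate(chunk_bounds(len(data))):
        nonce = os.urandom(12)
        ciphertext += chacha20_xor(key, nonce, data[start:end])
        if keep_all_nonces or i == 0:
            footer.append(nonce)
    return ciphertext, footer

def decrypt_chunked(key, ciphertext, footer):
    """One entry per chunk: the plaintext bytes, or None when its nonce is gone."""
    return [chacha20_xor(key, footer[i], ciphertext[s:e]) if i < len(footer) else None
            for i, (s, e) in enumerate(chunk_bounds(len(ciphertext)))]

def recoverable_bytes(key, data, keep_all_nonces):
    """How many bytes of `data` survive an encrypt/decrypt round trip."""
    ct, footer = encrypt_chunked(key, data, keep_all_nonces)
    bounds = chunk_bounds(len(data))
    return sum(e - s for (s, e), pt in zip(bounds, decrypt_chunked(key, ct, footer))
               if pt is not None and pt == data[s:e])

def tamper_is_silent(key, data):
    """Flip one ciphertext byte; raw ChaCha20 'decrypts' it without any error."""
    nonce = os.urandom(12)
    ct = bytearray(chacha20_xor(key, nonce, data))
    ct[0] ^= 0x01
    pt = chacha20_xor(key, nonce, bytes(ct))
    return pt != data and pt[1:] == data[1:]  # exactly one byte corrupted, no exception

if __name__ == "__main__":
    key = os.urandom(32)
    sample = os.urandom(CHUNK_THRESHOLD + 1)  # constructed: one byte over the threshold
    print("intact footer :", recoverable_bytes(key, sample, True), "of", len(sample))
    print("flawed footer :", recoverable_bytes(key, sample, False), "of", len(sample))
    print("tamper silent :", tamper_is_silent(key, sample[:64]))
```

<p>Run stand-alone, the flawed footer recovers only the first quarter of the file, which is the data-loss mechanism behind findings 2 and 3; the tamper check shows the point of finding 4, that a raw stream cipher gives no signal when ciphertext is modified or the wrong nonce is supplied. For defenders the takeaway is the same as the article's: recovery must come from backups, not from the key.</p>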
<h2 id="item5">5. Fake Speed Toggles: --fast, --medium, and --secure Ignored</h2>
<p>VECT's Linux and ESXi variants include command-line flags --fast, --medium, and --secure, supposedly letting operators choose encryption speed versus security. But CPR discovered these flags are parsed and then silently ignored. Every execution uses identical hardcoded thresholds regardless of operator selection. This means the ransomware always runs with the same behavior, no matter what the attacker specifies. It's a classic example of vaporware features—options that exist in the interface but have no effect. This not only misleads affiliates but also shows a lack of quality control in development.</p>
<h2 id="item6">6. One Flawed Engine Across Three Platforms</h2>
<p>VECT targets Windows, Linux, and VMware ESXi, but all three variants share an identical encryption design built on libsodium. The same file-size thresholds (128 KB), the same four-chunk logic, and the same nonce-handling flaw appear in each platform's binary. This confirms that VECT was developed from a single codebase, likely cross-compiled with minimal adaptations. While multi-platform support sounds sophisticated, the shared flaw amplifies its impact: any environment running any variant suffers the same data destruction. The engine is consistent—but consistently broken.</p><figure style="margin:20px 0"><img src="https://research.checkpoint.com/wp-content/uploads/2026/04/Cover2.png" alt="10 Critical Flaws Behind VECT Ransomware's Accidental Wiper Behavior" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: research.checkpoint.com</figcaption></figure>
<h2 id="item7">7. Amateur Code: Self-Cancelling Obfuscation and Dead Code</h2>
<p>Beyond the nonce bug, CPR found numerous other programming mistakes. VECT's string obfuscation routine cancels itself out—the code obfuscates and then deobfuscates strings in memory, wasting CPU cycles without adding real protection. There are permanently unreachable anti-analysis code blocks, indicating leftover debugging stubs that were never removed. A thread scheduler intended to improve encryption performance actually degrades it due to poor logic. These amateur errors reveal a developer who may be capable of basic coding but lacks the rigor needed for reliable malware—let alone ransomware that must decrypt data.</p>
<h2 id="item8">8. The TeamPCP Supply-Chain Attack Partnership</h2>
<p>In March 2026, VECT announced a partnership with TeamPCP, the actor behind several high-profile supply-chain attacks. These attacks injected malware into widely used open-source tools like Trivy, Checkmarx KICS, LiteLLM, and Telnyx, affecting thousands of downstream consumers. VECT's goal was to exploit companies compromised by those attacks, using VECT ransomware to encrypt their systems. This partnership gave VECT immediate access to a pre-compromised victim base. However, the accidental wiper behavior means those victims would lose data permanently, potentially exposing both groups to legal and reputational blowback.</p>
<h2 id="item9">9. BreachForums: An Open Affiliate Network</h2>
<p>VECT also partnered with BreachForums, promising that every registered user would become an affiliate with access to the ransomware build, negotiation platform, and leak site. This unprecedented move lowers the barrier to entry for cybercriminals, turning a forum into an instant affiliate program. However, the flawed encryption means affiliates will deliver wiper functionality to their victims, undermining their own extortion efforts. Victims who pay will still lose data, damaging affiliates' credibility. This open model, combined with the technical flaws, suggests VECT's operators prioritized reach over reliability.</p>
<h2 id="item10">10. Conclusion: A Ransomware That Wipes Without Intent</h2>
<p>VECT presents a professional front with RaaS partnerships and polished advertisements, but behind the scenes it's an amateur project with catastrophic flaws. The nonce bug, misidentified cipher, fake features, and buggy code make VECT effectively a wiper for any file over 128 KB. For defenders, this means VECT attacks should be treated as destructive data-loss events, not ransomware incidents. Backup and recovery plans must assume full restoration is impossible. For the cybercriminal ecosystem, VECT is a cautionary tale: building a reliable ransomware is harder than it looks, and everyone—including attackers—pays for incompetence.</p>