VECT 2.0 Corrupts Files Over 131KB on Windows, Linux, ESXi

A flaw in VECT 2.0 destroys files larger than 131,072 bytes on Windows, Linux and ESXi, making recovery impossible even if victims pay ransom, researchers say.

Security researchers report that the ransomware family VECT 2.0 irreversibly destroys files larger than 131,072 bytes on Windows, Linux and ESXi systems. The defect prevents reconstruction of most enterprise files even if victims pay a ransom.

Technical analysis shows the malware splits large files into four equal chunks and encrypts each chunk with a newly generated 12-byte nonce. Only the final nonce is written to disk; the first three nonces are generated, used and discarded. Because the ChaCha20-IETF cipher requires the exact 12-byte nonce and the 32-byte key to decrypt each chunk, the three missing nonces make those portions of the files unrecoverable.
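To make the failure mode concrete, the following added example (not code from Check Point's report or from the malware itself) models the described chunk-and-discard scheme with a pure-Python RFC 8439 ChaCha20 and shows that a decrypter holding only the surviving nonce can restore just the last of the four chunks. Chunk boundaries, the block counter starting at 0 and the use of `os.urandom` for nonces are assumptions of this model, not details from the report.

```python
import os, struct

MASK = 0xFFFFFFFF
CHUNKS = 4  # the report says large files are split into four equal chunks

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    # RFC 8439 state: constants | 32-byte key | 32-bit block counter | 12-byte nonce
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
        _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
        _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, init)])

def chacha20_ietf(key, nonce, data, counter=0):
    """ChaCha20-IETF stream (32-byte key, 12-byte nonce); XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def _bounds(n):
    return [n * i // CHUNKS for i in range(CHUNKS + 1)]

def encrypt_like_vect(key, data):
    """Model of the reported defect: a fresh nonce per chunk, only the last one kept."""
    b, blob, nonce = _bounds(len(data)), b"", None
    for i in range(CHUNKS):
        nonce = os.urandom(12)  # assumption: first three nonces are used once and dropped
        blob += chacha20_ietf(key, nonce, data[b[i]:b[i + 1]])
    return blob, nonce          # the stored nonce is all a decrypter would ever get

def recoverable_chunks(key, data):
    """Which chunks come back when the only surviving nonce is applied to every chunk."""
    blob, nonce = encrypt_like_vect(key, data)
    b = _bounds(len(data))
    return [chacha20_ietf(key, nonce, blob[b[i]:b[i + 1]]) == data[b[i]:b[i + 1]]
            for i in range(CHUNKS)]
```

`recoverable_chunks(key, data)` returns `[False, False, False, True]` for any non-trivial input: with the key and the one stored nonce, three quarters of the file are keystream-XORed garbage that no payment can undo.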

Eli Smadja, group manager at Check Point Research, warned that VECT “is being marketed as ransomware, but for any file over 131KB … it functions as a data destruction tool.” He added that paying will not restore data because the information needed to build a decrypter is erased when the malware runs.

VECT 2.0 operates as a ransomware-as-a-service program. The affiliate program launched in December 2025 and the group’s portal promotes “Exfiltration / Encryption / Extortion.” New affiliates reportedly pay a $250 entry fee in Monero, with the fee waived for applicants from Commonwealth of Independent States countries. Recent activity shows formal links with a cybercrime marketplace and the TeamPCP hacking group; the VECT leak site currently lists two victims said to have been compromised via TeamPCP supply-chain attacks.

The Windows build contains anti-analysis routines that target 44 security and debugging tools, a safe-mode persistence option that schedules execution on the next Safe Mode boot, and remote-execution templates to support lateral movement. Check Point noted that environment-detection code is present in the Windows samples they examined but was not executed.

The ESXi and Linux variants share a common codebase. The ESXi version performs geofencing and anti-debugging checks before acting and attempts lateral spread via SSH. The Linux variant implements a subset of ESXi functionality. Both builds include a check that exits if the malware detects it is running in a CIS country; the list of excluded countries includes Ukraine. Researchers suggested the geofencing code may come from an older project or could have been generated with AI assistance.

Check Point assessed the operators are likely inexperienced and that parts of the code may have been reused or automatically generated. The researchers recommended organizations treat a VECT incident as a data-loss event and prioritize offline backups, tested recovery procedures and rapid containment rather than ransom negotiation.
