


Perceptive Security
SOC/SIEM Consultancy

VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi
Published:
28 April 2026 at 14:01:00
Alert date:
28 April 2026 at 15:01:28
Source:
thehackernews.com
Ransomware & Malware, Operating Systems, Cloud & Virtualization
VECT 2.0 ransomware contains a critical flaw in its encryption implementation that causes it to act more like a wiper than ransomware. The malware permanently destroys files larger than 131KB rather than recoverably encrypting them, making recovery impossible even for the threat actors themselves. This affects Windows, Linux, and ESXi systems. Because of the implementation flaw, victims cannot recover their data even if they pay the ransom, making this a particularly destructive piece of malware.
Technical details
VECT 2.0 ransomware has a critical flaw that causes files larger than 131,072 bytes to be permanently destroyed rather than encrypted. The malware encrypts four independent chunks of each large file using four random 12-byte nonces but appends only the final nonce to the encrypted file on disk. The first three nonces are generated, used, and discarded without being stored, making recovery impossible even with payment. The ransomware uses ChaCha20-IETF encryption, which requires both the 32-byte key and the exact matching 12-byte nonce for each chunk. The Windows variant includes anti-analysis checks targeting 44 security tools, safe-mode persistence, and lateral movement capabilities. The ESXi variant implements geofencing and anti-debugging checks and attempts SSH lateral movement. Both the ESXi and Linux versions check whether they are executing in a CIS country and exit without encrypting if so.
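To show why the discarded nonces defeat recovery even for someone holding the key, here is an added Python model (not code from the page, the Check Point write-up, or the malware itself): a pure-Python RFC 8439 ChaCha20 routine encrypts four chunks with fresh nonces, keeps only the last one, and a decryptor given the correct key gets back only the fourth chunk. The key, chunk layout and sample data are constructed for the demonstration; the real threshold is 131,072 bytes.

```python
import os
import struct
MASK = 0xFFFFFFFF
CHUNKS = 4  # the page describes four independently encrypted chunks

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    # RFC 8439 state: constants, 256-bit key, 32-bit counter, 96-bit (IETF) nonce
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8L", key), counter, *struct.unpack("<3L", nonce)]
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_ietf_xor(key, nonce, data):
    """ChaCha20-IETF keystream (32-byte key, 12-byte nonce, counter from 0) XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], _block(key, i // 64, nonce)))
    return bytes(out)

def model_flawed_encryption(key, data):
    """Model of the described flaw: every chunk gets a fresh random nonce, but only
    the nonce of the final chunk is appended to the ciphertext; the others are dropped."""
    size = -(-len(data) // CHUNKS)
    out, nonce = b"", None
    for i in range(CHUNKS):
        nonce = os.urandom(12)  # the first three are never written anywhere
        out += chacha20_ietf_xor(key, nonce, data[i * size:(i + 1) * size])
    return out + nonce

def decryptor_attempt(key, blob):
    """Best effort of a decryptor that holds the key: the stored nonce only
    matches the last chunk, so the first three decrypt to keystream garbage."""
    nonce, ct = blob[-12:], blob[:-12]
    size = -(-len(ct) // CHUNKS)
    return [chacha20_ietf_xor(key, nonce, ct[i * size:(i + 1) * size]) for i in range(CHUNKS)]
```

Running `decryptor_attempt` on the output of `model_flawed_encryption` returns the original fourth chunk and three unrecoverable chunks, which is the wiper behaviour the report describes.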
Mitigation steps:
Focus on resilience rather than negotiation, as paying the ransom will not recover data. Implement offline backups, tested recovery procedures, and rapid containment. Do not rely on decryption as a recovery strategy, since the material needed for decryption (the per-chunk nonces) is discarded during the encryption process. Strengthen backup and disaster recovery capabilities.
Affected products:
Windows
Linux
ESXi
Related links:
https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
https://www.halcyon.ai/ransomware-alerts/emerging-ransomware-group-vect
https://www.cyfirma.com/news/weekly-intelligence-report-03-april-2026/
https://www.dsci.in/files/content/advisory/2026/threat-report-feb-2026.pdf
https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html
https://thehackernews.com/2026/04/weekly-recap-vercel-hack-push-fraud.html
https://developers.google.com/tink/aead
Related CVEs:
Related threat actors:
IOCs:
Files over 131KB permanently destroyed, ChaCha20-IETF encryption implementation, Safe-mode persistence mechanism, Registry modifications for auto-execution, SSH lateral movement attempts, Geofencing checks for CIS countries, Anti-analysis evasion targeting 44 security tools
This article was created with the assistance of AI technology by Perceptive.
