Published on April 29, 2026
New VECT 2.0 Ransomware Destroys Files Over 128 KB Across Windows, Linux, and ESXi
Severity
Medium
Detail
A newly identified ransomware strain, VECT 2.0, is raising serious concern across the cybersecurity community due to a critical design flaw that makes it far more destructive than typical ransomware. Instead of reliably encrypting files for ransom, it permanently corrupts any file larger than 128 KB, effectively turning the attack into irreversible data destruction.
The malware operates under a Ransomware-as-a-Service model and has expanded rapidly across Windows, Linux, and VMware ESXi environments.
How?
The VECT campaign began gaining traction after its emergence on underground forums in late 2025, followed by rapid evolution into version 2.0 in early 2026. Its distribution model became more dangerous after collaborations with groups like TeamPCP and exposure on BreachForums, where affiliates were given open access to deploy the ransomware without strict vetting. This dramatically lowered the barrier to entry, enabling a wider pool of attackers to launch campaigns.
Once executed on a victim system, VECT 2.0 begins encrypting files using the ChaCha20-IETF cipher via the libsodium library. Files are renamed with a “.vect” extension, and a ransom note titled “!!!READ_ME!!!.txt” is dropped.
However, the attack chain reveals a major flaw. For files larger than 128 KB, the malware splits them into four chunks and encrypts each chunk separately. For each chunk it generates a new random nonce, a value that must be presented again at decryption time. Instead of securely storing all four nonces, the malware writes each one into the same shared memory buffer, so every new nonce overwrites the previous one and only the final nonce survives.
This breaks the entire decryption process. Since proper decryption with ChaCha20 requires the exact nonce used for each chunk, the first three portions of every large file become permanently unrecoverable. The missing nonces are never saved locally or transmitted to the attacker’s server, meaning even the attackers themselves cannot restore the data.
As a result, critical assets such as databases, virtual machine disks, backups, and enterprise documents are effectively destroyed rather than held hostage. This flaw exists across all variants of VECT 2.0 and was present even before its official release, indicating poor development practices.
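The nonce-overwrite failure described above, reproduced on an in-memory buffer as an added example (not code from the report or from the malware): a pure-Python ChaCha20 written from RFC 8439 stands in for libsodium's ChaCha20-IETF, a constructed 4 KB random buffer stands in for a file over 128 KB, the four-way split comes from the report, and the single shared nonce slot is the flaw. Decrypting with the correct key and the only surviving nonce recovers just the last chunk, which is why paying the ransom cannot bring the data back.

```python
import os
import struct

# Pure-Python ChaCha20 (RFC 8439 "IETF" form: 32-byte key, 12-byte nonce,
# 32-bit block counter). Written from the RFC for this demonstration only;
# it is not libsodium and is far too slow for real use.
MASK32 = 0xFFFFFFFF

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt `data`; the same call with the same key and nonce undoes itself."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], keystream))
    return bytes(out)

def rfc8439_self_check():
    """RFC 8439 section 2.4.2 vector: first 8 ciphertext bytes must be 6e2e359a2568f980."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, pt, counter=1)[:8] == bytes.fromhex("6e2e359a2568f980")

# --- The flaw from the report, reproduced on an in-memory buffer ---
CHUNKS = 4                                   # large files are split into four pieces

def split_chunks(data, n=CHUNKS):
    size = -(-len(data) // n)                # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]

def encrypt_with_shared_nonce_slot(key, data):
    """Encrypt each chunk under a fresh random nonce, but keep every nonce in one
    shared slot so each new nonce overwrites the last. Returns the ciphertext
    chunks and the only nonce that survives: the final one."""
    nonce_slot = None
    ct_chunks = []
    for chunk in split_chunks(data):
        nonce_slot = os.urandom(12)          # overwrites the previous chunk's nonce
        ct_chunks.append(chacha20_xor(key, nonce_slot, chunk))
    return ct_chunks, nonce_slot

def recoverable_chunks(key, ct_chunks, surviving_nonce, original):
    """Decrypt every chunk with the one surviving nonce and report which chunks
    come back intact. Even with the correct key, only the last one does."""
    return [chacha20_xor(key, surviving_nonce, c) == p
            for c, p in zip(ct_chunks, split_chunks(original))]

def demo(size=4096):
    """Constructed stand-in for a file over 128 KB; returns per-chunk recovery flags."""
    key = os.urandom(32)
    sample = os.urandom(size)
    ct, nonce = encrypt_with_shared_nonce_slot(key, sample)
    return recoverable_chunks(key, ct, nonce, sample)

if __name__ == "__main__":
    print("RFC 8439 self-check:", rfc8439_self_check())
    print("chunks recoverable with key + surviving nonce:", demo())
```

The result is [False, False, False, True]: three quarters of every large file are gone. No brute force helps either, since a 96-bit random nonce leaves 2^96 candidates per chunk and nothing on disk or at the attacker's server records which one was used.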
Conclusion
VECT 2.0 represents a dangerous shift: ransomware that, through a bug rather than by design, effectively acts as a data wiper, eliminating any possibility of recovery regardless of ransom payment.
Organizations must prioritize strong defensive measures, including maintaining offline and air-gapped backups, monitoring for mass file modifications and suspicious system changes, and validating third-party software dependencies. Given its links to broader supply chain threats, preventing initial access is just as critical as detecting the ransomware itself.
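One way to turn the "monitor for mass file modifications" advice into detection logic, as an added example that is not part of the original advisory: a small scanner over file-system event records that raises an alert on a burst of renames to the ".vect" extension on one host within a short window, and on creation of the "!!!READ_ME!!!.txt" note. The event line format, host names, paths, the 60-second window and the five-rename threshold are constructed assumptions; the extension and note name come from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

RANSOM_EXT = ".vect"                 # extension reported for VECT 2.0
RANSOM_NOTE = "!!!READ_ME!!!.txt"    # ransom note name reported for VECT 2.0
WINDOW_SECONDS = 60                  # assumed sliding window
RENAME_THRESHOLD = 5                 # assumed renames-per-host-per-window trigger

# Constructed event format: "<ISO-8601 UTC> <host> <CREATE|RENAME> <path[ -> newpath]>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<op>CREATE|RENAME) (?P<path>.+)$")

# Constructed sample events: fs01 shows an encryption burst plus the note,
# fs02 shows a benign rename and a single .vect rename below the threshold.
SAMPLE_EVENTS = """\
2026-04-29T10:00:01Z fs01 RENAME /srv/data/q1.xlsx -> /srv/data/q1.xlsx.vect
2026-04-29T10:00:02Z fs01 RENAME /srv/data/q2.xlsx -> /srv/data/q2.xlsx.vect
2026-04-29T10:00:02Z fs02 RENAME /home/u/notes.txt -> /home/u/notes.txt.bak
2026-04-29T10:00:03Z fs01 RENAME /srv/data/plan.docx -> /srv/data/plan.docx.vect
2026-04-29T10:00:04Z fs01 RENAME /srv/data/db.sqlite -> /srv/data/db.sqlite.vect
2026-04-29T10:00:05Z fs01 RENAME /srv/data/vm1.vmdk -> /srv/data/vm1.vmdk.vect
2026-04-29T10:00:06Z fs01 CREATE /srv/data/!!!READ_ME!!!.txt
2026-04-29T10:05:00Z fs02 RENAME /home/u/old.iso -> /home/u/old.iso.vect
"""

def parse_line(line):
    """Return (timestamp, host, op, path) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["op"], m["path"]

def detect(lines):
    """Scan event lines in order; return a list of (host, reason, path) alerts."""
    alerts = []
    recent = defaultdict(deque)      # host -> timestamps of recent .vect renames
    burst_flagged = set()            # hosts already alerted for a rename burst
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, op, path = parsed
        if op == "CREATE" and path.rsplit("/", 1)[-1] == RANSOM_NOTE:
            alerts.append((host, "ransom note created", path))
        if op == "RENAME":
            new_name = path.split(" -> ")[-1]
            if new_name.endswith(RANSOM_EXT):
                q = recent[host]
                q.append(ts)
                # Drop renames that fell out of the sliding window.
                while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD and host not in burst_flagged:
                    burst_flagged.add(host)
                    alerts.append((host,
                                   f"{len(q)} renames to {RANSOM_EXT} within {WINDOW_SECONDS}s",
                                   new_name))
    return alerts

if __name__ == "__main__":
    for host, reason, path in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {host}: {reason} ({path})")
```

Run against the sample, this raises two alerts for fs01 (the rename burst on the fifth rename, then the note) and none for fs02. In production the same logic would sit on auditd, Sysmon or ESXi audit feeds; the threshold should be tuned per share, and a burst alert is worth acting on before the note appears, since by then the encryption pass is well underway.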
Source
https://cybersecuritynews.com/new-vect-2-0-ransomware-destroys-files/
