VECT ransomware targets ESXi hosts

- Check Point said on April 28 that VECT 2.0, a new ransomware family hitting Windows, Linux, and ESXi, can permanently destroy victim files.
- The break happens above 128 KB: VECT mishandles ChaCha20 nonces, so large files lose decryption data and become unrecoverable even after payment.
- That matters most on ESXi, where one compromised hypervisor can take out many virtual machines and backups at once.

Ransomware is supposed to lock files and then sell the key back. VECT 2.0 breaks that bargain. The malware, which Check Point dissected on April 28, 2026, hits Windows, Linux, and VMware ESXi systems — but a coding flaw means many of the files it touches are not encrypted in a recoverable way at all. They are effectively wiped.

### What is VECT, exactly?

VECT is a ransomware-as-a-service operation — basically a criminal franchise. Check Point traced its first public appearance to December 2025 on a Russian-language cybercrime forum, with the group claiming its first victims in January 2026. The operators pitched affiliates, a negotiation platform, and a leak site, which is the usual modern ransomware bundle.

### Why are ESXi hosts the scary part?

An ESXi host is the hypervisor that runs many virtual machines on one physical server. Hit that layer, and you do not just lose one box — you can lose dozens or hundreds of workloads in one shot. That is why ransomware crews keep going after hypervisors, and why a broken encrypted backup images.

### What went wrong in VECT’s code?

The bug is in how VECT handles ChaCha20 nonces for larger files. For files above roughly 128 KB, the malware splits data into chunks but reuses the same memory buffer for nonce output. Each new chunk overwrites the previous nonce, and only the last one gets saved. That means the information needed to decrypt most of the file is gone for good.

### So can victims recover by paying?

Basically, no — at least not for those larger files. Check Point’s point was blunt: even the attackers cannot restore what their own malware has destroyed, because the missing nonce data is never preserved or sent anywhere. BleepingComputer’s summary of the research says only the last 25% of an affected large file remains recoverable, with the earlier portions unrecoverable.

### Does this affect only ESXi?

No. The same flaw shows up across the Windows, Linux, and ESXi variants. But ESXi gets the headline because virtualization concentrates risk. The files most likely to exceed the 128 KB threshold are also the files organizations care about most in a ransomware event — virtual disks, databases, archives, and backups.

### Why is this showing up now?

VECT got extra attention because the operators tried to scale fast. Check Point says the group advertised broadly for affiliates and also announced a partnership with TeamPCP, the actor tied to several March 2026 supply-chain attacks involving tools like Trivy, KICS, LiteLLM, and

### What should defenders take from this?

The main lesson is weird but important: a sloppy ransomware crew can be more destructive than a competent one. If VECT hits an ESXi environment, the usual “maybe we can negotiate” logic
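The nonce-handling failure described under "What went wrong in VECT’s code?" is easy to see in a small simulation. The Python below is an added illustration, not code from VECT or from Check Point’s analysis: it encrypts a constructed file in chunks with a fresh ChaCha20 nonce per chunk, once recording every nonce and once overwriting a single nonce buffer so that only the final nonce survives, and then measures how much someone holding the key could actually restore. The chunk size, the file size, the footer layout and the pure-Python RFC 8439 ChaCha20 are assumptions of the example; the page gives no detail of VECT’s chunking beyond the 128 KB threshold and the "last 25%" figure, which the four-chunk file here is sized to reproduce.

```python
import os
import struct

# --- Minimal ChaCha20 (RFC 8439) so the example runs on the standard library only ---

def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block for a 32-byte key, 32-bit counter and 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & 0xFFFFFFFF]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & 0xFFFFFFFF for i in range(16)))

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """XOR data with the ChaCha20 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

# --- Chunked encryption: nonce recorded per chunk vs. one overwritten nonce buffer ---

CHUNK = 32 * 1024  # constructed chunk size; VECT's real chunking parameters are not on the page

def encrypt_chunked(key: bytes, plaintext: bytes, keep_every_nonce: bool):
    """Encrypt in CHUNK-sized pieces, drawing a fresh 12-byte nonce for each chunk.

    keep_every_nonce=True  -> every nonce is written out next to its chunk (recoverable).
    keep_every_nonce=False -> models the reported defect: one nonce buffer is overwritten
                              on every chunk and only its final contents reach the footer.
    """
    nonce_buf = b""
    saved, chunks = [], []
    for off in range(0, len(plaintext), CHUNK):
        nonce_buf = os.urandom(12)  # the "buffer" is overwritten on each iteration
        chunks.append(chacha20_xor(key, nonce_buf, plaintext[off:off + CHUNK]))
        if keep_every_nonce:
            saved.append(nonce_buf)
    if not keep_every_nonce:
        saved = [nonce_buf]  # only the last chunk's nonce survives
    return chunks, saved

def recoverable_fraction(key: bytes, chunks, saved_nonces, original: bytes) -> float:
    """Fraction of the original bytes a decryptor holding `key` and `saved_nonces` restores.

    With one nonce per chunk it uses each in turn; with a single surviving nonce the best
    it can do is try that nonce on every chunk. Correctness is judged against `original`,
    which a real victim does not have, so this is a what-if measurement, not a recovery tool.
    """
    good = 0
    for i, ct in enumerate(chunks):
        nonce = saved_nonces[i] if len(saved_nonces) == len(chunks) else saved_nonces[-1]
        if chacha20_xor(key, nonce, ct) == original[i * CHUNK:(i + 1) * CHUNK]:
            good += len(ct)
    return good / len(original)

def simulate(file_size: int = 4 * CHUNK):
    """Constructed 128 KB 'file' in four equal chunks. Returns (fraction recoverable with
    every nonce kept, fraction recoverable with only the last nonce kept)."""
    key = os.urandom(32)
    original = os.urandom(file_size)
    ok_chunks, ok_nonces = encrypt_chunked(key, original, keep_every_nonce=True)
    bad_chunks, bad_nonces = encrypt_chunked(key, original, keep_every_nonce=False)
    return (recoverable_fraction(key, ok_chunks, ok_nonces, original),
            recoverable_fraction(key, bad_chunks, bad_nonces, original))

def rfc8439_vector_ok() -> bool:
    """Sanity check of the cipher against the RFC 8439 section 2.3.2 block test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16].hex() == "10f1e7e4d13b5915500fdd1fa32071c4"

if __name__ == "__main__":
    print(simulate())  # expected (1.0, 0.25): with the flaw only the final chunk decrypts
```

The measurement makes the article’s point concrete: the key is intact and the last chunk decrypts cleanly, but every earlier chunk was encrypted under a nonce that no longer exists anywhere, so a decryptor supplied after payment has nothing to work with. For incident responders this is an argument for treating large VECT-affected files as destroyed and for recovering from offline or immutable backups rather than from negotiation.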


Shared from Scout - Be the smartest in the room.