VECT permanently destroys files over 128KB
- Check Point said on April 28 that VECT 2.0, a new ransomware-as-a-service strain, is accidentally wiping large files on Windows, Linux, and ESXi.
- The break point is 128 KB: files above 131,072 bytes lose three of their four decryption nonces, so even the attackers cannot restore them once a victim pays.
- That turns routine ransomware into destructive data loss, especially for VM disks, databases, backups, and other enterprise-sized files.
Ransomware is supposed to lock data, hold the key hostage, and turn recovery into a payment decision. VECT 2.0 breaks that model. Check Point’s April 28 analysis says this new cross-platform strain is mangling files larger than 128 KB on Windows, Linux, and ESXi because of a bug in how it handles encryption nonces. That means many victims would not be buying decryption at all; they would be paying after the data was already gone. (research.checkpoint.com)

### What is VECT 2.0?

VECT 2.0 is being pitched as ransomware-as-a-service, a franchise model in which the operators supply the malware and affiliates deploy it. It has shown up on BreachForums recruiting affiliates, and Check Point says the operators also announced a partnership with TeamPCP, the group tied to recent supply-chain compromises involving Trivy, LiteLLM, and Telnyx, plus an attack on the European Commission. (bleepingcomputer.com)

### What’s actually broken?

The malware splits “large” files into four chunks and encrypts each one separately to speed things up. That part is normal enough. The problem is the nonce handling. VECT generates a fresh ChaCha20-IETF nonce for each chunk, but it writes every nonce into the same memory buffer and only persists that buffer’s final contents, so only the fourth nonce reaches disk. The first three are overwritten and gone. A ChaCha20 keystream is derived from the key, the nonce, and the block counter, so without the nonce it cannot be regenerated, and the first three chunks cannot be decrypted by anyone, the operators included. (research.checkpoint.com)

### Why does 128 KB matter so much?

Because 128 KB is tiny. Check Point puts the cutoff at 131,072 bytes. That is smaller than plenty of ordinary business files, not just giant server images. Once a file crosses that line, VECT treats it as “large,” encrypts it as four chunks, and then loses the metadata needed to reverse most of that work. (research.checkpoint.com)

### Why is ESXi in the story?

ESXi is VMware’s hypervisor, the layer that runs virtual machines. Hit that, and one compromised host can take down many servers at once.
That is why Linux and ESXi lockers have become such valuable ransomware targets over the last few years. SentinelOne has shown how attackers increasingly go after hypervisors, turning a normal extortion event into something much closer to infrastructure sabotage. (research.checkpoint.com)

### Does this mean the attackers can’t decrypt either?

Yes, and that is the ugly part. The lost nonces are not kept locally and are not sent back to the operators either. So if a victim pays, there may be no working path to restore those files. Dark Reading summed up the practical implication well: victims should think twice before assuming a decryptor exists just because a ransom note says one does. (bleepingcomputer.com)

### Is this a one-off bug or part of a bigger trend?

The specific nonce bug looks like an implementation mistake. But the wider backdrop is real. Ransomware crews are fragmenting, rebranding fast, and pushing more Linux and ESXi tooling because it creates bigger operational damage with less effort. Cyble counted 57 new ransomware groups and 350-plus new strains in 2025, with Linux and ESXi targeting still growing into 2026. (cyble.com)

### So what should defenders take from this?

The lesson is simple but brutal: do not assume “ransomware” means recoverable encryption. In this case it behaves more like a wiper for the files enterprises care about most: VM disks, databases, backups, mailboxes, and routine documents above the threshold. If a restore plan depends on negotiating for a key, that plan is broken before the call starts. (bleepingcomputer.com)

### Bottom line?

VECT 2.0 matters because it collapses the old bargain at the center of ransomware. The criminals still ask for money, but the code may have already destroyed the leverage. For defenders, that pushes the priority back where it always should have been: isolated backups, segmented backup access, and restore testing that assumes the decryptor never comes. (research.checkpoint.com)
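To make the failure under “What’s actually broken?” concrete, here is an added simulation of the nonce-buffer bug. It is not VECT’s code and not from Check Point’s report: it models the behaviour the article describes (four chunks, a fresh ChaCha20-IETF nonce per chunk, one shared buffer, only the last nonce written out) next to a corrected encoder that keeps all four nonces, then shows what a decryptor holding the key can actually give back in each case. The chunking rule, footer layout, and function names are assumptions made for the illustration; the ChaCha20 is a plain-Python RFC 8439 implementation so the script runs with no third-party packages.

```python
"""Simulation of the VECT 2.0 nonce-buffer bug (added example, not VECT's code).

Assumptions for illustration only: a "large" file (> 131,072 bytes) is cut into
four equal chunks, each chunk is encrypted with ChaCha20-IETF under its own
12-byte nonce starting at block counter 1, and the nonces are stored in a
footer in chunk order.  The buggy encoder writes all four nonces into one
buffer and emits only its final contents; the fixed encoder emits all four.
"""
import os
import struct

LARGE_FILE_THRESHOLD = 131_072   # 128 KB cutoff reported by Check Point
CHUNKS = 4                       # "large" files are split four ways
NONCE_LEN = 12                   # ChaCha20-IETF nonce size


def is_large(size):
    """The article's 'large file' test: strictly above 128 KB."""
    return size > LARGE_FILE_THRESHOLD


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _qr(s, a, b, c, d):
    """RFC 8439 quarter round on four words of the state."""
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: key, counter and nonce all feed the state."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8L", key), counter & 0xFFFFFFFF,
             *struct.unpack("<3L", nonce)]
    w = state[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13)
        _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12)
        _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """ChaCha20-IETF keystream XOR (32-byte key, 12-byte nonce, 32-bit counter).
    XOR is self-inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def _chunks(plaintext):
    if not is_large(len(plaintext)):
        raise ValueError("chunked path is only used for files above 128 KB")
    chunk_len = -(-len(plaintext) // CHUNKS)      # ceiling division
    return chunk_len, [plaintext[i:i + chunk_len] for i in range(0, len(plaintext), chunk_len)]


def encrypt_large_buggy(key, plaintext):
    """The defect: every chunk gets a fresh nonce, but each one lands in the
    same buffer, so when the footer is written only nonce #4 still exists."""
    chunk_len, chunks = _chunks(plaintext)
    nonce_buf = bytearray(NONCE_LEN)         # the single shared buffer
    blob = bytearray()
    for chunk in chunks:
        nonce_buf[:] = os.urandom(NONCE_LEN)  # overwrites the previous nonce
        blob += chacha20_xor(key, bytes(nonce_buf), chunk)
    footer = bytes(nonce_buf)                # last nonce only: 12 bytes
    return bytes(blob), footer, chunk_len


def encrypt_large_fixed(key, plaintext):
    """Same scheme with every nonce retained; the footer is 4 x 12 bytes."""
    chunk_len, chunks = _chunks(plaintext)
    nonces = [os.urandom(NONCE_LEN) for _ in chunks]
    blob = b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, chunks))
    return blob, b"".join(nonces), chunk_len


def decrypt_large(key, blob, footer, chunk_len):
    """What a decryptor that holds the key can return, one entry per chunk:
    the plaintext, or None where that chunk's nonce never reached disk."""
    nonces = [footer[i:i + NONCE_LEN] for i in range(0, len(footer), NONCE_LEN)]
    missing = CHUNKS - len(nonces)           # leading chunks with no nonce
    out = []
    for i in range(CHUNKS):
        ct = blob[i * chunk_len:(i + 1) * chunk_len]
        out.append(None if i < missing else chacha20_xor(key, nonces[i - missing], ct))
    return out


def recovered_bytes(key, plaintext, encryptor):
    """Bytes a paying victim would actually get back under a given encoder."""
    blob, footer, chunk_len = encryptor(key, plaintext)
    parts = decrypt_large(key, blob, footer, chunk_len)
    return sum(len(p) for p in parts if p is not None)


if __name__ == "__main__":
    key = os.urandom(32)
    vm_disk_stand_in = os.urandom(256 * 1024)   # constructed 256 KB "large" file
    for enc in (encrypt_large_buggy, encrypt_large_fixed):
        got = recovered_bytes(key, vm_disk_stand_in, enc)
        print(f"{enc.__name__}: {got}/{len(vm_disk_stand_in)} bytes recoverable")
```

Run stand-alone, the buggy encoder gives back exactly one chunk of the 256 KB stand-in and the fixed one gives back all of it. The point the simulation makes is that the key is never the problem: the operators can hold a perfectly good key and still have nothing to sell, because the keystream for chunks one to three cannot be rebuilt from the key alone.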