

VECT 2.0 Ransomware Irreversibly Destroys Files Larger Than 131 KB on Windows, Linux and ESXi

VECT 2.0: More Wiper Than Ransomware

Security researchers are warning that the VECT 2.0 cybercriminal operation behaves more like a data-destruction tool than conventional ransomware because of a critical flaw in its encryption routine. The flaw makes recovery impossible, even for the attackers themselves, and it is present in the Windows, Linux, and ESXi variants alike.

Ordinary ransomware encrypts files so that they can be sold back for a ransom; VECT's encryption instead permanently destroys any file above a size threshold (131,072 bytes, or 128 KiB). Victims who pay will still not get that data back, because the malware discards the material needed for decryption while it encrypts.

Eli Smadja, group manager at Check Point Research, put it bluntly: “VECT is being marketed as ransomware, but for any file over 131KB, it functions as a data destruction tool.” For defenders, the conclusion is that paying the ransom cannot be part of the recovery plan; resilience measures such as offline, immutable backups and regularly tested restore procedures are the only dependable way back.

VECT launched as a ransomware-as-a-service (RaaS) operation in December 2025. Its affiliate program advertises a triple-extortion model, “Exfiltration / Encryption / Extortion,” and charges affiliates a $250 entry fee in Monero (XMR); applicants from Commonwealth of Independent States (CIS) countries are exempt from the fee.

Recent collaboration with the cybercrime marketplace BreachForums and the hacking group TeamPCP has streamlined the operation further, letting affiliates launch attacks with stolen data obtained elsewhere. This convergence of supply-chain credential theft, RaaS tooling, and dark-web forum recruitment amounts to an industrialized model of ransomware deployment.

Despite advertising strong encryption, VECT 2.0 uses a weaker cipher with no integrity protection, and its flawed implementation leaves any file larger than 131,072 bytes (128 KiB) unrecoverable once it has been encrypted. The loss is irreversible by design error rather than by intent, which makes the malware a serious destructive threat to any organization it reaches.
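The practical consequence of that threshold is that an incident responder can tell, before any negotiation, how much of an encrypted file set is already gone for good. The following script is an added example (not code from Check Point Research or from the VECT malware): it walks a directory tree, buckets files by the 131,072-byte threshold stated above, and reports the bytes that no ransom payment could bring back. It assumes only what the report states (files strictly larger than 131,072 bytes are unrecoverable) and treats the encrypted file's size as a proxy for the original's; the `.locked` suffix used for the constructed sample files is hypothetical, since the page does not name the extension VECT appends, and the sample tree is generated locally so the script runs offline.

```python
"""Post-incident triage: split an encrypted file set by VECT 2.0's size threshold.

Added example, not code from the Check Point report or from the malware.
Assumptions (labelled): the only criterion is the size stated in the report
(strictly larger than 131,072 bytes means unrecoverable); an encrypted file's
size stands in for the original's, and any header or trailer the malware may
add is unknown and ignored; the ".locked" suffix is hypothetical.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

THRESHOLD = 131_072  # 128 KiB; files strictly larger than this are lost


@dataclass
class TriageReport:
    recoverable: list[tuple[str, int]] = field(default_factory=list)
    unrecoverable: list[tuple[str, int]] = field(default_factory=list)

    @property
    def lost_bytes(self) -> int:
        return sum(size for _, size in self.unrecoverable)

    @property
    def recoverable_bytes(self) -> int:
        return sum(size for _, size in self.recoverable)


def classify(size: int, threshold: int = THRESHOLD) -> str:
    """'unrecoverable' only for sizes strictly above the threshold (boundary stays recoverable)."""
    return "unrecoverable" if size > threshold else "recoverable"


def triage(root: str | os.PathLike, suffix: str | None = None,
           threshold: int = THRESHOLD) -> TriageReport:
    """Walk `root`; optionally keep only files ending in `suffix` (the
    extension the ransomware appends, hypothetical here); bucket by size."""
    report = TriageReport()
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if suffix is not None and not path.name.endswith(suffix):
            continue
        size = path.stat().st_size
        rel = str(path.relative_to(root))
        if classify(size, threshold) == "unrecoverable":
            report.unrecoverable.append((rel, size))
        else:
            report.recoverable.append((rel, size))
    return report


def build_sample_tree() -> str:
    """Create a constructed sample tree (zero-filled files) for an offline run."""
    root = tempfile.mkdtemp(prefix="vect-triage-")
    samples = {
        "notes.txt.locked": 4_096,
        "exactly_threshold.db.locked": THRESHOLD,      # boundary: still recoverable
        "one_over.db.locked": THRESHOLD + 1,           # boundary: lost
        "vm/disk.vmdk.locked": 8 * 1024 * 1024,        # typical large victim file
        "README.txt": 512,                             # untouched, no suffix
    }
    for rel, size in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    return root


def summarize(report: TriageReport) -> str:
    """Human-readable summary listing every file that is gone regardless of payment."""
    total = report.lost_bytes + report.recoverable_bytes
    pct = (100.0 * report.lost_bytes / total) if total else 0.0
    lines = [
        f"recoverable files  : {len(report.recoverable)}",
        f"unrecoverable files: {len(report.unrecoverable)}",
        f"bytes lost regardless of payment: {report.lost_bytes} ({pct:.1f}%)",
    ]
    for rel, size in report.unrecoverable:
        lines.append(f"  LOST  {size:>10}  {rel}")
    return "\n".join(lines)


if __name__ == "__main__":
    root = build_sample_tree()
    print(summarize(triage(root, suffix=".locked")))
```

Run against a real share, point `triage()` at the mount and pass whatever suffix the samples in your environment actually carry; leave `suffix` as `None` to count every file. The boundary case matters: a file of exactly 131,072 bytes is classified as recoverable, matching the report's "larger than" wording, so the count of lost files is a floor that any unknown per-file overhead added by the malware could only push upward.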


The Windows build of VECT 2.0 carries anti-analysis features, persistence that survives Safe Mode, and remote-execution capabilities for lateral movement. The ESXi variant adds geofencing and anti-debugging checks, and the Linux build shares most of the same functionality.

The ESXi variant's geofencing skips systems in CIS countries. A CIS exclusion is a familiar trait of ransomware from Russian-speaking ecosystems and is consistent with the affiliate program's fee waiver for CIS applicants, yet it sits oddly beside the amateurish encryption bug. That contrast raises questions about where VECT's codebase came from and how skilled its operators really are.

Check Point Research suggests that VECT's operators may be novices, possibly relying on AI-generated code. Whatever the cause, the gap between the operation's ambitious marketing and its broken technical implementation is the defining feature of VECT 2.0.
