If VECT, a newcomer to the ransomware scene, comes knocking at your organisation's door - do not pay the ransom! That's the call from researchers at leading global cyber security firm Check Point, which has been monitoring the emerging ransomware-as-a-service group. Together with partners BreachForums and TeamPCP (the supply-chain actor behind attacks on Trivy, LiteLLM, and other widely-used developer tools), VECT has built one of the largest ransomware affiliate networks seen to date.

"VECT's lockers permanently destroy large files rather than encrypting them," says Eli Smadja, Group Manager at Check Point Research. "That means even victims who pay the ransom cannot get their data back. The decryption keys simply don't exist. They were discarded at the moment of encryption by the malware itself. This impacts the files that matter most in an enterprise attack: VM disk images, databases, backups, and archives. For these file types, VECT is not ransomware. It is a data wiper with a ransom note attached."

VECT is being marketed as ransomware, but for any file over 131kb — which is most of what enterprises actually care about — it functions as a data destruction tool.

"What CISOs need to understand is that in a VECT incident, paying is not a recovery strategy," Smadja says. "There is no decrypter that can be handed over, not because the attackers are unwilling, but because the information required to build one was destroyed the moment their software ran."

In the event of a VECT attack, Smadja advises that the organisation's focus has to be on resilience: offline backups, tested recovery procedures, and rapid containment — not negotiation.

Other findings from the Check Point research team:

Prior industry reporting, including the group's own advertising, described VECT as using ChaCha20-Poly1305 AEAD encryption. CPR's analysis found this is incorrect: it uses a weaker, unauthenticated cipher with no integrity protection.

CPR believes VECT is more likely the work of newcomers than experienced operators, and cannot rule out that parts of the codebase are AI-generated. An unusual geofencing detail suggests the code may be based on a leaked pre-2022 ransomware build rather than written from scratch as claimed.

The encryption flaw exists across all versions. Windows, Linux, and ESXi variants are all affected. The bug has been present since before the public 2.0 release and has never been fixed.

A New Threat with an Ambitious Playbook

VECT emerged in late 2025 with an unusual ambition: rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, they opened their doors to everyone. Through a formal partnership with BreachForums, a major cybercrime marketplace, VECT distributed access to their ransomware platform to every registered member of the forum automatically. Thousands of potential operators, almost overnight.

At the same time, VECT announced a partnership with TeamPCP, the group responsible for a series of supply-chain attacks earlier this year that compromised popular software tools used by businesses worldwide. The stated goal, openly announced on BreachForums, was to use that existing access as a launchpad for ransomware attacks against companies already targeted by ransomware.

On paper, this looked like a serious and scalable threat. In practice, Check Point Research gained access to the affiliate panel and builder, analyzed all three payloads, and found something the group’s own operators may not know: their software is broken in a way that makes it far more destructive, and far less profitable, than intended.

Our researchers also believe VECT is more likely the work of newcomers than experienced ransomware operators. The pattern of errors, which are identical across every platform and uncorrected across every version, is not consistent with a seasoned group. The possibility that parts of the codebase were generated with AI assistance cannot be ruled out, and would help explain how a group could produce something that looks credible on the surface while containing fundamental mistakes underneath.

The Critical Flaw: It’s a Wiper, Not Ransomware

Ransomware is supposed to be reversible. The attacker locks your files, holds the key, and returns it when you pay. That’s the business model. VECT’s software breaks this model entirely, not by design, but by mistake.

When VECT encrypts large files, and virtually every file that matters to a business qualifies, it permanently discards the information needed to reverse the process. There is no key to hand back. The attacker cannot provide a working decryptor, not because they are unwilling, but because the means to decrypt no longer exists anywhere.

This affects the files ransomware groups typically use as their strongest leverage: virtual machine images, databases, backups, and archives. For these file types, VECT is not ransomware. It is a data wiper with a ransom note attached.

Check Point Research confirmed this flaw exists across all three versions of VECT’s software (Windows, Linux, and VMware ESXi) and has been present in every known version of the malware, including samples that predate the public 2.0 release. It has never been fixed.

Professional Appearance, Serious Gaps

VECT has invested heavily in looking legitimate. The affiliate panel is well-designed. The partnerships are real. The marketing is polished. But analysis of the actual code tells a different story.

Several features the group advertises to operators simply do not work. Encryption speed settings, offered as a way to balance speed and thoroughness, are accepted by the software and then silently ignored. Every attack runs identically regardless of what settings the operator chooses.

Security evasion tools designed to help VECT avoid detection were built and compiled into the software, but are never actually activated. Any security researcher can run VECT today with no evasive response from the malware itself.

These are not minor oversights. They are the kinds of errors that basic testing would catch, and they suggest a group that has prioritised the appearance of a professional operation over building one.

There is also evidence suggesting VECT may be built on a leaked ransomware codebase from before 2022, rather than being written from scratch as the group claims. A telling indicator is an unusual geofencing choice: VECT’s software is configured to avoid attacking targets in Ukraine, a country that most Russian-speaking ransomware groups stopped protecting after the 2022 war. Retaining that exclusion points to code inherited from an older source, not a deliberate ideological stance by the current operators.

What This Means for Your Organisation

If you’ve been hit:

Do not pay. For large files, which includes the vast majority of business-critical data, there is no functional decryptor and there never will be. Paying transfers money to criminals and returns nothing. Focus on recovery from clean backups and engage your incident response team immediately.

If you haven’t been hit:

VECT’s current limitations do not make it harmless. Data can still be exfiltrated before encryption runs. Systems still go down. And the flaws identified are correctable; a future version that fixes them, distributed through the same network that already has thousands of affiliates, would be significantly more dangerous. This group is worth watching.

Organisations with exposure to the recent TeamPCP supply-chain attacks, which targeted widely used developer tools including Trivy, KICS, LiteLLM, and Telnyx, should treat credential rotation as an immediate priority.

Check Point Threat Emulation and Harmony Endpoint provide full protection against all known VECT variants across Windows, Linux, and ESXi environments.

Indicators of Compromise

SHA-256                                                            Platform
a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2   ESXi
58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd   ESXi
e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06   Linux
8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d   Windows
9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f   Windows
e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a   Windows
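The hashes above are only useful if they are actually checked against files on disk. The following is an added example, not code from Check Point or from the article, showing how a responder can sweep a directory tree for the listed VECT payloads. The hash values are copied from the table; the files it creates in a temporary directory are constructed, harmless samples used only to exercise the scanner. Files are hashed in fixed-size chunks so that multi-gigabyte datastores (the VM images and backups the article describes) can be scanned without loading them into memory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# SHA-256 values and platform labels taken from the indicators of compromise table above.
VECT_IOCS = {
    "a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2": "ESXi",
    "58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd": "ESXi",
    "e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06": "Linux",
    "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d": "Windows",
    "9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f": "Windows",
    "e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a": "Windows",
}

CHUNK = 1 << 20  # hash 1 MiB at a time so large files are never read whole into memory


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used for small inputs and self-checks)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Streaming hex SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def match_ioc(digest: str) -> Optional[str]:
    """Return the platform label for a known VECT hash, or None if it is not on the list.
    Hashes are compared case-insensitively because tooling emits them in either case."""
    return VECT_IOCS.get(digest.strip().lower())


def scan(paths: Iterable[Path]) -> list[tuple[str, str, str]]:
    """Hash every regular file in `paths` and return (path, sha256, platform) for each IoC hit."""
    hits = []
    for p in paths:
        if p.is_file():
            digest = sha256_of_file(p)
            platform = match_ioc(digest)
            if platform:
                hits.append((str(p), digest, platform))
    return hits


def demo() -> int:
    """Constructed scenario: a temporary directory with two benign files. Returns the hit count."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files; their content is arbitrary text, not malware.
        (root / "vmware-1.log").write_bytes(b"constructed sample content, not a payload\n")
        (root / "notes.txt").write_bytes(b"another constructed file\n")
        hits = scan(root.rglob("*"))
        for path, digest, platform in hits:
            print(f"MATCH [{platform}] {path} {digest}")
        return len(hits)


if __name__ == "__main__":
    print(f"{demo()} IoC hit(s) in the constructed sample directory")
```

In a real sweep, replace the temporary directory with the datastore or host filesystem root and feed any hits to your incident response process; a hash match confirms presence of a known build, but the absence of a match does not clear a host, since affiliates can rebuild the payload with different bytes at any time.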

More details in the corporate and CPR blogs