Severe technical flaw discovered in VECT 2.0 ransomware makes decryption impossible

Researchers have identified a critical technical flaw in the VECT 2.0 ransomware. According to available information, instead of encrypting large files, the malware irreversibly destroys them, making data recovery impossible even in cases where the ransom is paid.

It is noted that VECT 2.0 operates under the ransomware-as-a-service (RaaS) model and targets Windows, Linux and ESXi systems. Files larger than 131 KB are encrypted in four separate chunks, each under its own nonce. Because of a defect in how those nonces are handled, only the nonce belonging to the final chunk is written to disk; the nonces for the first three chunks are discarded, and without them the keystream for those chunks cannot be regenerated. In theory, therefore, only about 25 percent of such a file can be recovered, and only with a working decryptor.

According to the findings, the lost nonces are neither stored within the system nor transmitted to the attackers. This means that VECT operators are unable to provide a functional decryption tool even to victims who choose to pay the ransom. Due to this characteristic, VECT 2.0 is assessed to function more as a data destruction tool rather than a conventional ransomware operation.
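The following model illustrates why the flaw described in the two paragraphs above is unrecoverable. It is an added example, not VECT code and not derived from a sample: the report does not name the cipher, so an HMAC-SHA256 counter-mode keystream stands in for it, and the 12-byte nonce, the footer layout (nonce appended after the ciphertext) and the single-chunk path for files at or below 131 KB are assumptions of the model. `encrypt_buggy` regenerates the nonce per chunk but writes only the last one; `encrypt_fixed` writes all four. `recovered_chunks` encrypts a constructed file, decrypts it with whatever the footer holds, and reports which chunks came back intact.

```python
"""Model of the chunked-encryption nonce flaw attributed to VECT 2.0.

Added illustration, not malware code. Cipher, nonce size, footer layout and
the small-file path are assumptions; the report only states that files over
131 KB are split into four chunks and that only the final nonce reaches disk.
"""
import hashlib
import hmac
import os
import struct

CHUNK_THRESHOLD = 131 * 1024   # 131 KB: files above this are split (from the report)
NUM_CHUNKS = 4                 # number of chunks (from the report)
NONCE_LEN = 12                 # assumed nonce size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_chunks(data: bytes, n: int) -> list[bytes]:
    """Split data into exactly n contiguous chunks of near-equal size."""
    base, extra = divmod(len(data), n)
    chunks, pos = [], 0
    for i in range(n):
        size = base + (1 if i < extra else 0)
        chunks.append(data[pos:pos + size])
        pos += size
    return chunks


def chunk_count(length: int) -> int:
    """Assumed policy: one chunk up to the threshold, NUM_CHUNKS above it."""
    return NUM_CHUNKS if length > CHUNK_THRESHOLD else 1


def encrypt_buggy(plaintext: bytes, key: bytes) -> bytes:
    """Each chunk gets a fresh nonce, but the footer receives only the last one.

    The earlier nonces exist only in the loop variable and are overwritten,
    never written to disk or sent anywhere, so no party can rebuild them.
    """
    body = bytearray()
    nonce = b""
    for chunk in split_chunks(plaintext, chunk_count(len(plaintext))):
        nonce = os.urandom(NONCE_LEN)          # previous nonce is lost here
        body += xor_bytes(chunk, keystream(key, nonce, len(chunk)))
    return bytes(body) + nonce                 # footer: final nonce only


def encrypt_fixed(plaintext: bytes, key: bytes) -> bytes:
    """Same layout, but every chunk's nonce is appended to the footer."""
    body, nonces = bytearray(), bytearray()
    for chunk in split_chunks(plaintext, chunk_count(len(plaintext))):
        nonce = os.urandom(NONCE_LEN)
        nonces += nonce
        body += xor_bytes(chunk, keystream(key, nonce, len(chunk)))
    return bytes(body) + bytes(nonces)


def decrypt(blob: bytes, key: bytes, n_nonces: int) -> list[bytes]:
    """Decrypt chunk by chunk with the nonces the footer actually holds.

    When the footer holds fewer nonces than there are chunks, the last stored
    nonce is reused for the rest: the only option a decryptor has, and the
    reason the first three chunks come back as garbage.
    """
    footer_len = NONCE_LEN * n_nonces
    body, footer = blob[:-footer_len], blob[-footer_len:]
    nonces = [footer[i:i + NONCE_LEN] for i in range(0, footer_len, NONCE_LEN)]
    out = []
    for i, chunk in enumerate(split_chunks(body, chunk_count(len(body)))):
        nonce = nonces[i] if i < len(nonces) else nonces[-1]
        out.append(xor_bytes(chunk, keystream(key, nonce, len(chunk))))
    return out


def recovered_chunks(plaintext: bytes, key: bytes, fixed: bool) -> list[bool]:
    """Encrypt, decrypt from the footer, and report which chunks survived."""
    n_chunks = chunk_count(len(plaintext))
    blob = (encrypt_fixed if fixed else encrypt_buggy)(plaintext, key)
    n_nonces = n_chunks if fixed else 1
    original = split_chunks(plaintext, n_chunks)
    return [a == b for a, b in zip(original, decrypt(blob, key, n_nonces))]


if __name__ == "__main__":
    key = os.urandom(32)
    sample = os.urandom(200 * 1024)            # constructed 200 KB "file"
    print("buggy footer:", recovered_chunks(sample, key, fixed=False))
    print("fixed footer:", recovered_chunks(sample, key, fixed=True))
```

With the buggy footer the result for any file over the threshold is three failed chunks and one intact chunk, whatever key is used: the key was never the problem, and handing over a correct key (the only thing a ransom would normally buy) cannot recreate nonces that were never stored. A file at or below the threshold, which under the model is encrypted as a single chunk, decrypts in full.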

Experts emphasize that the 131 KB threshold is exceptionally low for modern corporate environments. Most enterprise-critical files, including virtual machine disk files, databases, backups, mailboxes, spreadsheets and standard office documents exceed this size. Consequently, VECT 2.0 infections pose a significant risk of irreversible data loss for organizations.

The Windows variant of the malware targets files across local, removable and network-accessible storage environments. In addition, it includes capabilities designed to evade analysis and security tools, establish persistence through Windows Safe Mode and facilitate lateral movement within the network. The Linux and ESXi variants are based on a similar codebase, while the ESXi version additionally implements geofencing and anti-debugging mechanisms.

Researchers assess that the VECT operators appear to be novice cybercriminals rather than experienced threat actors. In their view, although the project is presented as a professional ransomware operation, its technical implementation is significantly flawed, causing it to function more as a destructive data wiper than a traditional ransomware strain.

© 2011-2026 All rights reserved