7 Critical Flaws in VECT Ransomware: How a Promising RaaS Became a Self-Destructing Wiper

In late 2025, a new ransomware-as-a-service (RaaS) called VECT emerged on Russian-language cybercrime forums, quickly gaining attention through a controversial partnership with the supply-chain attack group TeamPCP and a deal with BreachForums that made every registered user an affiliate. Yet beneath the professional marketing, Check Point Research discovered a catastrophic encryption flaw that renders VECT incapable of actually recovering files—even for the attackers themselves. This isn't just a bug; it's a fundamental design failure that turns what was supposed to be ransomware into a destructive wiper for any file larger than 128 KB. Here are the seven critical flaws you need to know about.

1. The 128 KB Threshold That Dooms Data Recovery

VECT's encryption engine permanently destroys large files instead of encrypting them. For every file larger than 131,072 bytes (128 KB), the file is processed as four chunks, each under its own nonce, and the implementation then discards three of the four nonces. With a stream cipher such as ChaCha20 the nonce is needed together with the key to regenerate the keystream, so a chunk whose nonce is gone cannot be decrypted by anyone, the operators included. Since most data that matters (documents, databases, VM disks, backups) is larger than 128 KB, VECT behaves as a wiper against nearly all enterprise assets. Check Point confirmed the flaw across all publicly available VECT versions, so recovery is impossible regardless of victim cooperation or ransom payment.

[Image source: research.checkpoint.com]

2. Misidentified Cipher: No Authentication, No Integrity

Contrary to several threat intelligence reports and VECT's own advertising, the ransomware does not use the ChaCha20-Poly1305 AEAD construction. It uses raw ChaCha20-IETF (the RFC 8439 cipher with a 96-bit nonce) with no authentication at all: the Poly1305 tag that would detect a wrong key, a wrong nonce or a modified ciphertext is absent. This is more than a naming error. Raw ChaCha20 is a keystream XOR, so flipping a bit in the ciphertext flips the same bit in the decrypted output and nothing signals the change; a decryptor fed a damaged file, or the wrong nonce, silently emits garbage instead of failing. When triaging a sample, the distinguishing check is whether each encrypted file or chunk carries a 16-byte authentication tag; in libsodium terms this is the difference between crypto_stream_chacha20_ietf_xor and crypto_aead_chacha20poly1305_ietf_encrypt. Its absence further undermines any pretense of professional design.
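To make flaws 1 and 2 concrete, here is an added Python model written for this article; it is not VECT's code and not code from the Check Point write-up. It implements ChaCha20-IETF per RFC 8439 in pure Python (checked against the RFC's own test vector), then applies a simplified version of the reported chunking: files over 131,072 bytes are split into four chunks encrypted under four fresh nonces, of which only the first is stored. The even four-way split, the on-disk record layout, and the decryptor's fallback of reusing the one surviving nonce are assumptions for illustration; the real layout of a VECT-encrypted file is not described here. The last function shows the malleability of unauthenticated ChaCha20: one XOR on the ciphertext changes the decrypted text with no error.

```python
import os
import struct

THRESHOLD = 131072   # 128 KB cut-off reported for VECT
CHUNKS = 4           # four-chunk logic reported for large files (even split is an assumption)
MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    # RFC 8439 quarter round on four words of the working state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit counter, 96-bit nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_ietf_xor(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: keystream XOR with no authentication tag (encrypt == decrypt)."""
    out = bytearray(len(data))
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        for i, b in enumerate(data[off:off + 64]):
            out[off + i] = b ^ ks[i]
    return bytes(out)


def rfc8439_known_answer():
    """First 16 ciphertext bytes of the RFC 8439 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    return chacha20_ietf_xor(key, nonce, msg, counter=1)[:16]


def vect_like_encrypt(plaintext, key):
    """Model of flaw 1: large files get four nonces, but only the first is kept."""
    if len(plaintext) <= THRESHOLD:
        nonce = os.urandom(12)
        return {"nonces": [nonce], "ct": chacha20_ietf_xor(key, nonce, plaintext),
                "chunk": max(len(plaintext), 1)}
    chunk = -(-len(plaintext) // CHUNKS)           # ceil division (assumed even split)
    nonces = [os.urandom(12) for _ in range(CHUNKS)]
    ct = b"".join(chacha20_ietf_xor(key, nonces[i], plaintext[i * chunk:(i + 1) * chunk])
                  for i in range(CHUNKS))
    return {"nonces": nonces[:1], "ct": ct, "chunk": chunk}   # three nonces discarded here


def vect_like_decrypt(blob, key):
    """Decryptor holding only the stored nonce; assumed to reuse it for every chunk."""
    nonce, chunk, ct = blob["nonces"][0], blob["chunk"], blob["ct"]
    return b"".join(chacha20_ietf_xor(key, nonce, ct[off:off + chunk])
                    for off in range(0, len(ct), chunk))


def chunk_recovery(plaintext, key):
    """Encrypt then decrypt; report per chunk whether the original bytes came back."""
    blob = vect_like_encrypt(plaintext, key)
    recovered = vect_like_decrypt(blob, key)
    chunk = blob["chunk"]
    return [plaintext[off:off + chunk] == recovered[off:off + chunk]
            for off in range(0, len(plaintext), chunk)]


def tamper_demo(key):
    """Model of flaw 2: without Poly1305 a ciphertext edit becomes a silent plaintext edit."""
    nonce = os.urandom(12)
    ct = bytearray(chacha20_ietf_xor(key, nonce, b"transfer 100 USD"))   # constructed sample
    ct[9] ^= ord("1") ^ ord("9")          # flip the amount's first digit in the ciphertext
    return chacha20_ietf_xor(key, nonce, bytes(ct))   # no tag to check, so no error


if __name__ == "__main__":
    key = os.urandom(32)
    print("RFC 8439 KAT:", rfc8439_known_answer().hex())
    print("small file chunks recovered:", chunk_recovery(os.urandom(4096), key))
    print("large file chunks recovered:", chunk_recovery(os.urandom(THRESHOLD + 4096), key))
    print("tampered decrypt:", tamper_demo(key))
```

Running it shows a 4 KB file round-tripping, a file just over 128 KB coming back with only its first quarter intact, and the tampered ciphertext decrypting to a different amount with no complaint from the cipher. An AEAD decrypt would have rejected that last case outright.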

3. Fake Performance Flags: --fast, --medium, --secure Silently Ignored

VECT advertises configurable encryption speed modes through command-line flags (--fast, --medium and --secure) on the Linux and ESXi variants. The flags are parsed and then silently ignored: every run applies the same hardcoded size thresholds whatever the operator selected. That points to either an unfinished feature or a deliberate misrepresentation meant to look sophisticated. For affiliates it means no performance tuning is possible; for analysts it means observed behaviour does not vary with the flag, so a captured command line is not a useful indicator of how a sample will behave.

4. One Flawed Engine Across Three Platforms

VECT targets Windows, Linux and ESXi, but all three variants share one encryption engine built on libsodium: the same file-size thresholds, the same four-chunk logic and the same nonce-handling flaw appear on every platform. That confirms VECT is a ported codebase rather than a build tailored to each target. It also means the outcome does not depend on what was hit; a Windows workstation, a Linux server or an ESXi hypervisor all lose every file over 128 KB. Platform diversity offers no protection here.


5. Professional Façade, Amateur Execution: Multiple Additional Bugs

Beyond the critical nonce flaw, Check Point identified several further bugs and design failures: self-cancelling string obfuscation (routines that undermine their own purpose), anti-analysis code on paths that can never execute, and a thread scheduler that slows encryption down rather than speeding it up. These mistakes undermine VECT's attempt to pass as a mature RaaS. They also make the samples easier to analyse and raise the likelihood of operational failures during an attack.

6. The TeamPCP Partnership: Amplifying Supply-Chain Risks

VECT gained notoriety through a partnership with TeamPCP, the actor behind supply-chain attacks that injected malware into popular software packages like Trivy, Checkmarx’ KICS, LiteLLM, and Telnyx in March 2026. These attacks affected a large base of downstream consumers. After these attacks made headlines, VECT announced the partnership on BreachForums, aiming to exploit companies already compromised by the supply-chain incidents. This alliance means VECT affiliates could gain access to pre-compromised networks, accelerating the ransomware lifecycle and increasing the destructive impact of the wiper flaw.

7. BreachForums Integration: Democratizing Ransomware Access

In an unprecedented move, VECT announced a partnership with BreachForums itself, promising that every registered forum user would become an affiliate. This grants users access to the VECT ransomware builder, negotiation platform, and leak site—all without typical vetting processes. While this expands VECT's reach, it also floods the ecosystem with unskilled operators who may be unaware of the wiper flaw. The result is a high volume of attacks that permanently destroy data, increasing collateral damage and diminishing any chance of recovery even if ransoms are paid.

Conclusion: VECT is a cautionary tale of how a well-marketed RaaS can be undone by implementation flaws. The nonce-handling bug turns every encrypted file over 128 KB into a permanent loss, and the misidentified cipher, the fake performance options and the amateur coding further erode any trust in the operation. Combined with the TeamPCP and BreachForums partnerships, VECT is a dangerous but self-defeating threat that destroys the data it promises to return, which makes it a wiper more than ransomware. For defenders the practical consequence is simple: treat a VECT incident as a wiper event, assume payment cannot restore files over 128 KB, and plan recovery around offline backups.
