VECT 2.0 Ransomware Compromises File Recovery for Victims
Severity: High (Score: 68.0)
Sources: Morphisec, www.morphisec.com, Gbhackers, Cybersecuritynews
Keywords: vect, ransomware, files, recovery, leave, even, decryptor
Severity indicators: ransomware
Summary
VECT 2.0 ransomware has emerged as a significant threat, leaving victims unable to recover files even with the attackers' decryptor. The ransomware's design discards the nonces for earlier parts of large files, so encryption is incomplete and the files are left damaged. The Windows-specific implementation introduces additional errors, such as buffer-size mismatches and inconsistent file processing. As a result, files can be renamed with a .vect suffix while remaining only partially encrypted or being damaged outright. Ordinary business documents, PDFs, and databases are at risk, because VECT targets accessible folders while excluding certain system directories. Morphisec highlights the need for prevention-first security to combat this ransomware effectively. The situation is critical: the ransomware's design flaws hinder recovery even after the ransom is paid.

Key Points:
- VECT 2.0 ransomware can leave files irreparably damaged, even with a decryptor.
- The ransomware's design flaws affect large-file encryption and processing.
- Victims may pay the ransom but still face significant data loss due to implementation errors.
Detailed Analysis
**Impact**
Victims of VECT 2.0 ransomware include organizations holding accessible business data such as documents, PDFs, archives, backups, databases, and virtual disks on Windows systems. The ransomware's flawed encryption process can leave files renamed, partially encrypted, or corrupted beyond recovery, even when the attacker's own decryptor is used. The result is permanent data loss and operational disruption, particularly for sectors that depend on large file storage and backup integrity. No specific geographic or sectoral data is provided.

**Technical Details**
VECT 2.0 targets Windows environments by scanning accessible folders while excluding system directories and executable files (.exe, .dll, .sys). It renames files with a .vect suffix before encrypting them, but design flaws (loss of nonces for large files and buffer-size mismatches) mean files may be only partially encrypted or corrupted. Race conditions in concurrent processing leave files in inconsistent states. The ransomware uses ChaCha20 encryption with a 12-byte nonce appended as minimal metadata; because ChaCha20 decryption requires the same nonce that was used for encryption, any segment whose nonce was discarded cannot be restored even with the correct key. No CVEs or infrastructure details are mentioned.

**Recommended Response**
Defenders should prioritize prevention technologies capable of blocking VECT's execution and file modifications, since recovery is unreliable. Monitoring for unexpected file renaming with a .vect suffix and for partial file encryption patterns is advised. No patches or specific CVEs are identified, so the focus should be on endpoint detection and response (EDR) solutions that detect anomalous file access and encryption behavior. Organizations should maintain offline backups and validate their integrity regularly.
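The monitoring advice above (watching for .vect renames and for partial-encryption patterns) can be turned into a simple triage scan. The following Python is an added example written for this page, not code from Morphisec or any of the cited articles. It assumes the .vect suffix reported above, a 4 KB scan chunk size and a 7.0 bits/byte entropy threshold (neither value is VECT's own), and it builds a constructed sample directory in which random bytes stand in for ciphertext, so it runs offline without encrypting anything.

```python
"""Triage scan for files carrying a ransomware rename suffix (.vect) with a
per-chunk entropy check that separates untouched, partially encrypted and
fully encrypted contents.  Added illustration, not code from Morphisec or the
cited articles; the suffix, chunk size and threshold are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".vect"          # rename suffix reported for VECT 2.0
CHUNK_SIZE = 4096         # assumed scan granularity, not VECT's block size
HIGH_ENTROPY = 7.0        # bits/byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(path: Path, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, read sequentially from disk."""
    result = []
    with open(path, "rb") as fh:
        while block := fh.read(chunk_size):
            result.append(shannon_entropy(block))
    return result


def classify(entropies: list) -> str:
    """Label a file from its chunk entropies.  A mix of high- and low-entropy
    chunks is the 'partially encrypted' signature described in the analysis."""
    if not entropies:
        return "empty"
    high = sum(1 for e in entropies if e >= HIGH_ENTROPY)
    if high == len(entropies):
        return "fully-encrypted"
    if high == 0:
        return "plaintext"
    return "partially-encrypted"


def scan_for_suffix(root, suffix: str = SUFFIX) -> list:
    """Find every file under `root` carrying `suffix` and classify its contents."""
    findings = []
    for path in sorted(Path(root).rglob(f"*{suffix}")):
        if not path.is_file():
            continue
        ents = chunk_entropies(path)
        findings.append({
            "path": str(path),
            "original_name": path.name[: -len(suffix)],   # name before the rename
            "chunks": len(ents),
            "state": classify(ents),
        })
    return findings


def build_sample_tree() -> str:
    """Constructed sample directory with the three states the analysis describes
    (renamed only, partially encrypted, fully encrypted) plus one untouched file.
    os.urandom stands in for ciphertext; nothing here is actually encrypted."""
    root = tempfile.mkdtemp(prefix="vect_triage_demo_")
    text = b"Quarterly report: revenue figures and notes.\n" * 200  # ~9 KB, low entropy
    (Path(root) / "renamed_only.txt.vect").write_bytes(text)
    (Path(root) / "partial.csv.vect").write_bytes(os.urandom(CHUNK_SIZE) + text)
    (Path(root) / "full.sql.vect").write_bytes(os.urandom(3 * CHUNK_SIZE))
    (Path(root) / "untouched.txt").write_bytes(text)
    return root


if __name__ == "__main__":
    for finding in scan_for_suffix(build_sample_tree()):
        print(f"{finding['state']:<20} chunks={finding['chunks']:<3} {finding['path']}")
```

Entropy is a triage cue, not proof: formats that are already compressed or encrypted (zip-based Office documents, JPEGs, archives, encrypted database pages) read as high entropy even when untouched, so a "fully-encrypted" verdict on such a file should be confirmed by checking its magic bytes against the extension preserved in `original_name`. The mixed high/low chunk pattern is the part that maps most directly to the partial-encryption behaviour described above, and it is worth recording per file when deciding which items a backup restore must replace.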
Source articles (5)
- VECT: Ransomware That Can’t Decrypt — Morphisec · 2026-06-04
  VECT ransomware can leave files renamed, partially encrypted or permanently damaged, even when attackers provide a decryptor. Learn how Windows-specific flaws create recovery challenges and why preven…
- VECT 2.0 Ransomware Breaks Files Beyond Its Own Recovery — Gbhackers · 2026-06-05
  VECT 2.0 ransomware can leave victims with files that even the attacker’s own decryptor cannot reliably restore. While researchers previously exposed a cross-platform design flaw that discards nonces…
- VECT 2.0 Ransomware Breaks Files Beyond Its Own Recovery — Gbhackers · 2026-06-05
  VECT 2.0 ransomware can leave victims with files that even the attacker’s own decryptor cannot reliably restore. While researchers previously exposed a cross-platform design flaw that discards nonces…
- VECT 2.0 Ransomware Can Damage Files Its Own Decryptor Cannot Reliably Restore — Cybersecuritynews · 2026-06-05
  A new ransomware strain called VECT 2.0 is raising serious concerns among security professionals, and for a troubling reason — even if a victim pays the ransom, the attacker’s own decryptor may not fu…
- According to Morphisec — www.morphisec.com · 2026-06-05
Timeline
- 2026-06-04 — Morphisec analysis published: Morphisec published findings on VECT ransomware's flaws, emphasizing the need for prevention-first security measures.
- 2026-06-05 — VECT 2.0 ransomware identified: Security researchers reported that VECT 2.0 can damage files beyond recovery, even with the attackers' decryptor.
Related entities
- Ransomware (Attack Type)
- Cisco (Company)
- Microsoft (Company)
- Dashlane (Tool)
- CWE-125 - Out-of-bounds Read (CWE)
- CWE-362 - Race Condition (CWE)
- Brickstorm (Malware)
- Vect (Ransomware Group)
- VECT 2.0 (Ransomware Group)
- T1486 - Data Encrypted for Impact (MITRE ATT&CK)
- Catalyst SD-WAN Manager (Platform)
- Microsoft Edge (Platform)
- Windows (Platform)