
Vect 2.0 Ransomware Functions as Data Wiper, Not Encryptor

Severity: High (Score: 69.9)

Sources: www.secure.com, Gbhackers, Scworld, Cybersecuritynews, Theregister

Summary

The Vect 2.0 ransomware, which emerged from a partnership with the TeamPCP group, irreversibly destroys files larger than 128 KB instead of encrypting them for ransom. The flaw, identified by Check Point Research, affects all three variants, targeting Windows, Linux, and VMware ESXi. During operation the ransomware discards the decryption information it would need to restore such files, so recovery is impossible even if the victim pays.

Vect was first noted in December 2025 and gained notoriety for its aggressive marketing and affiliate program on BreachForums. As of April 2026 it has reportedly impacted multiple organizations, particularly those involved in supply chain operations. Analysts warn that paying the ransom is futile, because the necessary decryption keys are lost during the attack. The situation is exacerbated by the ransomware's amateur coding, which includes multiple additional flaws and non-functional features. Organizations are advised to focus on resilience and recovery (restoring affected data from backups) rather than negotiating with the attackers.

Key Points:

  • Vect 2.0 destroys files over 128 KB, making recovery impossible.
  • The ransomware operates under a flawed encryption model, discarding critical decryption data.
  • Paying the ransom is futile, as no functional decryptor exists for affected files.
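The practical consequence of the flaw is a recovery-planning problem: after a hit, the only number the write-up gives is the 128 KB boundary, so responders need to know which files fall above it (gone, restore from backup) and which fall below it (keep intact in case decryption data survives). The script below is an added example, not code from the page, from Check Point Research, or from the malware. It walks a directory, measures byte entropy to tell encrypted content from untouched plaintext, and buckets files by that boundary. Assumptions not stated on the page: "128 KB" is read as 128 * 1024 bytes, and 7.5 bits per byte is used as the "looks encrypted" cut-off; the sample files are constructed in a temporary directory and stand in for a victim share.

```python
"""Post-incident file triage for a Vect 2.0 hit.

Added example, not the page's or the malware's code. It applies the page's one
concrete number (files larger than 128 KB are destroyed) to a directory tree
so recovery effort can be planned. Assumptions not stated on the page:
"128 KB" is taken as 128 * 1024 bytes; 7.5 bits/byte is the entropy cut-off
for "looks encrypted".
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

WIPE_THRESHOLD = 128 * 1024   # assumption: "128 KB" on the page read as KiB
ENTROPY_CUTOFF = 7.5          # assumption: common ciphertext heuristic
SAMPLE_BYTES = 64 * 1024      # entropy is measured over the first 64 KiB

DESTROYED = "destroyed: restore from backup"
ENCRYPTED = "encrypted, under threshold: preserve for possible decryption"
UNTOUCHED = "plaintext: likely untouched"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    size: int
    entropy: float
    verdict: str


def classify(path: str) -> Finding:
    """Size alone is not the rule: a large low-entropy file was never encrypted."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
    if entropy < ENTROPY_CUTOFF:
        verdict = UNTOUCHED
    elif size > WIPE_THRESHOLD:
        verdict = DESTROYED
    else:
        verdict = ENCRYPTED
    return Finding(path, size, round(entropy, 3), verdict)


def triage(root: str) -> dict[str, list[Finding]]:
    """Walk a tree and bucket every file by verdict."""
    buckets = {DESTROYED: [], ENCRYPTED: [], UNTOUCHED: []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            finding = classify(os.path.join(dirpath, name))
            buckets[finding.verdict].append(finding)
    return buckets


def build_sample_tree() -> str:
    """Constructed sample files standing in for a hit share (not real victim data)."""
    root = tempfile.mkdtemp(prefix="vect_triage_")
    samples = {
        "vm-disk.vmdk": os.urandom(200 * 1024),                       # big + random
        "invoice.docx": os.urandom(32 * 1024),                        # small + random
        "notes.txt": b"quarterly supply-chain review\n" * 200,        # small text
        "app.log": b"2026-04-01 INFO backup job completed\n" * 6000,  # big text
    }
    for name, payload in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(payload)
    return root


def summarize(root: str) -> dict[str, list[str]]:
    """File names per verdict; convenient for reporting and for tests."""
    return {verdict: [os.path.basename(f.path) for f in findings]
            for verdict, findings in triage(root).items()}


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for verdict, names in summarize(sample_root).items():
        print(f"{verdict}: {names}")
```

Two caveats when running this on a real share: natively compressed formats (archives, images, video) also show high entropy and will land in the encrypted buckets, so those need a format check or manual review; and the "preserve for possible decryption" bucket is about not destroying evidence, not a promise of recovery, since the page reports that no functional decryptor exists. The page names no file extension or marker the ransomware leaves, so none is matched here.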

Key Entities

  • TeamPCP (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Ransomware (attack_type)
  • Supply Chain Attack (attack_type)
  • TeamPCP Supply-chain Campaign (campaign)
  • Aqua Security (company)
  • Checkmarx (company)
  • Guesty (company)
  • S&P Global (company)
  • Telnyx (company)
  • LiteLLM (tool)
  • Trivy (tool)
  • Checkmarx KICS (tool)
  • Libsodium (tool)
  • Ransomware Builder (tool)
  • Brazil (country)
  • Colombia (country)
  • Egypt (country)
  • India (country)
  • Italy (country)
  • CWE-326 - Inadequate Encryption Strength (cwe)
  • secure.com (domain)
  • Healthcare (industry)
  • Manufacturing (industry)
  • Technology (industry)
  • Nitrogen (ransomware_group)
  • Vect (ransomware_group)
  • VECT 2.0 (ransomware_group)
  • VECT 2.0 Ransomware (ransomware_group)
  • Vectr (ransomware_group)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.004 - SSH (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1070.001 - Clear Windows Event Logs (mitre_attack)
  • T1070 - Indicator Removal (mitre_attack)
  • ESXi (platform)
  • Linux (platform)
  • VMware ESXi (platform)
  • Windows (platform)