INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Ransomware by design, Wiper by accident
2026-04-28 13:03 | CRITICAL | HIGH
Executive Summary (AI-generated)
Background: VECT ransomware, a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum, has been observed removing Ukraine from its CIS country list during times of conflict. This is an uncommon trend, suggesting that the code used by VECT may be AI-generated or based on outdated technology. The ransomware's ability to exfiltrate sensitive data and publish it online if the ransom is not paid demonstrates its potential impact. Because it permanently destroys large files rather than encrypting them, it behaves as a wiper, which makes it particularly destructive in terms of data loss.
Technical Mitigations (AI-generated)
• The encryption implementation in VECT ransomware is flawed: for files above 131,072 bytes (128 KB) the decryption nonces are discarded, which turns the locker into a wiper for those files rather than an encryptor.
• The cipher used by VECT is misidentified as ChaCha20-Poly1305 AEAD; it actually uses raw ChaCha20-IETF with no Poly1305 MAC and therefore no integrity protection.
• The encryption speed modes advertised for the Linux and ESXi variants are not implemented; every platform applies the same hardcoded thresholds.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Wiper
Target regions: GCC, CIS, North America
Target sectors: health, defense
Incident Timeline
December 2025
Russian Federation launched VECT Ransomware in December 2025.
January 2026
The actor claimed their first two victims in January 2026 and subsequently announced a partnership with TeamPCP.
February 2026
The ransomware targets VMware ESXi hypervisors and employs geofencing before disrupting system services, wiping logs, and encrypting victim files.
The VECT Ransomware is written in C++ and, with version 2.0 released in February 2026, VECT supports Windows and Linux hosts as well as ESXi hypervisors.
Defense Evasion and Cleanup
Action | Method
Disable Windows Defender | Set-MpPreference via PowerShell disables realtime, behavior, IOAV, and script scanning
Delete shadow copies | vssadmin delete shadows /all /quiet
Clear event logs | wevtutil cl on Application, Security, System, Windows PowerShell
Delete PowerShell history | PSReadLine\ConsoleHost_history.txt
Delete recent file entries | %APPDATA%\Microsoft\Windows\Recent\*
Self-delete | Delayed cmd /c with ping stall followed by forced deletion
ESXi Locker – The Hypervisor Ransomware
The ESXi variant of the VECT ransomware targets VMware ESXi hypervisors and employs geofencing and anti-debugging before disrupting various system services, wiping logs, and encrypting victim files, defaulting to the VMware File System mount point at /vmfs/volumes.
Ransomware Cross-Platform Overview
As detailed in the following sections, VECT 2.0 targets Windows, Linux, and VMware ESXi through three distinct variants built on a shared codebase.
Windows Locker
The Windows variant targets local, removable, and network-accessible storage, renames encrypted files with the .vect extension, drops a ransom note and a branded desktop wallpaper, and executes defense-evasion, persistence, and lateral-movement routines.
Here, an affiliate has the option to build three different payloads: Windows, Linux and ESXi (as well as a dedicated tool for data exfiltration, which is not yet available at the time of writing):
Figure 5: VECT builder panel.
Lateral Movement
The locker contains multiple encoded remote-execution script templates enabling propagation to additional Windows hosts using operator-supplied credentials (--creds).
Property | Windows | Linux | ESXi
Architecture | PE64 (x86-64) | ELF64 (x86-64) |
This is incorrect, as we confirmed that all three versions (Windows, Linux, ESXi) use the raw, unauthenticated ChaCha20 stream cipher in its IETF variant (RFC 8439) via libsodium's crypto_stream_chacha20_ietf_xor.
The three discarded nonces are outputs of randombytes() (which on Windows internally resolves to SystemFunction036/RtlGenRandom in advapi32.dll, forwarding to ProcessPrng in bcryptprimitives.dll; on Linux and ESXi it reads from the kernel CSPRNG via getrandom() or /dev/urandom through libsodium's safe_read()), cryptographically unpredictable values that are never stored anywhere after the buffer is overwritten.
--no-stealth      Disable self-delete
--force-safemode  Force safemode boot
Figure 11: VECT 2.0 Windows version – command-line arguments processing.
Figure 12: VECT 2.0 Windows version – 48 threads for 8-CPU target.
Figure 13: The desktop wallpaper used by the VECT 2.0 Windows locker version.
The file selection logic skips the following to leave the operating system functional enough for the victim to access the payment portal:
Excluded directories: Windows, Windows.old, Boot, $Recycle.
Process and Service Disruption
When running with elevated privileges, the locker stops services via the Windows Service Control Manager and terminates the following processes to release file handles before encryption begins: sql.exe, oracle.exe, mysqld.exe, excel.exe, winword.exe, outlook.exe, firefox.exe, thunderbird.exe.
When --force-safemode is active, the locker executes bcdedit /set {default} safeboot minimal to configure the next boot into minimal safe mode, then writes its own executable path into the Windows registry under the safe-boot service load path with value "Service".
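The commands in the Defense Evasion and Cleanup table and the --force-safemode bcdedit step are high-fidelity process-creation signals, and the value for a SOC is in seeing several of them cluster on one host within seconds. The Python below is an added example written for this page, not code from the original report or from Check Point Research; it runs one regex rule per table row (plus the safe-boot step) over a few constructed process-creation records in an assumed pipe-delimited format (timestamp|host|user|parent image|command line). Hostnames, accounts and the parent image name "locker.exe" are placeholders, and the WS-042 lines are deliberately benign administrative activity to show the rules do not fire on them.

```python
"""Detection of VECT-style pre-encryption cleanup and safe-boot persistence on Windows hosts."""
import re
from collections import defaultdict

# One rule per row of the cleanup table, plus the --force-safemode bcdedit step.
RULES = {
    "defender_disabled": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|ScriptScanning)\b",
        re.IGNORECASE),
    "shadow_copies_deleted": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+", re.IGNORECASE),
    "powershell_history_deleted": re.compile(r"\bdel\b.*ConsoleHost_history\.txt", re.IGNORECASE),
    "recent_items_deleted": re.compile(r"\bdel\b.*\\Windows\\Recent\\\*", re.IGNORECASE),
    "safeboot_persistence": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+safeboot\s+minimal\b", re.IGNORECASE),
    "delayed_self_delete": re.compile(r"\bcmd(\.exe)?\s+/c\b.*\bping\b.*\bdel\b.*\s/f\b", re.IGNORECASE),
}

# Constructed sample records (assumed format: timestamp|host|user|parent image|command line).
# Hostnames, accounts and "locker.exe" are placeholders; the WS-042 lines are benign admin activity.
SAMPLE_LOG = """\
2026-02-14T09:12:01Z|WS-042|corp\\jdoe|explorer.exe|"C:\\Windows\\System32\\vssadmin.exe" list shadows
2026-02-14T09:12:07Z|WS-042|corp\\jdoe|cmd.exe|ping 10.0.0.1 -n 2
2026-02-14T09:13:11Z|SRV-07|corp\\svc_backup|locker.exe|powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableScriptScanning $true
2026-02-14T09:13:12Z|SRV-07|corp\\svc_backup|locker.exe|vssadmin delete shadows /all /quiet
2026-02-14T09:13:13Z|SRV-07|corp\\svc_backup|locker.exe|wevtutil cl Security
2026-02-14T09:13:13Z|SRV-07|corp\\svc_backup|locker.exe|wevtutil cl "Windows PowerShell"
2026-02-14T09:13:14Z|SRV-07|corp\\svc_backup|locker.exe|bcdedit /set {default} safeboot minimal
2026-02-14T09:13:15Z|SRV-07|corp\\svc_backup|locker.exe|cmd /c del /q "C:\\Users\\svc_backup\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"
2026-02-14T09:13:15Z|SRV-07|corp\\svc_backup|locker.exe|cmd /c del /q "C:\\Users\\svc_backup\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*"
2026-02-14T09:13:16Z|SRV-07|corp\\svc_backup|locker.exe|cmd /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\\Users\\svc_backup\\locker.exe"
2026-02-14T09:20:00Z|WS-042|corp\\jdoe|cmd.exe|wevtutil qe Application /c:5
"""


def parse_line(line):
    """Split one record into its five fields; the command line may itself contain spaces."""
    timestamp, host, user, parent, cmdline = line.split("|", 4)
    return {"timestamp": timestamp, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Names of every rule that fires on one command line."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def scan(log_text):
    """Map host -> set of rule names observed on that host."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        for name in match_rules(event["cmdline"]):
            hits[event["host"]].add(name)
    return dict(hits)


def assess(log_text, min_rules=3):
    """Hosts where several distinct cleanup/persistence behaviours cluster.

    Any single rule is already alert-worthy; the cluster is the pre-encryption pattern.
    """
    return sorted(host for host, names in scan(log_text).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in sorted(scan(SAMPLE_LOG).items()):
        print(host, sorted(names))
    print("flagged:", assess(SAMPLE_LOG))
```

In a real pipeline the rules would be applied to Sysmon event 1 or Security event 4688 command lines; the clustering threshold is what separates a routine `wevtutil cl` by an administrator from the burst of six or seven distinct behaviours the locker produces in the seconds before encryption starts.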
Methods include: admin share file copy, Windows Credential Manager storage via cmdkey, WMI execution, DCOM/MMC application instantiation, remote scheduled task creation, remote service installation via sc.exe, and PowerShell remoting.
Host discovery combines Windows domain enumeration with a local subnet sweep using network adapter information.
Anti-Analysis
The Windows variant implements three layered analyst-environment detection mechanisms.
An example XOR-based string decryption (Windows locker).
Kernel debug-object query
The Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime, avoiding static import detection, and queried for the ProcessDebugObjectHandle information class.
IOCs
SHA-256 | VECT Version
a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2 | ESXi
58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd | ESXi
e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06 | Linux
8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d | Windows
9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f | Windows
e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a | Windows
Appendix
Analysis tools detected by Windows locker:
ollydbg.exe
x64dbg.exe
x32dbg.exe
windbg.exe
x96dbg.exe
ida.exe
ida64.exe
idag.exe
idag64.exe
idaw.exe
idaw64.exe
idaq.exe
idaq64.exe
immunitydebugger.exe
ImportREC.exe
MegaDumper.exe
scylla.exe
scylla_x64.exe
scylla_x86.exe
protection_id.exe
reshacker.exe
ResourceHacker.exe
processhacker.exe
procexp.exe
procexp64.exe
procmon.exe
procmon64.exe
autoruns.exe
autorunsc.exe
filemon.exe
regmon.exe
wireshark.exe
dumpcap.exe
hookexplorer.exe
PETools.exe
LordPE.exe
SysInspector.exe
proc_analyzer.exe
sysAnalyzer.exe
sniff_hit.exe
joeboxcontrol.exe
joeboxserver.exe
fiddler.exe
httpdebugger.exe
Services targeted by Linux/ESXi locker:
acronis
acronis_agent
aide
amanda
avast
avg
BackupExecAgent
bareos-fd
bitdefender
borg
carbonblack
cassandra
cb-sensor
chkrootkit
clamav
clamav-daemon
clamav-freshclam
clamd
cockroach
consul
couchdb
cylance
eset
etcd
falcon-sensor
freshclam
influxdb
kaspersky
kvm
libvirtd
lynis
mariadb
mariadbd
mcafee
memcached
mongod
mongodb
mysql
mysqld
neo4j
ossec
postgres
postgresql
qemu
rclone
rdiff-backup
redis
redis-server
restic
rkhunter
rsnapshot
sentinelone
sophos
symantec
syncthing
tripwire
vboxadd
VBoxClient
vboxdrv
VBoxHeadless
vboxservice
VBoxService
veeam
VeeamDeploymentSvc
virt-install
virt-manager
vmware
vmware-authd
vmware-hostd
vmware-rawdiskCreator
vmware-tray
vmware-usbarbitrator
vmware-user
vmware-vmx
vmware-vprobe
wazuh
wazuh-agent
xen
xenconsoled
xend
xenstored
Logs targeted by Linux/ESXi locker:
Log files: /var/log/syslog, /var/log/messages, /var/log/debug, /var/log/secure, /var/log/auth.log, /var/log/kern.log, /var/log/daemon.log, /var/log/user.log, /var/log/mail.log, /var/log/mail.err, /var/log/cron.log, /var/log/boot.log, /var/log/dmesg, /var/log/faillog, /var/log/lastlog, /var/log/tallylog, /var/log/wtmp, /var/log/btmp, /var/log/utmp, /var/run/utmp
Rotate logs (Wildcards): /var/log/syslog.
The Linux locker, just like its ESXi counterpart, supports the --spread SSH lateral movement functionality.
The same goes for the Linux variant we describe further below.
/issue | Pre-login system banner
/etc/issue.net | Network login banner
/etc/profile.d/vector_notice.sh | Shell script displaying the note, run on shell login
Linux Locker
The Linux version is built on the same codebase as the ESXi version and implements a subset of its functionality. This becomes apparent when comparing the execution flow of the main functions side-by-side:
Figure 20: Execution flow ESXi locker (left) vs. Linux locker (right).
The Linux version also has another oversight in the implementation of the encryption.
CPR's analysis of an older ESXi variant identified in the wild prior to the 2.0 release confirms the identical four-chunk loop, quarter-offset calculation, shared nonce buffer, and single EOF nonce write – unchanged from the operator's first publicly observed deployment through every known release.
The nonce-handling bug is identical across all three platform variants and, as confirmed through analysis of an earlier variant identified in the wild prior to the VECT 2.0 release, has been present since the operator's first publicly observed deployment.
Because ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone, including the ransomware operator, who cannot provide a working decryption tool even after ransom payment.
Property | Windows | Linux | ESXi
Toolchain | MinGW-w64 / C++ | GCC / C++ | GCC / C++
Crypto library | libsodium (static) | libsodium (static) | libsodium (static)
Cipher | ChaCha20-IETF (RFC 8439) | ChaCha20-IETF (RFC 8439) | ChaCha20-IETF (RFC 8439)
Key size | 32 bytes | 32 bytes | 32 bytes
Nonce size | 12 bytes | 12 bytes | 12 bytes
Small file threshold | 131,072 bytes | 131,072 bytes | 131,072 bytes
Large file chunks | 4 | 4 | 4
Chunk offset formula | file_size / 4 × index | file_size / 4 × index | file_size / 4 × index
Max chunk size | 32,768 bytes | 32,768 bytes | 32,768 bytes
Nonces written to disk | 1 (last chunk only) | 1 (last chunk only) | 1 (last chunk only)
The _ietf designation refers specifically to the standardized 96-bit (12-byte) nonce and 32-bit counter parameterization, distinct from Bernstein's original 64-bit nonce form.
Figure 8: Small file processing (single ChaCha20-IETF pass, 12-byte nonce appended at EOF).
The on-disk format contains only raw ciphertext followed by a 12-byte nonce – no MAC, no integrity protection, no authenticated encryption of any kind.
Figure 6: VECT's per-chunk encryption helper – 12-byte nonce is generated by randombytes() and passed directly into crypto_stream_chacha20_ietf_xor.
The malware encrypts four independent chunks of each "large file" using four freshly generated random 12-byte nonces, but appends only the final nonce to the specific encrypted file on disk.
For a small file, one 12-byte nonce is generated, used to encrypt the full file in-place, and appended to the end of the file. The resulting on-disk layout is:
[ ChaCha20-IETF ciphertext - full file ][ nonce - 12 bytes ]
The per-chunk encryption helper is called once per iteration and on every call it generates a fresh cryptographically random 12-byte nonce via libsodium's randombytes(), writing it into a single shared output buffer passed by the caller.
In each case, the per-chunk encryption helper generates a fresh random nonce on every call and writes it into the same caller-supplied 12-byte buffer; all four iterations of the loop share this buffer; and a single 12-byte write to the end of the file follows the loop.
Files commonly exceeding 128 KB span virtually everything from typical office documents, spreadsheets, and images to virtual machine disk images, database files, archives, and backups – precisely those most critical to business continuity and most targeted by ransomware operators.
The malware also supports SSH-based lateral movement, where the ransomware tries to use available credentials to connect to known SSH hosts.
Anti-Analysis and Geofencing
Before executing any malicious code, the ransomware employs two simple anti-analysis checks:
Check Point Research's analysis reveals that the ransomware's encryption flaw is not a minor edge case but a fundamental design error affecting virtually every file of consequence.
READ_ME!!!.txt
Default target path | All drives | / | /vmfs/volumes
Lateral movement | WMI / DCOM / SMB / SC / Schtasks / PSRemoting | SSH / SCP | SSH / SCP
Geofencing / CIS bypass | No | Yes (locale + timezone)
Small File Processing
For files not exceeding 131,072 bytes (128 KB), the entire content is encrypted in a single pass.
Large File Processing – The Flaw
For files exceeding 131,072 bytes (128 KB), VECT divides the file into four chunks at quarter-file offsets derived from the file size:
Quarter size: file size divided by 4
Chunk start offsets: 0, ¼, ½, ¾ of the file
Chunk size per offset: up to 32,768 bytes (32 KB), or the remaining file length if shorter
The encryption loop processes each chunk in sequence.
Overview
All three VECT 2.0 variants share a critical implementation flaw that causes any file larger than 131,072 bytes (128 KB, smaller even than a simple document) to be permanently and irrecoverably destroyed rather than encrypted for later decryption.
The nonce flaw applies identically: files larger than 131,072 bytes (128 KB) lose the first three chunk nonces permanently, thus resulting in large file destruction rather than encryption.
Every execution, regardless of operator-selected flag, applies the same hardcoded thresholds: 131,072-byte large-file boundary and 32,768-byte maximum chunk size.
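The chunk layout just described, together with the nonce-handling description earlier on this page (four chunks, one shared nonce buffer, a single 12-byte write at EOF), can be turned into an incident-response triage aid: given an encrypted file as found on disk, compute which byte ranges become recoverable once a key is obtained, which are permanently lost because their nonces were overwritten, and which the locker never wrote and can therefore be carved out as plaintext. The Python below is an added example written for this page, not code from Check Point Research or from the malware; it assumes integer division for the file_size / 4 quarter offset, an unencrypted trailer of exactly 12 bytes, and it triages a constructed 200,000-byte sample rather than a real file.

```python
"""Triage of a VECT-style encrypted file: which byte ranges are lost, recoverable, or untouched."""
from dataclasses import dataclass

# Parameters as given on this page (identical across the Windows, Linux and ESXi variants).
SMALL_FILE_LIMIT = 131_072   # files above this go through the four-chunk loop
CHUNK_MAX = 32_768           # at most this many bytes are encrypted per chunk
CHUNKS = 4
NONCE_LEN = 12               # one ChaCha20-IETF nonce is appended at EOF (assumed exactly 12 bytes)


@dataclass(frozen=True)
class Region:
    start: int
    end: int      # exclusive
    status: str   # "recoverable_with_key", "lost" or "untouched"


def chunk_layout(plain_size):
    """(offset, length) of the four chunks of a large file.

    Assumption: the page's file_size / 4 × index formula uses integer division.
    """
    quarter = plain_size // 4
    layout = []
    for index in range(CHUNKS):
        start = quarter * index
        layout.append((start, min(CHUNK_MAX, plain_size - start)))
    return layout


def regions(plain_size):
    """Classify every byte of the original file by what the locker did to it."""
    if plain_size <= SMALL_FILE_LIMIT:
        # single pass over the whole file; its nonce is the EOF trailer
        return [Region(0, plain_size, "recoverable_with_key")]
    out, cursor = [], 0
    for index, (start, length) in enumerate(chunk_layout(plain_size)):
        if start > cursor:
            out.append(Region(cursor, start, "untouched"))
        # only the nonce of the last chunk survives in the trailer
        status = "recoverable_with_key" if index == CHUNKS - 1 else "lost"
        out.append(Region(start, start + length, status))
        cursor = start + length
    if cursor < plain_size:
        out.append(Region(cursor, plain_size, "untouched"))
    return out


def summarize(plain_size):
    """Byte totals per status for a file of the given original size."""
    totals = {"recoverable_with_key": 0, "lost": 0, "untouched": 0}
    for region in regions(plain_size):
        totals[region.status] += region.end - region.start
    return totals


def split_trailer(blob):
    """Separate the body from the 12-byte nonce the locker appends at EOF."""
    if len(blob) < NONCE_LEN:
        raise ValueError("too short to carry a nonce trailer")
    return blob[:-NONCE_LEN], blob[-NONCE_LEN:]


def triage(blob):
    """Verdict for one encrypted file as found on disk (body + trailer)."""
    body, nonce = split_trailer(blob)
    totals = summarize(len(body))
    verdict = "wiped" if totals["lost"] else "decryptable_with_key"
    return {"plain_size": len(body), "nonce_hex": nonce.hex(), "verdict": verdict, **totals}


def carve_untouched(blob):
    """Plaintext ranges the locker never wrote, as (offset, bytes) pairs for partial recovery."""
    body, _ = split_trailer(blob)
    return [(r.start, body[r.start:r.end]) for r in regions(len(body)) if r.status == "untouched"]


if __name__ == "__main__":
    # Constructed sample: a 200,000-byte "document" plus an all-zero 12-byte trailer.
    sample = b"A" * 200_000 + bytes(NONCE_LEN)
    print(triage(sample))
    for offset, data in carve_untouched(sample):
        print(f"untouched plaintext at {offset}: {len(data)} bytes")
```

For the 200,000-byte sample the four chunks sit at offsets 0, 50,000, 100,000 and 150,000; 98,304 bytes are lost, 32,768 are recoverable if the key is ever obtained, and 68,928 bytes between the chunks were never touched, which is why carving rather than decryption is the realistic recovery path for large files hit by this locker. A file of 131,073 bytes is the worst case: the four chunks are contiguous and only the final byte survives as plaintext.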
organisation
Small File Processing
For
Small File Processing
For files
not exceeding
131,072 bytes
(
128 KB
), the entire content is encrypted in a single pass.
data_breach
32,768 bytes
Large File Processing – The Flaw
For files
exceeding 131,072 bytes
(
128 KB
),
VECT
divides the file into
four chunks
at quarter-file offsets derived from the file size:
Quarter size:
file size divided by
4
Chunk start offsets:
0
,
¼
,
½
,
¾
of the file
Chunk size per offset:
up to
32,768 bytes
(
32 KB
), or the remaining file length if shorter
The encryption loop processes each chunk in sequence.
Impact
File region                                  | Nonce on disk         | Recoverable
---------------------------------------------|-----------------------|-----------------
Small file ≤ 128 KB – full content           | Yes – appended at EOF | Fully
Large file – chunk at offset 0 (up to 32 KB) | No                    | Permanently lost
Large file – chunk at offset ¼ (up to 32 KB) | No                    | Permanently lost
Large file – chunk at offset ½ (up to 32 KB) | No                    | Permanently lost
Large file – chunk at offset ¾ (up to 32 KB) |                       |
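The layout rules above translate directly into an incident-response question: for a given affected file, which byte ranges were never touched, which can be reversed with the key and the stored nonce, and which are gone. The following Python is an added worked model of those rules, not code from the Check Point analysis or from the malware. It assumes only what the page states: the four-chunk path is taken for files strictly larger than 131,072 bytes, chunk starts are file_size / 4 × index, each chunk is at most 32,768 bytes, and the on-disk file is the original content followed by one 12-byte nonce. The ESXi zero-block skip cannot be seen from sizes alone, so the model counts such chunks as lost and says so in a comment.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds as documented for all three VECT 2.0 variants.
LARGE_FILE_THRESHOLD = 131_072   # files strictly larger than this take the four-chunk path
CHUNK_COUNT = 4
MAX_CHUNK_SIZE = 32_768
NONCE_SIZE = 12                  # one ChaCha20-IETF nonce appended at EOF


@dataclass(frozen=True)
class Region:
    start: int    # inclusive offset in the original file
    end: int      # exclusive offset
    status: str   # "intact" (never touched), "recoverable_with_key", or "lost"


def original_size_from_disk(disk_size: int) -> int:
    """The on-disk file is the original content followed by one 12-byte nonce."""
    if disk_size < NONCE_SIZE:
        raise ValueError("file too small to carry a trailing nonce")
    return disk_size - NONCE_SIZE


def chunk_ranges(file_size: int) -> List[Tuple[int, int]]:
    """Quarter-file chunks: start = file_size / 4 * index, length = min(32 KB, remainder)."""
    quarter = file_size // 4
    ranges = []
    for index in range(CHUNK_COUNT):
        start = quarter * index
        length = min(MAX_CHUNK_SIZE, file_size - start)
        ranges.append((start, start + length))
    return ranges


def classify_regions(file_size: int) -> List[Region]:
    """Map the whole original file into regions by what the single stored nonce can reverse."""
    if file_size <= LARGE_FILE_THRESHOLD:
        # Small file: one pass, one nonce, and that nonce is the one written to disk.
        return [Region(0, file_size, "recoverable_with_key")]
    regions: List[Region] = []
    cursor = 0
    for index, (start, end) in enumerate(chunk_ranges(file_size)):
        if start > cursor:
            regions.append(Region(cursor, start, "intact"))
        # Only the nonce of the last chunk survives the shared-buffer loop.
        status = "recoverable_with_key" if index == CHUNK_COUNT - 1 else "lost"
        regions.append(Region(start, end, status))
        cursor = end
    if cursor < file_size:
        regions.append(Region(cursor, file_size, "intact"))
    return regions


def summarize(file_size: int) -> Dict[str, int]:
    """Byte totals per status. Caveat: the ESXi variant skips all-zero chunks, so on a sparse
    VMDK a chunk reported as 'lost' may in fact be untouched; sizes alone cannot decide that."""
    totals = {"intact": 0, "recoverable_with_key": 0, "lost": 0}
    for region in classify_regions(file_size):
        totals[region.status] += region.end - region.start
    return totals


if __name__ == "__main__":
    # Constructed sizes: a 1 MiB file and one just past the threshold.
    for size in (1 << 20, LARGE_FILE_THRESHOLD + 1):
        print(size, summarize(size))
```

For a 1 MiB file the model reports 98,304 bytes lost, 32,768 recoverable and 917,504 never touched, which is why large backups and disk images are largely carveable even though the file as a whole is unusable without the lost chunks.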
The _ietf designation refers specifically to the standardized 96-bit (12-byte) nonce and 32-bit counter parameterization, distinct from Bernstein’s original 64-bit nonce form.
Figure 8: Small file processing (single ChaCha20-IETF pass, 12-byte nonce appended at EOF).
The encryption engine spawns worker threads in a fixed 1:7 scanner-to-encryptor ratio derived from a CPU-count-tiered multiplier: ×8 for machines with up to 4 CPUs, ×6 for 5-8 CPUs, and ×4 beyond that, hard-capped at 256 total.
Families like LockBit cap their pools at 1-2× CPU count for good reason; spawning six times as many threads as there are CPUs does not encrypt files faster; it simply means the operating system spends more time switching between threads than doing useful work.
ProgramData
Bin
,
System Volume Information
,
Program Files
,
Program Files (x86)
,
ProgramData
Excluded boot files:
bootmgr
,
bootmgr.efi
,
bootmgfw.efi
,
bootsect.bak
,
boot.ini
,
ntldr
Excluded extensions:
.exe
,
.dll
,
.sys
organisation
Shell & command
*
,
/var/log/secure*
,
/var/log/kern.log.*
,
/var/log/*.gz
,
/var/log/*.1
,
/var/log/*.old
,
/var/log/cron*
,
/var/log/ufw.log*
,
/var/log/firewalld*
,
/var/log/audit/audit.log*
,
/var/log/dpkg.log*
,
/var/log/yum.log*
,
/var/log/dnf.log*
,
/var/log/apt/*
,
/var/log/cloud-init*.log
Application specific logs:
/var/log/apache2/*
,
/var/log/httpd/*
,
/var/log/nginx/*
,
/var/log/mysql/*
,
/var/log/postgresql/*
,
/var/log/mongodb/*
,
/var/log/redis/*
,
/var/log/docker/*
,
/var/log/containers/*
,
/var/log/pods/*
,
/var/log/journal/*
,
/run/log/journal/*
,
/tmp/*.log
,
/var/tmp/*.log
Shell & command history files:
.bash_history
,
.zsh_history
,
.mysql_history
,
.psql_history
,
.python_history
,
.lesshst
,
.viminfo
,
/root/.ash_history
(ESXi locker only)
ESXi specific logs:
/var/log/vmkernel.log
,
/var/log/vmkwarning.log
,
/var/log/vmksummary.log
,
/var/log/hostd.log
,
/var/log/vpxa.log
,
/var/log/fdm.log
,
/var/log/shell.log
,
/var/log/syslog
,
/var/log/vobd.log
,
/var/log/vmware/*
Ransom Note:
!!!
Yes (locale + timezone)
Property              | Windows                            | Linux                   | ESXi
----------------------|------------------------------------|-------------------------|------------------------
Anti-debug            | Process scan + kernel object query | TracerPid check         | TracerPid check
Encryption mode flags | N/A                                | Parsed, not implemented | Parsed, not implemented
Nonce Flaw – “Large File” Destruction
Correct Cryptographic Identification
Before describing the flaw, a correction to existing public reporting is warranted.
Cross-Platform Confirmation
The flaw is structurally identical across all three platform variants.
The ESXi variant also performs a zero-block check before each encryption call, where chunks consisting entirely of zero bytes are skipped (an optimization for sparse VMDK files).
Command-Line Interface and Default Behavior
The locker exposes the following operator options:
-h, --help
GPO spread, network mounting, and self-deletion are all on by default.
An operator deploying without flags, for example via Group Policy or a remote execution primitive, activates the full impact chain automatically, including spread, hidden volume access, and post-execution cleanup.
File Encryption and Renaming
Each target file is renamed to append .vect before encryption.
Target Selection and Exclusions
Drive enumeration covers logical drives and network-mapped resources.
Parent process check
The parent process image path is retrieved and matched against a list of debugging environments: devenv, windbg, x64dbg, x32dbg, ollydbg, ida.
If the --spread option is supplied, the malware tries to spread laterally like an SSH-based worm:
- All readable keys from the home and /root directories are extracted
- /etc/ssh/ssh_config and ~/.ssh/config are read and parsed for any hostnames and corresponding usernames
- All known_hosts files are zeroed out to avoid any host-key warnings
- For each host, the locker tries to connect with each of the collected usernames as well as a hardcoded list of common usernames
- If a connection succeeds, the malware copies itself over via scp and executes itself via ssh
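The SSH spread steps just listed, the note-dropping files (/etc/issue.net and /etc/profile.d/vector_notice.sh) and the log and history wiping described earlier all leave host-side traces a responder can check for in bulk. The following Python is an added triage script, not code from the report or from the malware: it walks a host root (a mounted image or a live system) and reports zero-length known_hosts files, emptied shell histories, zero-length logs from the wiped-log list, the notice script, ransom-note text in the login banners, and files carrying the .vect extension. The fixture it builds is constructed for the example; the note marker strings come from the ransom note quoted on this page, and the log subset is a hand-picked sample of the full list.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Paths and strings taken from the analysis above; everything under build_fixture() is constructed.
NOTICE_SCRIPT = "etc/profile.d/vector_notice.sh"
BANNER_FILES = ["etc/issue", "etc/issue.net"]
NOTE_MARKERS = ("Dear Management", "encrypted with ChaCha20")
HISTORY_FILES = (".bash_history", ".zsh_history", ".mysql_history", ".psql_history",
                 ".python_history", ".lesshst", ".viminfo", ".ash_history")
WIPED_LOGS = ["var/log/auth.log", "var/log/secure", "var/log/wtmp", "var/log/btmp",
              "var/log/vmkernel.log", "var/log/hostd.log", "var/log/shell.log"]
ENCRYPTED_EXT = ".vect"


def _home_dirs(root: Path) -> List[Path]:
    """/root plus every directory under /home; the locker reads keys from both."""
    homes = [root / "root"]
    home_parent = root / "home"
    if home_parent.is_dir():
        homes += sorted(p for p in home_parent.iterdir() if p.is_dir())
    return [h for h in homes if h.is_dir()]


def triage(root_dir: str) -> Dict[str, List[str]]:
    root = Path(root_dir)
    findings: Dict[str, List[str]] = {
        "notice_script": [], "banner_note": [], "zeroed_known_hosts": [],
        "empty_history": [], "zero_length_logs": [], "vect_files": [],
    }
    if (root / NOTICE_SCRIPT).is_file():
        findings["notice_script"].append(NOTICE_SCRIPT)
    for rel in BANNER_FILES:
        banner = root / rel
        if banner.is_file() and any(m in banner.read_text(errors="replace") for m in NOTE_MARKERS):
            findings["banner_note"].append(rel)
    for home in _home_dirs(root):
        known_hosts = home / ".ssh" / "known_hosts"
        if known_hosts.is_file() and known_hosts.stat().st_size == 0:
            findings["zeroed_known_hosts"].append(str(known_hosts.relative_to(root)))
        for name in HISTORY_FILES:
            history = home / name
            if history.is_file() and history.stat().st_size == 0:
                findings["empty_history"].append(str(history.relative_to(root)))
    for rel in WIPED_LOGS:
        log = root / rel
        if log.is_file() and log.stat().st_size == 0:
            findings["zero_length_logs"].append(rel)
    for path in sorted(root.rglob("*" + ENCRYPTED_EXT)):
        if path.is_file():
            findings["vect_files"].append(str(path.relative_to(root)))
    return findings


def build_fixture() -> str:
    """Constructed sample host tree (not real evidence) that exercises every check once."""
    root = Path(tempfile.mkdtemp(prefix="vect_triage_"))
    (root / "etc/profile.d").mkdir(parents=True)
    (root / NOTICE_SCRIPT).write_text("#!/bin/sh\ncat /etc/issue.net\n")          # constructed content
    (root / "etc/issue.net").write_text(
        "Dear Management, all of your files have been encrypted with ChaCha20\n")
    (root / "etc/issue").write_text("Example Linux \\n \\l\n")                      # untouched banner
    (root / "root/.ssh").mkdir(parents=True)
    (root / "root/.ssh/known_hosts").write_bytes(b"")                              # zeroed by the worm
    (root / "root/.bash_history").write_bytes(b"")                                 # wiped history
    (root / "home/alice/.ssh").mkdir(parents=True)
    (root / "home/alice/.ssh/known_hosts").write_text("srv ssh-ed25519 AAAA...\n")  # intact
    (root / "home/alice/.bash_history").write_text("ls\n")                          # intact
    (root / "var/log").mkdir(parents=True)
    (root / "var/log/auth.log").write_bytes(b"")                                   # wiped log
    (root / "var/log/wtmp").write_bytes(b"\x01" * 64)                              # intact log
    (root / "vmfs/volumes/ds1").mkdir(parents=True)
    (root / "vmfs/volumes/ds1/web01.vmdk.vect").write_bytes(b"\x00" * 16)          # renamed target
    return str(root)


if __name__ == "__main__":
    for key, values in triage(build_fixture()).items():
        print(f"{key}: {values}")
```

Zero-length known_hosts files are the strongest of these signals because nothing legitimate truncates them to exactly zero bytes across every home directory at once; an empty history file alone is weak evidence and is reported only for correlation.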
Service Disruption, Log Wiping and Encryption
Before running any encryption, the malware makes sure to shut down any services that could hold any file locks or could otherwise interfere with the process.
After this prelude, the actual encryption process is kicked off: if no path is supplied, the default path of /vmfs/volumes is used, which is the default VMware File System (VMFS) mount point for all datastores.
On a side note, even the ASCII art is broken because the developers forgot to escape the backslash characters:
Figure 22: Broken ASCII art.
===============
::: ::: :::::::::: :::::::: :::::::::::
:+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+
+#+ +:+ +#++:++# +#+ +#+
+#+ +#+ +#+ +#+ +#+
#+#+#+# #+# #+# #+# #+#
### ########## ######## ###
===============
Dear Management, all of your files have been encrypted with ChaCha20 which is an unbreakable encryption algorithm.
The ChaCha20-Poly1305 AEAD construction appends a 16-byte Poly1305 authentication tag to each ciphertext.
Receive a sample decryption of up to 4 small files
March 2026
VECT announced a partnership with BreachForums, allowing registered users to become affiliates and use VECT ransomware.
Shortly after these attacks made headlines, VECT made a post on BreachForums, announcing their partnership with TeamPCP, with the goal to exploit the companies affected by those supply chain attacks.
2026/04/28
VECT: Ransomware by design, Wiper by accident. The ransomware has a critical flaw in its encryption implementation that affects files larger than 131,072 bytes.
VECT: Ransomware by design, Wiper by accident.
Key Takeaways
Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them.
A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB).
Three platforms, one flawed engine: Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout, confirming a single codebase ported across platforms.
The --fast, --medium, and --secure flags present across Linux and ESXi variants are parsed and then silently ignored.
<dir> Target directory (default: /vmfs/volumes)
--spread Enable SSH lateral movement
--fast Fast mode: encrypt only 1MB
--medium Medium mode: encrypt 4 parts (64MB each)
--secure Secure mode: encrypt 100% (default)
--no-kill-vms Don't kill running VMs (encrypt only)
--verbose
CPR confirmed this flaw is present across all publicly available VECT versions.
There is no Poly1305 MAC and no integrity protection.
April 2026
The incident is attributed to a partnership between two cybersecurity firms, VECT and Ransomwarebytes.
Windows Locker
The Windows variant targets local, removable, and network-accessible storage, renames encrypted files with the .vect extension, drops a ransom note and a branded desktop wallpaper, and executes defense-evasion, persistence, and lateral-movement routines.
Defense Evasion and Cleanup
Action                     | Method
---------------------------|-----------------------------------------------------------------------------------------
Disable Windows Defender   | Set-MpPreference via PowerShell disables realtime, behavior, IOAV, and script scanning
Delete shadow copies       | vssadmin delete shadows /all /quiet
Clear event logs           | wevtutil cl Application, Security, System, Windows PowerShell
Delete PowerShell history  | PSReadLine\ConsoleHost_history.txt
Delete recent file entries | %APPDATA%\Microsoft\Windows\Recent\*
Self-delete                | Delayed cmd /c with ping stall followed by forced deletion
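Every row of that table is a command line, which makes it a natural process-creation detection. The following Python is an added example, not code from the report: it runs a small rule set over constructed process-creation events and reports which evasion step each line corresponds to. The regexes are this example's own; the Set-MpPreference switch names in the sample event are the cmdlet's real parameters but are not spelled out on this page, and the bcdedit safeboot rule covers the --force-safemode command described in the Windows section. Benign look-alikes are included so the rules can be checked for false positives.

```python
import re
from typing import List, Tuple

# Detection rules for the defense-evasion commands in the table above.
# Written for this example; tune field parsing to your own log source before production use.
RULES = [
    ("defender_disable",
     re.compile(r"Set-MpPreference\b.*-Disable\w+", re.IGNORECASE)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("event_log_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.IGNORECASE)),
    ("safeboot_config",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+safeboot\b", re.IGNORECASE)),
    ("delayed_self_delete",
     re.compile(r"\bcmd(\.exe)?\s+/c\b.*\bping\b.*\bdel\b", re.IGNORECASE)),
]

# Constructed process-creation events (not real telemetry): "timestamp host user command line".
SAMPLE_EVENTS = [
    '2026-04-28T09:00:01Z WS01 alice powershell.exe -NoP -Command "Set-MpPreference '
    '-DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true '
    '-DisableIOAVProtection $true -DisableScriptScanning $true"',
    "2026-04-28T09:00:02Z WS01 alice vssadmin delete shadows /all /quiet",
    "2026-04-28T09:00:03Z WS01 alice wevtutil cl Security",
    '2026-04-28T09:00:03Z WS01 alice wevtutil cl "Windows PowerShell"',
    "2026-04-28T09:00:04Z WS01 alice bcdedit /set {default} safeboot minimal",
    '2026-04-28T09:05:00Z WS01 alice cmd /c ping 127.0.0.1 -n 5 > nul & del /f /q '
    '"C:\\Users\\Public\\locker.exe"',
    # Benign look-alikes that must not fire:
    "2026-04-28T09:06:00Z WS01 bob wevtutil qe Application /c:5",
    "2026-04-28T09:06:10Z WS01 bob ping -n 4 fileserver01",
    '2026-04-28T09:06:20Z WS01 bob powershell.exe -Command "Get-MpPreference"',
]


def scan_events(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, event) for every rule that matches; several rules may fire on one line."""
    hits = []
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event):
                hits.append((name, event))
    return hits


def triggered_rules(events: List[str]) -> List[str]:
    """Distinct rule names that fired, sorted, for a quick 'which stages did we see' summary."""
    return sorted({name for name, _ in scan_events(events)})


if __name__ == "__main__":
    for name, event in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {event}")
```

Seeing several of these rules fire from the same host within a few minutes is the signal worth paging on; any one of them in isolation (an administrator clearing a log, for instance) is routine.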
ESXi Locker – The Hypervisor Ransomware
The ESXi variant of the VECT ransomware targets VMware ESXi hypervisors and employs geofencing and anti-debugging before disrupting various system services, wiping logs, and encrypting victim files, defaulting to the VMware File System mount point at /vmfs/volumes.
The VECT Ransomware is written in C++ and, with version 2.0 released in February 2026, VECT supports Windows and Linux hosts as well as ESXi hypervisors.
Here, an affiliate has the option to build three different payloads: Windows, Linux and ESXi (as well as a dedicated tool for data exfiltration, which is not yet available at the time of writing):
Figure 5: VECT builder panel.
Ransomware Cross-Platform Overview
As detailed in the following sections, VECT 2.0 targets Windows, Linux, and VMware ESXi through three distinct variants built on a shared codebase.
Lateral Movement
The locker contains multiple encoded remote-execution script templates enabling propagation to additional Windows hosts using operator-supplied credentials (--creds).
Property     | Windows       | Linux          | ESXi
-------------|---------------|----------------|-----
Architecture | PE64 (x86-64) | ELF64 (x86-64) |
This is incorrect as we confirmed that all three versions (Windows, Linux, ESXi) use the raw, unauthenticated ChaCha20 stream cipher in its IETF variant (RFC 8439) via libsodium’s crypto_stream_chacha20_ietf_xor.
The three discarded nonces are outputs of randombytes() (which on Windows internally resolves to SystemFunction036 / RtlGenRandom in advapi32.dll, forwarding to ProcessPrng in bcryptprimitives.dll; on Linux and ESXi it reads from the kernel CSPRNG via getrandom() or /dev/urandom through libsodium’s safe_read()), cryptographically unpredictable values that are never stored anywhere after the buffer is overwritten.
--no-stealth Disable self-delete
--force-safemode Force safemode boot
Figure 11: VECT 2.0 Windows version – command-line arguments processing.
Figure 12: VECT 2.0 Windows version – 48 threads for 8-CPU target.
Figure 13: The desktop wallpaper used by the VECT 2.0 Windows locker version.
The file selection logic skips the following to leave the operating system functional enough for the victim to access the payment portal:
Excluded directories: Windows, Windows.old, Boot, $Recycle.Bin, System Volume Information, Program Files, Program Files (x86), ProgramData
Process and Service Disruption
When running with elevated privileges, the locker stops services via the Windows Service Control Manager and terminates the following processes to release file handles before encryption begins: sql.exe, oracle.exe, mysqld.exe, excel.exe, winword.exe, outlook.exe, firefox.exe, thunderbird.exe.
When --force-safemode is active, the locker executes bcdedit /set {default} safeboot minimal to configure the next boot into minimal safe mode, then writes its own executable path into the Windows registry under the safe-boot service load path with value "Service".
Methods include: admin share file copy, Windows Credential Manager storage via cmdkey, WMI execution, DCOM/MMC application instantiation, remote scheduled task creation, remote service installation via sc.exe, and PowerShell remoting.
Host discovery combines Windows domain enumeration with a local subnet sweep using network adapter information.
Anti-Analysis
The Windows variant implements three layered analyst-environment detection mechanisms.
An example XOR-based string decryption (Windows locker).
Kernel debug-object query
The Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime, avoiding static import detection, and is queried for the ProcessDebugObjectHandle information class.
IOCs
SHA-256                                                          | VECT Version
-----------------------------------------------------------------|-------------
a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2 | ESXi
58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd | ESXi
e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06 | Linux
8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d | Windows
9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f | Windows
e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a | Windows
Appendix
Analysis tools detected by Windows locker:
ollydbg.exe
x64dbg.exe
x32dbg.exe
windbg.exe
x96dbg.exe
ida.exe
ida64.exe
idag.exe
idag64.exe
idaw.exe
idaw64.exe
idaq.exe
idaq64.exe
immunitydebugger.exe
ImportREC.exe
MegaDumper.exe
scylla.exe
scylla_x64.exe
scylla_x86.exe
protection_id.exe
reshacker.exe
ResourceHacker.exe
processhacker.exe
procexp.exe
procexp64.exe
procmon.exe
procmon64.exe
autoruns.exe
autorunsc.exe
filemon.exe
regmon.exe
wireshark.exe
dumpcap.exe
hookexplorer.exe
PETools.exe
LordPE.exe
SysInspector.exe
proc_analyzer.exe
sysAnalyzer.exe
sniff_hit.exe
joeboxcontrol.exe
joeboxserver.exe
fiddler.exe
httpdebugger.exe
Services targeted by Linux/ESXi locker:
acronis
acronis_agent
aide
amanda
avast
avg
BackupExecAgent
bareos-fd
bitdefender
borg
carbonblack
cassandra
cb-sensor
chkrootkit
clamav
clamav-daemon
clamav-freshclam
clamd
cockroach
consul
couchdb
cylance
eset
etcd
falcon-sensor
freshclam
influxdb
kaspersky
kvm
libvirtd
lynis
mariadb
mariadbd
mcafee
memcached
mongod
mongodb
mysql
mysqld
neo4j
ossec
postgres
postgresql
qemu
rclone
rdiff-backup
redis
redis-server
restic
rkhunter
rsnapshot
sentinelone
sophos
symantec
syncthing
tripwire
vboxadd
VBoxClient
vboxdrv
VBoxHeadless
vboxservice
VBoxService
veeam
VeeamDeploymentSvc
virt-install
virt-manager
vmware
vmware-authd
vmware-hostd
vmware-rawdiskCreator
vmware-tray
vmware-usbarbitrator
vmware-user
vmware-vmx
vmware-vprobe
wazuh
wazuh-agent
xen
xenconsoled
xend
xenstored
Logs targeted by Linux/ESXi locker:
Log files: /var/log/syslog, /var/log/messages, /var/log/debug, /var/log/secure, /var/log/auth.log, /var/log/kern.log, /var/log/daemon.log, /var/log/user.log, /var/log/mail.log, /var/log/mail.err, /var/log/cron.log, /var/log/boot.log, /var/log/dmesg, /var/log/faillog, /var/log/lastlog, /var/log/tallylog, /var/log/wtmp, /var/log/btmp, /var/log/utmp, /var/run/utmp
Rotate logs (Wildcards): /var/log/syslog.*
The Linux locker, just like its ESXi counterpart, supports the --spread SSH lateral movement functionality.
The same goes for the Linux variant we describe further below.
File                            | Purpose
--------------------------------|------------------------------------------------------
/issue                          | Pre-login system banner
/etc/issue.net                  | Network login banner
/etc/profile.d/vector_notice.sh | Shell script displaying the note, run on shell login
Linux Locker
The Linux version is built on the same codebase as the ESXi and implements a subset of its functionality.
This becomes apparent when comparing the execution flow of the main functions side-by-side:
Figure 20: Execution flow ESXi locker (left) vs. Linux locker (right).
The Linux version also has another oversight in the implementation of the encryption.
CPR’s analysis of an older ESXi variant identified in the wild prior to the 2.0 release confirms the identical four-chunk loop, quarter-offset calculation, shared nonce buffer, and single EOF nonce write – unchanged from the operator’s first publicly observed deployment through every known release.
The nonce-handling bug is identical across all three platform variants and, as confirmed through analysis of an earlier variant identified in the wild prior to the VECT 2.0 release, has been present since the operator’s first publicly observed deployment.
Because ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone, including the ransomware operator, who cannot provide a working decryption tool even after ransom payment.
The on-disk format contains only raw ciphertext followed by a 12-byte nonce – no MAC, no integrity protection, no authenticated encryption of any kind.
Figure 6: VECT’s per-chunk encryption helper – 12-byte nonce is generated by randombytes() and passed directly into crypto_stream_chacha20_ietf_xor.
For a small file, one 12-byte nonce is generated, used to encrypt the full file in-place, and appended to the end of the file. The resulting on-disk layout is:
[ ChaCha20-IETF ciphertext - full file ][ nonce - 12 bytes ]
For a large file, the malware encrypts four independent chunks using four freshly generated random 12-byte nonces, but appends only the final nonce to the specific encrypted file on disk. The per-chunk encryption helper is called once per iteration and on every call it generates a fresh cryptographically random 12-byte nonce via libsodium’s randombytes(), writing it into a single shared output buffer passed by the caller.
In each case, the per-chunk encryption helper generates a fresh random nonce on every call and writes it into the same caller-supplied 12-byte buffer; all four iterations of the loop share this buffer; and a single 12-byte write to the end of the file follows the loop.
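Two properties of this on-disk format are worth seeing concretely: the ciphertext cannot be reversed with the key alone, only with the exact 12-byte nonce that was used, and, because there is no Poly1305 tag, a modified ciphertext decrypts silently to modified plaintext. The following Python is an added example, not code from the report, from libsodium or from the malware. It carries a dependency-free ChaCha20-IETF (RFC 8439) so it runs offline, parses the documented small-file layout [ciphertext][nonce], and demonstrates both properties; the layout helper that builds sample blobs is this example's own and exists only to produce test input, and the counter starts at 0 as it does in libsodium's crypto_stream_chacha20_ietf_xor.

```python
import struct
from typing import Tuple

MASK32 = 0xFFFFFFFF
KEY_SIZE, NONCE_SIZE = 32, 12   # as documented: 32-byte key, 12-byte (96-bit) IETF nonce


def _rotl32(v: int, c: int) -> int:
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 block function: 16-word state = constants | key | 32-bit counter | 96-bit nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    working = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & MASK32 for w, s in zip(working, state)))


def chacha20_ietf_xor(data: bytes, key: bytes, nonce: bytes, counter: int = 0) -> bytes:
    """XOR data with the ChaCha20-IETF keystream. Encryption and decryption are the same
    operation; libsodium's crypto_stream_chacha20_ietf_xor starts the block counter at 0."""
    if len(key) != KEY_SIZE or len(nonce) != NONCE_SIZE:
        raise ValueError("ChaCha20-IETF needs a 32-byte key and a 12-byte nonce")
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, (counter + i // 64) & MASK32, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], keystream))
    return bytes(out)


def build_small_file_layout(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Example-only helper producing the documented layout: [ciphertext - full file][nonce - 12 bytes]."""
    return chacha20_ietf_xor(plaintext, key, nonce) + nonce


def split_small_file_layout(blob: bytes) -> Tuple[bytes, bytes]:
    """Parse that layout back into (ciphertext, nonce); there is no tag or header to verify."""
    if len(blob) < NONCE_SIZE:
        raise ValueError("blob shorter than the trailing nonce")
    return blob[:-NONCE_SIZE], blob[-NONCE_SIZE:]


def recover_small_file(blob: bytes, key: bytes) -> bytes:
    ciphertext, nonce = split_small_file_layout(blob)
    return chacha20_ietf_xor(ciphertext, key, nonce)


def nonce_dependence(plaintext: bytes, key: bytes) -> Tuple[bool, bool]:
    """Same key, the right nonce vs. a nonce differing in one byte: only the exact nonce reverses the data."""
    right, wrong = bytes(12), bytes(11) + b"\x01"
    ciphertext, _ = split_small_file_layout(build_small_file_layout(plaintext, key, right))
    return (chacha20_ietf_xor(ciphertext, key, right) == plaintext,
            chacha20_ietf_xor(ciphertext, key, wrong) == plaintext)


def malleability(plaintext: bytes, key: bytes, position: int, mask: int) -> bytes:
    """With no Poly1305 tag, XORing a ciphertext byte silently XORs the same plaintext byte."""
    blob = bytearray(build_small_file_layout(plaintext, key, bytes(12)))
    blob[position] ^= mask
    return recover_small_file(bytes(blob), key)


if __name__ == "__main__":
    demo_key = bytes(range(32))               # constructed key, not a recovered one
    print(nonce_dependence(b"quarterly-report", demo_key))           # (True, False)
    print(malleability(b"hello world", demo_key, 0, ord("h") ^ ord("j")))  # b'jello world'
```

The nonce_dependence result is the whole large-file story in miniature: for three of the four chunks the "right" nonce was overwritten in the shared buffer before it was ever written out, so the decryption side is permanently in the "wrong nonce" case. The malleability result is why the correction above matters for reporting: calling this ChaCha20-Poly1305 would imply a 16-byte tag that rejects tampering, and there is none.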
Metrics
data_breach
64
Mb
<dir> Target directory (default: /vmfs/volumes)
--spread Enable SSH lateral movement
--fast Fast mode: encrypt only 1MB
--medium Medium mode: encrypt 4 parts (64MB each)
--secure Secure mode: encrypt 100% (default)
--no-kill-vms Don't kill running VMs (encrypt only)
--verbose
Metrics
data_breach
131,072
Bytes
A critical flaw in the encryption implementation, identical across all three platform variants (
Windows
,
Linux
,
ESXi
), discards three of four decryption
nonces
for every file above
131,072 bytes
(
128 KB
).
Toolchain
MinGW-w64 / C++
GCC / C++
GCC / C++
Crypto library
libsodium (static)
libsodium (static)
libsodium (static)
Cipher
ChaCha20-IETF (RFC 8439)
ChaCha20-IETF (RFC 8439)
ChaCha20-IETF (RFC 8439)
Key size
32 bytes
32 bytes
32 bytes
Nonce size
12 bytes
12 bytes
12 bytes
Small file threshold
131,072 bytes
131,072 bytes
131,072 bytes
Large file chunks
4
4
4
Chunk offset formula
file_size / 4 × index
file_size / 4 × index
file_size / 4 × index
Max chunk size
32,768 bytes
32,768 bytes
32,768 bytes
Nonces written to disk
1 (last chunk only)
1 (last chunk only)
1 (last chunk only)
Small File Processing
For files
not exceeding
131,072 bytes
(
128 KB
), the entire content is encrypted in a single pass.
Large File Processing – The Flaw
For files exceeding 131,072 bytes (128 KB), VECT divides the file into four chunks at quarter-file offsets derived from the file size:
- Quarter size: file size divided by 4
- Chunk start offsets: 0, ¼, ½, ¾ of the file
- Chunk size per offset: up to 32,768 bytes (32 KB), or the remaining file length if shorter
The encryption loop processes each chunk in sequence.
Overview
All three VECT 2.0 variants share a critical implementation flaw that causes any file larger than 131,072 bytes (128 KB, smaller even than a simple document) to be permanently and irrecoverably destroyed rather than encrypted for later decryption.
The nonce flaw applies identically: files larger than 131,072 bytes (128 KB) lose the first three chunk nonces permanently, so large files are destroyed rather than encrypted.
Every execution, regardless of operator-selected flag, applies the same hardcoded thresholds: a 131,072-byte large-file boundary and a 32,768-byte maximum chunk size.
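To make the chunk layout and the nonce loss concrete, here is an added Python model (written for this page; it is neither VECT's code nor from the Zero Day Fans write-up) that reproduces the published thresholds and the single-shared-buffer nonce handling, and reports how much of a large file is left untouched, is still decryptable with the key, or is destroyed. Nonces are constructed random bytes; no key or cipher is involved.

```python
import secrets

# Hardcoded thresholds reported for all three VECT 2.0 variants.
LARGE_FILE_THRESHOLD = 131_072   # files above this take the four-chunk path
MAX_CHUNK_SIZE = 32_768          # ceiling per chunk
CHUNK_COUNT = 4
NONCE_SIZE = 12


def chunk_layout(file_size: int) -> list:
    """(offset, length) of every region the encryption loop touches.

    Large files: offset = file_size / 4 * index, length = min(32,768,
    remaining length). Small files: one pass over the whole content.
    """
    if file_size <= LARGE_FILE_THRESHOLD:
        return [(0, file_size)]
    quarter = file_size // CHUNK_COUNT
    layout = []
    for index in range(CHUNK_COUNT):
        offset = quarter * index
        layout.append((offset, min(MAX_CHUNK_SIZE, file_size - offset)))
    return layout


def surviving_nonces(file_size: int) -> list:
    """Model the nonce handling: each iteration writes a fresh random nonce
    into ONE shared 12-byte buffer, and the buffer hits disk once, after the
    loop. Returns, per chunk, the nonce still recoverable from the file.
    Nonces are constructed random bytes; no key or cipher is involved."""
    shared_buffer = bytearray(NONCE_SIZE)
    chunks = len(chunk_layout(file_size))
    for _ in range(chunks):
        shared_buffer[:] = secrets.token_bytes(NONCE_SIZE)  # clobbers the previous one
    on_disk = bytes(shared_buffer)                          # the single trailing write
    return [None] * (chunks - 1) + [on_disk]                # only the last survives


def damage_report(file_size: int) -> dict:
    """Bytes untouched, decryptable (nonce on disk) and destroyed (nonce lost)."""
    layout = chunk_layout(file_size)
    nonces = surviving_nonces(file_size)
    decryptable = sum(n for (_, n), nonce in zip(layout, nonces) if nonce is not None)
    destroyed = sum(n for (_, n), nonce in zip(layout, nonces) if nonce is None)
    return {"untouched": file_size - decryptable - destroyed,
            "decryptable": decryptable, "destroyed": destroyed}
```

For recovery triage this gives the exact byte ranges worth carving from a hit file: everything outside the four 32 KB chunks is plaintext, only the last chunk is decryptable, and the first three chunks are gone regardless of whether the key is obtained.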
The ChaCha20-Poly1305 AEAD construction appends a 16-byte Poly1305 authentication tag to each ciphertext.
Receive a sample decryption of up to 4 small files
Intelligence Sources
Zero Day Fans, 2026-04-28: "VECT: Ransomware by design, Wiper by accident"
Last Updated: 2026-06-29T06:21