'VECT is being marketed as ransomware...but it functions as a data destruction tool': Experts warn this "broken" ransomware is now acting as a data wiper, so protect your files now

News
By published

New ransomware variant destroys everything bigger than 128kb

Ransomware
(Image credit: Pixabay)
  • A new ransomware variant was found to function as a destructive data wiper
  • Flawed nonce handling causes files larger than 128 KB to be permanently lost
  • Despite being marketed as RaaS, victims cannot recover data even if they pay

VECT 2.0, a relatively new ransomware variant that’s being offered for sale on dark web forums, is actually broken and works as a data wiper instead of an encryptor, researchers are warning.

In a new in-depth report, cybersecurity outfit Check Point explained that the problem is in the way VECT 2.0 handles “nonces” - random values needed to correctly encrypt, and later decrypt the data. Apparently, the malware splits large files into chunks, but instead of using new memory space for each nonce, it reuses the same, thus overwriting the previous one.

In other words, it loses the “keys” for most parts of the file as it goes along. Only the last part of the file can be recovered, while the rest is permanently destroyed. So even if the victims decide to pay the ransom demand, they still won’t be able to recover their files, nor would the threat actors be able to help with that even if they wanted to.

Article continues below

Teaming up with TeamPCP

To make matters worse, what the encryptor considers a “large file” is also wrong. Check Point says that everything above 128kb, which is laughably small by today’s standards, will end up being wiped.

“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point warned.

VECT has reportedly been advertising itself on dark web forums lately, offering a Ransomware-as-a-Service model and inviting affiliates and teaming up with TeamPCP, a relatively young threat actor that has already made a name for itself with successful attacks against Trivy, LiteLLM, Telnyx, and the European Commission.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.