Check Point Research has analysed VECT 2.0, a ransomware-as-a-service that targets Windows, Linux and ESXi from a shared codebase and whose professional facade belies a flawed implementation.
The study finds that VECT uses ChaCha20-IETF (RFC 8439) without authentication, not ChaCha20-Poly1305 as some reports claimed, and that a critical flaw causes large files (over 128 KB) to be destroyed rather than left recoverable: only the final 12-byte nonce is stored on disk, while the first three nonces are discarded.
For large files, the four chunks are encrypted with four distinct nonces but only the last nonce is preserved, so the first three chunks cannot be decrypted and most large files are effectively unrecoverable. The research notes that the flags advertised for different encryption speeds are parsed but ignored, and that all three platform variants share the same flaw and the same 131,072-byte threshold.
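The nonce loss described above can be reproduced in memory to show why even the correct key recovers only the last chunk. This is an added example, not code from Check Point or from VECT; the near-equal chunk split, the 12-byte trailer position and all function names are assumptions, and ChaCha20 is written out in pure Python so the block runs offline.

```python
import os
import struct

THRESHOLD = 131_072  # bytes; large-file threshold reported in the analysis
_IDX = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
        (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _qr(s, a, b, c, d):  # ChaCha quarter round on state words a, b, c, d
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        v = s[z] ^ s[x]
        s[z] = ((v << r) & 0xFFFFFFFF) | (v >> (32 - r))

def chacha20_xor(key, nonce, data, counter=0):
    """ChaCha20-IETF (RFC 8439): 32-byte key, 12-byte nonce, no authentication tag."""
    head = struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(head + (counter & 0xFFFFFFFF,) + struct.unpack("<3I", nonce))
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            for idx in _IDX:
                _qr(s, *idx)
        ks = struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(s, init)))
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
        counter += 1
    return bytes(out)

def split4(buf):
    q = -(-len(buf) // 4)  # assumption: four near-equal chunks
    return [buf[i:i + q] for i in range(0, len(buf), q)]

def encrypt_large_file_model(key, plaintext):
    """Model of the reported flaw: one nonce per chunk, only the last nonce is kept."""
    if len(plaintext) <= THRESHOLD:
        raise ValueError("model covers only the large-file path")
    pairs = [(os.urandom(12), c) for c in split4(plaintext)]  # fresh nonce per chunk
    ct = b"".join(chacha20_xor(key, n, c) for n, c in pairs)
    return ct + pairs[-1][0]  # assumption: surviving nonce stored as a 12-byte trailer

def recover_with_key(key, blob):
    """Best case for the victim: correct key plus the single stored nonce."""
    ct, nonce = blob[:-12], blob[-12:]
    return [chacha20_xor(key, nonce, c) for c in split4(ct)]

if __name__ == "__main__":
    key, data = os.urandom(32), bytes(range(256)) * 516  # constructed 132,096-byte sample
    got = recover_with_key(key, encrypt_large_file_model(key, data))
    print([g == w for g, w in zip(got, split4(data))])
```

Because the cipher is unauthenticated, the three failed chunks decrypt to garbage without any error, so recovery tooling has to validate content rather than rely on a tag check.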
VECT's operators have built partnerships, including with BreachForums and TeamPCP, and announced cloud lockers, while the analysis highlights a lack of cryptographic maturity despite an affiliate-based distribution model. The article was published on 28 April 2026.