thehackernews.com 4/28/2026, 3:01:20 PM

VECT 2.0 Ransomware Functions as Wiper, Destroys Large Files


Threat hunters flag VECT 2.0 as operating more like a wiper than ransomware because of a critical flaw in its encryption across Windows, Linux and ESXi that makes recovery impossible, even for the attackers. The malware permanently destroys large files over 131KB: it encrypts them in four chunks with four random 12-byte nonces, discards the first three nonces and leaves only the final nonce on disk, meaning the vast majority of large files are unrecoverable.

Check Point Research notes that the ransomware’s decryption keys are discarded during encryption, so paying a ransom cannot restore data, and emphasizes resilience measures such as offline backups and tested recovery procedures. The operators market VECT 2.0 as ransomware but, in practice, it functions as a data destruction tool for large files, according to Check Point Research.
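The nonce handling described above, as an added example that is not from the article or from Check Point Research: it runs the four-chunk scheme over an in-memory buffer and shows that the correct key plus the one surviving nonce decrypts only the final chunk. The SHA-256 counter-mode keystream, the equal contiguous chunk layout and all function names are assumptions; the article does not name the cipher or the chunk offsets.

```python
import hashlib
import secrets

NONCE_LEN = 12  # nonce size stated in the article
CHUNKS = 4      # number of chunks stated in the article


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); not the malware's cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def chunk_bounds(total: int, index: int):
    """Assumed layout: four equal contiguous chunks, last one takes the remainder."""
    size = total // CHUNKS
    end = (index + 1) * size if index < CHUNKS - 1 else total
    return index * size, end


def flawed_encrypt(plaintext: bytes, key: bytes):
    """Encrypt each chunk under a fresh nonce but keep only the last nonce."""
    ciphertext, nonce = b"", b""
    for i in range(CHUNKS):
        start, end = chunk_bounds(len(plaintext), i)
        nonce = secrets.token_bytes(NONCE_LEN)  # overwrites the previous nonce
        ciphertext += keystream_xor(key, nonce, plaintext[start:end])
    return ciphertext, nonce  # nonces for chunks 0..2 no longer exist anywhere


def recoverable_chunks(ciphertext: bytes, key: bytes, stored_nonce: bytes, original: bytes):
    """Decrypt every chunk with the correct key and the single stored nonce."""
    result = []
    for i in range(CHUNKS):
        start, end = chunk_bounds(len(original), i)
        candidate = keystream_xor(key, stored_nonce, ciphertext[start:end])
        result.append(candidate == original[start:end])
    return result


def demo():
    key = secrets.token_bytes(32)
    data = bytes(range(256)) * 1024  # constructed 256 KiB sample, above the 131KB mark
    ciphertext, last_nonce = flawed_encrypt(data, key)
    return recoverable_chunks(ciphertext, key, last_nonce, data)
```

Each lost nonce is 96 bits of independent randomness, so holding the key does not make the first three chunks searchable; restoring them depends on backups rather than on a decryptor.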

The operation runs as ransomware‑as‑a‑service (RaaS) with an affiliate programme launched in December 2025 and has formed partnerships with TeamPCP to broaden distribution; at least two victims are listed on its data leak site. According to analysis by the Data Security Council of India (DSCI), new affiliates face a $250 entry fee paid in Monero, with the CIS exclusion indicating targeted recruitment from the CIS region.


Article by CyberSIXT
