A critical flaw in the encryption implementation of VECT 2.0 ransomware causes it to wipe large compromised files instead of merely encrypting them, making recovery impossible for organisations and even for the attackers. The bug, described by researchers as an unintended coding error, was discovered by Check Point Research while inspecting the latest version of the malware.
The flaw discards three of four decryption nonces and uses a raw ChaCha20-IETF cipher with no authentication, rather than ChaCha20-Poly1305 AEAD as claimed. This leaves no integrity protection and effectively turns Vect into a data wiper for files including VM disks, databases, documents and backups.
The issue affects all three targeted platforms (Windows, Linux and ESXi) and is present across publicly available variants, with a consistent four-chunk design and a 131,072-byte threshold above which files are permanently destroyed. Vect was first seen in December 2025 and was described as a ransomware-as-a-service operation, with Check Point noting a partnership with BreachForums and TeamPCP that they said is in effect as of April 2026.
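The effect of the discarded nonces can be modelled in a few lines. The Python below is an added example, not code from Check Point or from the malware: it implements the raw ChaCha20-IETF keystream from RFC 8439, encrypts four chunks under four nonces, keeps only one nonce, and then tries to decrypt with the correct key. Chunk sizes, which nonce survives, and all function names are assumptions; the sample data is constructed.

```python
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439, section 2.1)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_xor(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF: 32-byte key, 12-byte nonce, no authentication tag."""
    fixed = struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
    n = struct.unpack("<3I", nonce)
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(fixed + (counter & MASK,) + n)
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13)
            _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
            _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12)
            _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
        ks = struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))
        out += bytes(p ^ q for p, q in zip(data[off:off + 64], ks))
        counter += 1
    return bytes(out)

def recoverable_chunks(plaintext, chunks=4):
    """Encrypt each chunk under a fresh nonce, keep one nonce, try to decrypt."""
    key = os.urandom(32)
    size = len(plaintext) // chunks
    parts = [plaintext[i * size:(i + 1) * size] for i in range(chunks)]
    nonces = [os.urandom(12) for _ in parts]
    sealed = [chacha20_xor(key, n, p) for n, p in zip(nonces, parts)]
    kept = nonces[-1]  # assumption: the page does not say which nonce survives
    # Even with the correct key, only the chunk whose nonce was kept decrypts.
    # The other calls raise no error: without a Poly1305 tag, garbage is accepted.
    restored = [chacha20_xor(key, kept, c) for c in sealed]
    return [r == p for r, p in zip(restored, parts)]

if __name__ == "__main__":
    sample = b"constructed sample data " * 64  # constructed, 1536 bytes
    print(recoverable_chunks(sample))
```

Holding the key does not help for the chunks whose nonces were discarded, which is why neither the victim nor the operator can restore them.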
According to Check Point researchers, the flaws undermine the ransomware’s claimed multi-platform capabilities and affiliate programme, and reveal that in practice it is a much stronger data-destructive threat.