A significant flaw has been discovered in the Vect 2.0 ransomware, which causes it to wipe large files instead of encrypting them, rendering recovery impossible. This flaw was identified by Check Point Research during an investigation into the latest version of the ransomware. Vect is a ransomware-as-a-service (RaaS) program that has been active since December 2025 and has gained notoriety through partnerships with other cybercriminal groups.
Vect 2.0 was launched in February 2026 and is written in C++, supporting Windows, Linux, and VMware ESXi systems. The ransomware was allegedly built from scratch and includes features such as cloud lockers targeting various cloud storage services. However, the encryption implementation contains a critical flaw that discards three out of four decryption nonces, leading to the permanent destruction of files larger than 128 KB.
The encryption system uses raw ChaCha20-IETF without authentication, contrary to the advertised ChaCha20-Poly1305 AEAD, so the ciphertext carries no integrity protection. Together with the discarded nonces, this effectively turns Vect into a wiper for files containing important data, including virtual machine disks, databases, and backups. The flaw is present across all publicly available versions of Vect and affects all targeted platforms.
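The following added example (not code from Check Point's report or from Vect) models why a lost nonce makes raw ChaCha20-IETF output unrecoverable even when the key is known, and why the missing Poly1305 tag means a failed decryption raises no error. The four-chunk layout, the choice of which nonce survives, and the 4 KiB sample are assumptions made for illustration; the 128 KB threshold is not modelled.

```python
import os
import struct

MASK = 0xFFFFFFFF
QUARTER_ROUNDS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]
CHUNKS = 4  # assumption: one nonce per chunk, four chunks per large file


def _quarter_round(s, a, b, c, d):
    for rot in (16, 12, 8, 7):
        s[a] = (s[a] + s[b]) & MASK
        x = s[d] ^ s[a]
        s[d] = ((x << rot) | (x >> (32 - rot))) & MASK
        a, b, c, d = c, d, a, b  # alternate the (a,b,d) and (c,d,b) steps


def chacha20_ietf(key, nonce, data, counter=0):
    """Raw ChaCha20-IETF (RFC 8439): 32-byte key, 12-byte nonce, no Poly1305 tag."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
                    + (counter + off // 64,) + struct.unpack("<3I", nonce))
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            for idx in QUARTER_ROUNDS:
                _quarter_round(s, *idx)
        stream = struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], stream))
    return bytes(out)


def encrypt_with_nonce_loss(key, plaintext):
    """Model of the flaw: every chunk gets a fresh nonce, only the last survives."""
    size = max(1, -(-len(plaintext) // CHUNKS))
    nonce, chunks = b"", []
    for i in range(0, len(plaintext), size):
        nonce = os.urandom(12)  # previous nonce is overwritten, never stored
        chunks.append(chacha20_ietf(key, nonce, plaintext[i:i + size]))
    return chunks, nonce


def recoverable_chunks(key, plaintext):
    """Decrypt every chunk with the one stored nonce; report which ones match."""
    chunks, nonce = encrypt_with_nonce_loss(key, plaintext)
    size = max(1, -(-len(plaintext) // CHUNKS))
    plain = [chacha20_ietf(key, nonce, c) for c in chunks]  # no tag, so no error
    return [p == plaintext[i * size:(i + 1) * size] for i, p in enumerate(plain)]


SAMPLE = bytes(range(256)) * 16  # constructed 4 KiB stand-in for a large file
if __name__ == "__main__":
    print(recoverable_chunks(os.urandom(32), SAMPLE))  # [False, False, False, True]
```

Recovering the other chunks would mean guessing a 96-bit nonce for each one, which is why restoring from backups, not a decryptor, is the only path for affected files.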
Check Point Research also identified several additional bugs and design failures in Vect 2.0, such as ineffective string obfuscation and a thread scheduler that degrades performance. Despite its ambitious threat profile and multi-platform coverage, the technical implementation of Vect 2.0 falls short of its claims.
Organizations using Windows, Linux, or VMware ESXi systems should ensure their security measures are up to date to protect against ransomware threats. It is advisable to implement additional protective measures and regularly back up critical data to mitigate the impact of potential ransomware attacks.
Source: https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/



