

Ethical Hacking News

The Catastrophic Consequences of Broken VECT 2.0 Ransomware: A Data Wiper's Unintended Devastation



The VECT 2.0 ransomware has been found to have a critical flaw in its encryption mechanism, which transforms it into a data wiper capable of irreparably destroying large files across various operating systems.

  • The VECT 2.0 ransomware has a flaw in its encryption mechanism that turns it into a data wiper for large files across every operating system it targets.
  • The issue lies in how the ransomware handles encryption nonces, the unique per-encryption values that must never be reused with the same key.
  • Only about 25% of each affected file remains recoverable; the rest cannot be decrypted because the nonces were lost.
  • The flaw has significant implications for organizations and individuals who rely on their data being intact, and can be catastrophic in most environments.
  • The data-wiping behavior applies across all variants of VECT 2.0, including Windows, Linux, and ESXi.



    The recent emergence of the VECT 2.0 ransomware has brought to light a devastating flaw in its encryption mechanism, which transforms it into a data wiper capable of irreparably destroying large files across various operating systems.



    According to researchers, the issue lies in the way the ransomware handles encryption nonces, the unique values a cipher needs for every encryption and must never reuse with the same key. The VECT 2.0 code uses a single memory buffer for nonce output across all chunk encryptions, so each new nonce overwrites the previous one.



    Once all chunks are processed, only the last nonce generated remains in memory, and that is the one written to disk. As a result, only about 25% of the encrypted file remains recoverable; the remaining portions cannot be decrypted because their nonces are lost.
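To make the failure concrete, here is an added Python model of the nonce-buffer bug described above. It is not VECT code: it uses a SHA-256-based toy keystream in place of the malware's cipher, the 12-byte nonce length is an assumption, and the four-chunk split and 128 KB threshold come from the article.

```python
import hashlib
import os

CHUNKS = 4                          # page: only the last of four parts survives
LARGE_FILE_THRESHOLD = 128 * 1024   # page: files above 128 KB take the chunked path
NONCE_LEN = 12                      # assumption: 12-byte nonces

def is_chunk_encrypted(size: int) -> bool:
    """Files above the 128 KB boundary are the ones affected by the flaw."""
    return size > LARGE_FILE_THRESHOLD

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for a stream cipher: SHA-256(key || nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def split_chunks(data: bytes, n: int) -> list:
    size = -(-len(data) // n)       # ceiling division so every byte lands in a chunk
    return [data[i * size:(i + 1) * size] for i in range(n)]

def encrypt_chunked(key: bytes, plaintext: bytes, shared_nonce_buffer: bool):
    """Encrypt each chunk under a fresh random nonce.
    shared_nonce_buffer=True models the VECT 2.0 bug: every nonce is written into
    the same buffer, so only the last one is left to be stored with the file."""
    ciphertext, nonces, buf = [], [], bytearray(NONCE_LEN)
    for chunk in split_chunks(plaintext, CHUNKS):
        nonce = os.urandom(NONCE_LEN)
        if shared_nonce_buffer:
            buf[:] = nonce          # overwrites the previous chunk's nonce
        else:
            nonces.append(nonce)    # correct handling: keep one nonce per chunk
        ciphertext.append(xor(chunk, keystream(key, nonce, len(chunk))))
    if shared_nonce_buffer:
        nonces = [bytes(buf)] * CHUNKS   # the one surviving nonce is all a decryptor gets
    return ciphertext, nonces

def decrypt_chunked(key: bytes, ciphertext: list, nonces: list) -> bytes:
    return b"".join(xor(c, keystream(key, n, len(c))) for c, n in zip(ciphertext, nonces))

def recoverable_fraction(plaintext: bytes, recovered: bytes) -> float:
    """Fraction of chunks that decrypted back to their original bytes."""
    pairs = zip(split_chunks(plaintext, CHUNKS), split_chunks(recovered, CHUNKS))
    return sum(p == r for p, r in pairs) / CHUNKS
```

Running the buggy path on a constructed 200 KB input and decrypting with the stored nonce recovers exactly the last quarter, which is the outcome the researchers describe.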



    This flaw has significant implications for organizations and individuals who rely on their data being intact. Since most valuable enterprise files, including VM disks, database files, and backups, are above 128 KB, VECT's impact as a data wiper can be catastrophic in most environments. In practice, even routine documents, spreadsheets, and mailboxes exceed this boundary.



    Researchers at Check Point warn that the same nonce-handling flaw is present across all variants of the VECT 2.0 ransomware, including Windows, Linux, and ESXi, which means the data-wiping behavior applies to all cases.



    The VECT 2.0 ransom note, which was discovered on one of the latest BreachForums iterations, invites registered users to become affiliates and distribute access keys via private messages. The threat group behind this ransomware, TeamPCP, has been linked to several high-profile supply-chain attacks in recent months.



    TeamPCP's partnership with VECT 2.0 aims to exploit victims of those supply-chain compromises by deploying ransomware payloads in their environments and conducting larger supply-chain attacks against other organizations.



    Check Point notes that since most valuable enterprise files are above 128KB, what the code classifies as a large file encompasses not just VM disks, databases, and backups but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary.






    As a result, the only portion of the file that is recoverable is the last 25%, with the previous three parts being impossible to decrypt due to lost nonces. Those lost nonces aren’t transmitted to the attacker either, so even if VECT operators wanted to decrypt the files for victims paying the ransom, they wouldn’t be able to.



    Check Point notes that, at a threshold of only 128 KB, smaller than a typical email attachment or office document, VECT 2.0's impact as a data wiper can be catastrophic in most environments, with only a small portion of each affected file recoverable.








    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Catastrophic-Consequences-of-Broken-VECT-20-Ransomware-A-Data-Wipers-Unintended-Devastation-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/broken-vect-20-ransomware-acts-as-a-data-wiper-for-large-files/

  • https://www.halcyon.ai/ransomware-alerts/emerging-ransomware-group-vect

  • https://tech.co/news/data-breaches-updated-list


  • Published: Tue Apr 28 16:55:02 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
