“…later decryption. The malware encrypts four independent chunks of each “large file” using four freshly generated random 12-byte nonces, but appends only the final nonce to the specific encrypted file on disk. The first three nonces, each required to decrypt its respective chu…”

T1486 Data Encrypted for Impact (99%)
“…span virtually everything from typical office documents, spreadsheets, and images to virtual machine disk images, database files, archives, and backups – precisely those most critical to business continuity and most targeted by ransomware operators. For this dominant file class, …”

T1486 Data Encrypted for Impact (99%)
“…features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all. Beyond the nonce flaw, CPR identified a pattern of incomplete implementation: advertised encryption modes that are parsed but never applied, string obfuscation …”

T1486 Data Encrypted for Impact (98%)
“…ransom notes are written to disk. The Linux locker, just like its ESXi counterpart, supports the --spread SSH lateral movement functionality. Due to the shared codebase, the locker also fails to save the first three nonces when encrypting large files, making full recovery of bi…”

T1486 Data Encrypted for Impact (98%)
“…you will receive decryption tool. Warning: - do not modify encrypted files - do not use third party software to restore files - do not reinstall system. If you violate these rules, your files will be permanently damaged. Files encrypted: [n] Total size: [size] bytes Unique i…”

T1486 Data Encrypted for Impact (98%)
“…5 MAC and no integrity protection. Advertised encryption speed modes are not implemented. The --fast, --medium, and --secure flags present across Linux and ESXi variants are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardles…”

T1486 Data Encrypted for Impact (97%)
“VECT: Ransomware by Design, Wiper by Accident. Key takeaways: Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform varian…”

T1486 Data Encrypted for Impact (96%)
“…decided to implement strings as stack strings. Some strings, most notably the different command line options, are additionally XORed with a single byte key: Command-line interface and SSH lateral movement. The following command line options are available: --path <dir> targ…”

T1486 Data Encrypted for Impact (96%)
“…pass. One 12-byte nonce is generated, used to encrypt the full file in-place, and appended to the end of the file. The resulting on-disk layout is: [ChaCha20-IETF ciphertext - full file] [nonce - 12 bytes]. For this size class, the format is internally consistent and …”

T1679 Selective Exclusion (95%)
“…minor edge case but a fundamental design error affecting virtually every file of consequence. At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups,…”

T1486 Data Encrypted for Impact (94%)
“…minor edge case but a fundamental design error affecting virtually every file of consequence. At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups,…”

T1486 Data Encrypted for Impact (93%)
“…20-IETF scheme described in the preceding section. The nonce flaw applies identically: files larger than 131,072 bytes (128 KB) lose the first three chunk nonces permanently, thus resulting in large file destruction rather than encryption. The encryption engine spawns wor…”

T1486 Data Encrypted for Impact (92%)
“…platform confirmation. The flaw is structurally identical across all three platform variants. In each case, the per-chunk encryption helper generates a fresh random nonce on every call and writes it into the same caller-supplied 12-byte buffer; all four iterations of the lo…”

T1486 Data Encrypted for Impact (91%)
“…this prelude, the actual encryption process is kicked off: if no path is supplied, the default path of /vmfs/volumes is used, which is the default VMware File System (VMFS) mount point for all datastores. In a multi-threaded process, each datastore is searched for files t…”

T1059.012 Hypervisor CLI (90%)
“…interfere with the process. It starts by disabling the ESXi firewall via the esxcli utility, as well as specific firewall rulesets and shutting down various ESXi health monitoring processes: afterwards, it proceeds with shutting down other services and processes, like databases,…”

T1486 Data Encrypted for Impact (90%)
“…PCP supply chain attacks: The VECT ransomware is written in C++ and, with version 2.0 released in February 2026, VECT supports Windows and Linux hosts as well as ESXi hypervisors. The group claims to have built all three lockers from scratch. Additionally, a forum post ment…”

T1486 Data Encrypted for Impact (90%)
“VECT 2.0 targets Windows, Linux, and VMware ESXi through three distinct variants built on a shared codebase. While platform-specific disruption logic differs, the core encryption engine is identical across all three, a design decision that ensures the flaw described in the nex…”

T1486 Data Encrypted for Impact (89%)
“…IDA. A process launched from any of these is treated as running under analysis. Kernel debug-object query: the Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime, avoiding static import detection, and queried for the ProcessDebugObjectHa…”

T1688 Safe Mode Boot (88%)
“…efi, bootmgfw.efi, bootsect.bak, boot.ini, ntldr. Excluded extensions: .exe, .dll, .sys. These represent the builder defaults; affiliates may configure additional exclusions at sample generation time. Process and service disruption: when running with elevated privileges, the lo…”

T1486 Data Encrypted for Impact (88%)
“…. This is a textbook mistake made by developers who read about parallelism but skipped the part about profiling. The fact that it is shipped in a supposedly operational ransomware tool speaks volumes about the maturity of whoever is behind this project. Ransom note and wallpaper …”

T1486 Data Encrypted for Impact (87%)
“…again, the thread count is chosen rather excessively, by multiplying the amount of CPU cores by 4, clamping the value between a minimum of 32 and a maximum of 256. By sharing a codebase with the other versions, see encryption process, is the same and contains the same flaw in its …”

T1685.006 Clear Linux or Mac System Logs (86%)
“…/log/messages.*, /var/log/auth.log.*, /var/log/auth.log*, /var/log/secure.*, /var/log/secure*, /var/log/kern.log.*, /var/log/*.gz, /var/log/*.1, /var/log/*.old, /var/log/cron*, /var/log/ufw.log*, /var/log/fi…”

T1490 Inhibit System Recovery (86%)
“VECT: Ransomware by Design, Wiper by Accident. Key takeaways: Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform varian…”

T1685.006 Clear Linux or Mac System Logs (84%)
“…s Appendix. Analysis tools detected by Windows locker: Services targeted by Linux/ESXi locker: Logs targeted by Linux/ESXi locker: Log files: /var/log/syslog, /var/log/messages, /var/log/debug, /var/log/secure, /var/log/auth.log, /var/log/k…”

T1486 Data Encrypted for Impact (82%)
“After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such a…”

T1564.006 Run Virtual Instance (78%)
“…PCP supply chain attacks: The VECT ransomware is written in C++ and, with version 2.0 released in February 2026, VECT supports Windows and Linux hosts as well as ESXi hypervisors. The group claims to have built all three lockers from scratch. Additionally, a forum post ment…”

T1654 Log Enumeration (77%)
“…s Appendix. Analysis tools detected by Windows locker: Services targeted by Linux/ESXi locker: Logs targeted by Linux/ESXi locker: Log files: /var/log/syslog, /var/log/messages, /var/log/debug, /var/log/secure, /var/log/auth.log, /var/log/k…”

T1685.006 Clear Linux or Mac System Logs (76%)
“…var/log/mysql/*, /var/log/postgresql/*, /var/log/mongodb/*, /var/log/redis/*, /var/log/docker/*, /var/log/containers/*, /var/log/pods/*, /var/log/journal/*, /run/log/journal/*, /tmp/*.log, /var/tmp/*.log shel…”

T1486 Data Encrypted for Impact (68%)
“…bsodium’s crypto_stream_chacha20_ietf_xor. The _ietf designation refers specifically to the standardized 96-bit (12-byte) nonce and 32-bit counter parameterization, distinct from Bernstein’s original 64-bit nonce form. The ChaCha20-Poly1305 AEAD construc…”

T1564.006 Run Virtual Instance (67%)
“…this prelude, the actual encryption process is kicked off: if no path is supplied, the default path of /vmfs/volumes is used, which is the default VMware File System (VMFS) mount point for all datastores. In a multi-threaded process, each datastore is searched for files t…”

T1679 Selective Exclusion (61%)
“…this prelude, the actual encryption process is kicked off: if no path is supplied, the default path of /vmfs/volumes is used, which is the default VMware File System (VMFS) mount point for all datastores. In a multi-threaded process, each datastore is searched for files t…”

T1491.001 Internal Defacement (56%)
“…. This is a textbook mistake made by developers who read about parallelism but skipped the part about profiling. The fact that it is shipped in a supposedly operational ransomware tool speaks volumes about the maturity of whoever is behind this project. Ransom note and wallpaper …”

T1195 Supply Chain Compromise (56%)
“After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such a…”

T1195.001 Compromise Software Dependencies and Development Tools (56%)
“After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such a…”

T1486 Data Encrypted for Impact (51%)
“…it is running in a CIS state, and if so, exits without encryption. The malware runs timedatectl and compares the time zones against a blacklist and checks the LANG and LC_ALL environment variables, validating that the country code does not match one of the excluded countries. B…”

T1564.006 Run Virtual Instance (49%)
“…IDA. A process launched from any of these is treated as running under analysis. Kernel debug-object query: the Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime, avoiding static import detection, and queried for the ProcessDebugObjectHa…”

T1679 Selective Exclusion (49%)
“VECT: Ransomware by Design, Wiper by Accident. Key takeaways: Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform varian…”

T1679 Selective Exclusion (49%)
“…IDA. A process launched from any of these is treated as running under analysis. Kernel debug-object query: the Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime, avoiding static import detection, and queried for the ProcessDebugObjectHa…”

T1055.001 Dynamic-link Library Injection (47%)
“…ities in this build. This is consistent with a conditional compilation flag that was left disabled at build time, and represents a meaningful gap: an analyst running this sample under any of the targeted tools will not trigger any evasive response. No code obfuscation is appli…”

T1675 ESXi Administration Command (45%)
“…interfere with the process. It starts by disabling the ESXi firewall via the esxcli utility, as well as specific firewall rulesets and shutting down various ESXi health monitoring processes: afterwards, it proceeds with shutting down other services and processes, like databases,…”

T1564.006 Run Virtual Instance (41%)
“…5 MAC and no integrity protection. Advertised encryption speed modes are not implemented. The --fast, --medium, and --secure flags present across Linux and ESXi variants are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardles…”

T1485 Data Destruction (35%)
“VECT: Ransomware by Design, Wiper by Accident. Key takeaways: Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform varian…”

T1679 Selective Exclusion (34%)
“…span virtually everything from typical office documents, spreadsheets, and images to virtual machine disk images, database files, archives, and backups – precisely those most critical to business continuity and most targeted by ransomware operators. For this dominant file class, …”

T1564.006 Run Virtual Instance (33%)
“VECT: Ransomware by Design, Wiper by Accident. Key takeaways: Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform varian…”

T1080 Taint Shared Content (33%)
“…features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all. Beyond the nonce flaw, CPR identified a pattern of incomplete implementation: advertised encryption modes that are parsed but never applied, string obfuscation …”

T1080 Taint Shared Content (32%)
“…span virtually everything from typical office documents, spreadsheets, and images to virtual machine disk images, database files, archives, and backups – precisely those most critical to business continuity and most targeted by ransomware operators. For this dominant file class, …”

T1486 Data Encrypted for Impact (31%)
“######### =============== Dear management, all of your files have been encrypted with ChaCha20 which is an unbreakable encryption algorithm. Sadly, this is not the only bad news for you. We have also exfiltrated your sensitive data, consisting mostly of data…”

T1059.012 Hypervisor CLI (31%)
“…IDA. A process launched from any of these is treated as running under analysis. Kernel debug-object query: the Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime, avoiding static import detection, and queried for the ProcessDebugObjectHa…”

Summary

Key Takeaways

Background

VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks […]