VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi
Summary
VECT 2.0 is a ransomware-as-a-service (RaaS) operation whose locker effectively acts as a data wiper for files larger than 131,072 bytes. A flaw in its encryption routine discards the nonces used for three of the four chunks of every such file, so the bulk of each large file cannot be decrypted even if the ransom is paid and the operators hand over the key.
Key Points
- Affects Windows, Linux, and ESXi environments.
- Files larger than 131,072 bytes (128 KiB) lose the first 75% of their content irrecoverably; only the final chunk can be decrypted.
- Uses plain ChaCha20-IETF (12-byte nonce) with no Poly1305 authentication tag, despite the operators' claim of ChaCha20-Poly1305 AEAD.
- The Windows variant includes a --force-safemode flag that installs registry-based persistence so the locker also runs when the system boots into Safe Mode.
- The Windows version features an anti-analysis suite targeting 44 specific security and debugging tools.
- The ESXi variant implements geofencing to skip targets in CIS countries and uses SSH for lateral movement.
Technical Details
The VECT 2.0 locker implements a flawed encryption process for files exceeding 131,072 bytes. The malware divides each such file into four independent chunks and encrypts each with ChaCha20-IETF under a fresh 12-byte nonce. However, it only appends the final nonce to the encrypted file on disk and discards the first three nonces immediately after use. ChaCha20 needs the exact nonce used for a chunk to regenerate its keystream, and a 96-bit nonce cannot be recovered by brute force, so even a decryptor holding the correct key can only decrypt the fourth chunk: the first 75% of every large file is permanently unrecoverable.
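The following is an added example, not code from VECT 2.0 or from the original write-up. It reproduces the flaw in miniature with a pure-Python ChaCha20 (RFC 8439) so the effect can be measured offline. The four-chunk split, the per-chunk nonces and the "only the last nonce is written" behaviour follow the description above; the key, the sample file, the on-disk layout (ciphertext followed by the final nonce) and the corrected variant that persists all four nonces are assumptions made for the demonstration.

```python
"""Added example, not VECT 2.0 code: models the chunked-ChaCha20 nonce flaw
with a pure-Python ChaCha20 (RFC 8439). The four-chunk split and "only the
last nonce survives" behaviour follow the write-up; the key, the sample file
and the on-disk layout (ciphertext || final nonce) are assumptions."""
import os
import struct

CHUNKS = 4
THRESHOLD = 131_072  # files larger than this are chunked (from the write-up)
MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def _block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """Unauthenticated ChaCha20-IETF (32-byte key, 12-byte nonce). Encrypts and
    decrypts alike; no Poly1305 tag, matching the locker as described."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_selftest():
    """Confirm the toy cipher is real ChaCha20: RFC 8439 section 2.4.2 vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, msg)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"


def split_chunks(data, n=CHUNKS):
    """n contiguous chunks; the last one takes any remainder."""
    size = len(data) // n
    return [data[i * size:(i + 1) * size] for i in range(n - 1)] + [data[(n - 1) * size:]]


def flawed_encrypt(key, plaintext):
    """Locker behaviour as described: a fresh nonce per chunk, but only the
    final nonce is appended to the output; the other three are dropped."""
    assert len(plaintext) > THRESHOLD, "small files are not chunked in this model"
    body, nonce = bytearray(), None
    for chunk in split_chunks(plaintext):
        nonce = os.urandom(12)              # chunks 0-2: nonce discarded after use
        body += chacha20_xor(key, nonce, chunk)
    return bytes(body) + nonce              # assumed layout: ciphertext || final nonce


def decrypt_with_stored_nonce(key, blob):
    """Best a decryptor holding the real key can do: reuse the one stored nonce."""
    body, nonce = blob[:-12], blob[-12:]
    return b"".join(chacha20_xor(key, nonce, c) for c in split_chunks(body))


def recovered_fraction(plaintext, recovered):
    pairs = zip(split_chunks(plaintext), split_chunks(recovered))
    return sum(a == b for a, b in pairs) / CHUNKS


def fixed_encrypt(key, plaintext):
    """Corrected nonce handling (assumed): persist every per-chunk nonce in a
    4 x 12-byte header. Still unauthenticated; Poly1305 is a separate fix."""
    nonces, body = [], bytearray()
    for chunk in split_chunks(plaintext):
        nonces.append(os.urandom(12))
        body += chacha20_xor(key, nonces[-1], chunk)
    return b"".join(nonces) + bytes(body)


def fixed_decrypt(key, blob):
    hdr, body = blob[:12 * CHUNKS], blob[12 * CHUNKS:]
    nonces = [hdr[i:i + 12] for i in range(0, len(hdr), 12)]
    return b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, split_chunks(body)))


def demo():
    key = os.urandom(32)                     # constructed key for the demo
    sample = bytes(range(256)) * 520         # constructed 133,120-byte "file"
    flawed = decrypt_with_stored_nonce(key, flawed_encrypt(key, sample))
    fixed = fixed_decrypt(key, fixed_encrypt(key, sample))
    return recovered_fraction(sample, flawed), fixed == sample


if __name__ == "__main__":
    frac, ok = demo()
    print(f"RFC vector ok: {rfc8439_selftest()}; flawed scheme recovers {frac:.0%}; fixed round-trips: {ok}")
```

decrypt_with_stored_nonce is the most any decryptor can do with the key and the on-disk data: the first three chunks come back as keystream garbage and only the final chunk matches, so recovered_fraction returns 0.25 regardless of the key. fixed_encrypt and fixed_decrypt show the minimal correct handling of independent per-chunk nonces; they remain unauthenticated and address only the nonce flaw, not the missing Poly1305 tag.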
On Windows, the malware can target local, removable, and network-accessible storage. When run with the --force-safemode parameter it installs a registry-based persistence mechanism that triggers execution during Windows Safe Mode boots, a mode in which many endpoint security products do not load. The Linux and ESXi variants share a codebase; the ESXi version additionally uses SSH for lateral movement and enforces geofencing checks to avoid executing in certain CIS-related jurisdictions.
Impact / Why It Matters
Organizations cannot rely on ransom payments for data recovery in a VECT 2.0 incident. The encryption process destroys the first three quarters of every file over 128 KiB, a size class that covers virtual disks, databases and most working documents, so even a genuine decryptor from the operators would return only the final chunk of each such file. Security strategies must therefore prioritize offline, tested backups and rapid containment to limit permanent data loss; for ESXi estates this includes restricting SSH access between hosts, and on Windows it means monitoring Safe Mode boot configuration for unexpected persistence entries.