Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Vect Ransomware Vect 2.0 Ransomware ... Этот крипто-вымогатель шифрует данные пользователей с помощью алгоритма ChaCha20, а затем требует выкуп, чтобы вернуть файлы. ... Реализованы версии для Windows, Linux и ESXi.
36 distinct techniques documented for this family, organized by ATT&CK tactic.
It uses New-CimSession to interact directly with WMI over WinRM.
Instead, the module remotely registers Scheduled Tasks over CIM sessions... the task and CIM session are removed within 500 milliseconds, cleaning up artifacts on the target machine.
Privilege Escalation Access Token Manipulation (inferred) T1134
A “GPO Credentials” field allows affiliates to input Domain Admin credentials directly into the payload builder, enabling automatic distribution via Group Policy Objects without external scripts. This significantly streamlines mass deployment across Windows domains.
The sample implements obfuscated strings to hinder analysis. Rather than storing plaintext strings for commands and data, it keeps them as encrypted bytes that are assembled and decoded at runtime using rotating XOR.
Built-in Evasion: A “VM Crypter/Packer” toggle standardizes anti-analysis techniques, protecting binaries from immediate signature detection by security tools.
After execution, the task and CIM session are removed within 500 milliseconds, cleaning up artifacts on the target machine.
A “GPO Credentials” field allows affiliates to input Domain Admin credentials directly into the payload builder, enabling automatic distribution via Group Policy Objects without external scripts. This significantly streamlines mass deployment across Windows domains.
The Windows tab allows the affiliate to exclude file extensions and paths as well as provide GPO credentials for compromise and spread through Active Directory environments.
RDP - copies itself to each domain computer, then stores credentials via cmdkey
Moves across the network using: SMB admin shares (ADMIN$, C$) remote execution
Encrypts using ChaCha20-Poly1305 (reported) Likely multi-threaded → fast network-wide impact
Vect kills anything that blocks file access or enables recovery: databases: SQL/MySQL/Oracle backup tools: Veeam/Commvault/Acronis security tooling / monitoring agents
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.