VECT 2.0
VECT 2.0 is a ransomware-as-a-service (RaaS) malware family first observed in late 2025 that targets Windows, Linux, and VMware ESXi systems. It is described as a 64-bit Windows-based ransomware in analyzed Windows samples and is written in C++ with statically compiled executables sharing a common codebase across platforms. The malware targets business data including documents, PDFs, archives, backups, databases, virtual disks, and other accessible files, walking accessible paths with only a short exclusion list. On Windows, it appends the .vect extension to targeted files and drops a ransom note named !!!READ_ME!!!.txt; the .vect extension is the most consistently reported artifact. The Windows variant also reportedly forces Excel.exe, Winword.exe, and Outlook.exe to close to access their data.
Multiple reports attribute VECT 2.0 to VECT operators and describe partnerships with BreachForums and TeamPCP. The BreachForums relationship reportedly enabled a broad affiliate model, including free affiliate access for forum members, while TeamPCP was linked to supply-chain compromises involving Trivy, Checkmarx KICS, LiteLLM, and Telnyx that were described as a distribution vector for VECT. VECT has been associated with claimed victims through this partnership and with an open-affiliate recruitment model.
Researchers from Check Point Research, Halcyon, and Morphisec reported that VECT 2.0 contains severe implementation flaws that make it behave more like a wiper than recoverable ransomware. The most serious flaw affects files larger than 128 KB: VECT 2.0 splits large files into four chunks or sections, encrypts them using ChaCha20-IETF/libsodium with four independently generated 12-byte nonces, but preserves only the final nonce. The first three nonces are overwritten in shared memory and are not stored on disk, in the registry, or transmitted to the operators. As a result, most of each large file becomes permanently unrecoverable, including to the attackers, so ransom payment does not guarantee restoration. This flaw is reported across Windows, Linux, and ESXi variants.
Additional reported defects include a memory or buffer-size mismatch affecting files between 32 KB and 128 KB, which can leave files renamed without encryption, partially encrypted, or structurally corrupted; a Full mode memory error that restricts encryption to files smaller than 32 KB; parsing of the fast, medium, and secure encryption modes without actually applying them; race conditions caused by buffers shared globally across worker threads; and a thread scheduling bug that spawns excessive tasks and degrades performance. Researchers also reported broken XOR string obfuscation that leaves strings readable in plaintext. Because VECT 2.0 stores minimal recovery metadata (only a 12-byte trailer holding the last nonce, with no version, original size, or chunk metadata), generic and attacker-supplied decryptors may fail even on partially processed files.
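The size thresholds above matter for incident response because they determine what a victim can realistically expect to get back, with or without a decryptor. The following triage script is an added example written for this page, not code from VECT 2.0 or from any of the cited researchers. It walks a recovered share, counts ransom notes, and sorts .vect files into recovery buckets using the reported thresholds (over 128 KB: three of four nonces discarded; 32 to 128 KB: buffer mismatch; under 32 KB: depends on the trailer nonce and a working decryptor). It also checks whether a .vect file still starts with a well-known plaintext signature, which would indicate the "renamed without encryption" outcome where a plain rename restores the file. The bucket names, the assumption that the 12-byte trailer is simply appended to the original content, and the sample tree are all constructed for the example.

```python
import os
import shutil
import tempfile
from collections import Counter

# Artifacts reported for the Windows variant of VECT 2.0.
VECT_EXTENSION = ".vect"
RANSOM_NOTE = "!!!READ_ME!!!.txt"
TRAILER_LEN = 12          # reported: only the final 12-byte nonce survives as a trailer
KB = 1024

# Well-known file signatures. A file that was renamed but never encrypted
# (one reported outcome of the 32-128 KB defect) keeps its original magic bytes.
MAGIC_BYTES = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
}


def classify_by_size(original_size):
    """Map the pre-encryption size to the recovery expectation the reports imply.
    Bucket names are this example's own labels, not vendor terminology."""
    if original_size > 128 * KB:
        return "bulk-unrecoverable"    # three of four chunk nonces discarded
    if original_size >= 32 * KB:
        return "unreliable"            # buffer-size mismatch range
    return "decryptor-dependent"       # small files: needs the trailer nonce and a working decryptor


def inspect_vect_file(path):
    """Describe one .vect file: size bucket, trailer presence, surviving plaintext magic."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(8)
    magic = next((name for sig, name in MAGIC_BYTES.items() if head.startswith(sig)), None)
    has_trailer = size >= TRAILER_LEN
    # Assumption for this example: the trailer is appended after the original content.
    original_size = size - TRAILER_LEN if has_trailer else size
    bucket = "renamed-only" if magic else classify_by_size(original_size)
    return {"path": path, "size": size, "has_trailer": has_trailer,
            "plaintext_magic": magic, "bucket": bucket}


def triage_tree(root):
    """Walk a recovered share and summarise ransom notes and .vect files by bucket."""
    notes, files = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.lower().endswith(VECT_EXTENSION):
                files.append(inspect_vect_file(full))
    return {"notes": notes, "files": files,
            "buckets": Counter(f["bucket"] for f in files)}


def _blob(n):
    """Deterministic filler that never begins with a known magic signature."""
    return (bytes(range(1, 256)) * (n // 255 + 1))[:n]


def build_sample_tree(root):
    """Constructed sample data standing in for a hit file share (not real samples)."""
    os.makedirs(os.path.join(root, "finance"), exist_ok=True)
    samples = {
        "finance/q3-ledger.xlsx.vect": _blob(200 * KB) + _blob(TRAILER_LEN),  # > 128 KB
        "finance/memo.docx.vect": _blob(64 * KB) + _blob(TRAILER_LEN),        # 32-128 KB
        "finance/note.txt.vect": _blob(4 * KB) + _blob(TRAILER_LEN),          # < 32 KB
        "finance/report.pdf.vect": b"%PDF-1.7\n" + _blob(50 * KB),           # renamed, still plaintext
        "finance/untouched.csv": b"id,amount\n1,42\n",                       # not touched
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    for note_dir in (root, os.path.join(root, "finance")):
        with open(os.path.join(note_dir, RANSOM_NOTE), "w") as fh:
            fh.write("constructed ransom note placeholder\n")


def run_demo():
    """Build the constructed tree in a temp dir, triage it, clean up, return the summary."""
    root = tempfile.mkdtemp(prefix="vect-triage-")
    try:
        build_sample_tree(root)
        return triage_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    summary = run_demo()
    print(f"ransom notes: {len(summary['notes'])}")
    for bucket, count in sorted(summary["buckets"].items()):
        print(f"{bucket:>22}: {count}")
```

On a real share, point triage_tree at the mount point instead of the constructed tree; the "renamed-only" bucket is the one worth acting on first, since those files need nothing more than their original name. The other buckets only tell you what a decryptor could at best achieve, which for the largest files, per the reporting, is very little.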
Reported behaviors and defensive indicators include .vect file renaming, ransom note creation, shadow copy deletion, bulk process termination, PowerShell attempts to disable Windows Defender, event log clearing, suspicious Safe Mode boot configuration changes, and on Windows, encryption of local, removable, and network-accessible storage. Some reporting also notes anti-analysis features, Safe Mode persistence, lateral movement templates in the Windows variant, and SSH-based spread and geofencing in ESXi/Linux variants. Targeted sectors mentioned in reporting include manufacturing, education, healthcare, and technology. Overall, the reporting consistently characterizes VECT 2.0 as an immature but destructive multi-platform ransomware operation whose coding flaws can permanently destroy victim data.
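Several of the behaviours listed above (shadow copy deletion, event log clearing, remote service and scheduled task creation, AD computer enumeration) leave command lines in process-creation telemetry, and they are far more telling when they cluster on one host within minutes than individually. The script below is an added example for this page, not a detection rule published by any of the cited vendors or by the Mallory platform. It encodes the command fragments quoted in the techniques section as regular expressions, runs them over a batch of constructed process-creation events (Sysmon event 1 or an EDR equivalent is assumed as the source), and raises a host-level alert only when hits from two or more distinct tactics fall within a five-minute window. Host names, user names, timestamps and the locker file name in the sample events are placeholders constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Each rule: (name, tactic, pattern). Patterns follow the command fragments
# quoted in public reporting on VECT 2.0 and are written for process-creation
# command lines. Rule names and tactic labels are this example's own.
RULES = [
    ("shadow_copy_deletion", "impact",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clear", "defense_evasion",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+(Application|Security|System|\"Windows PowerShell\")", re.I)),
    ("remote_schtasks_create", "lateral_movement",
     re.compile(r"schtasks(\.exe)?\s+/create\s+.*?/s\s+\S+", re.I)),
    ("remote_service_create", "lateral_movement",
     re.compile(r"sc(\.exe)?\s+\\\\\S+\s+create\s+", re.I)),
    ("wmi_remote_process_create", "lateral_movement",
     re.compile(r"Invoke-WmiMethod.*Win32_Process.*-Name\s+Create", re.I)),
    ("dcom_mmc20_exec", "lateral_movement",
     re.compile(r"MMC20\.Application.*ExecuteShellCommand", re.I)),
    ("ad_computer_enumeration", "discovery",
     re.compile(r"adsisearcher.*objectCategory=computer", re.I)),
]

# Constructed telemetry, not from a real incident. Hosts, users, times and
# the locker file name are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T02:14:03", "host": "WS-07", "user": "CORP\\svc_backup",
     "cmd": "powershell.exe -nop -c \"$pcs=@([adsisearcher]'objectCategory=computer').FindAll()|%{$_.Properties.dnshostname[0]}\""},
    {"ts": "2025-12-01T02:14:09", "host": "WS-07", "user": "CORP\\svc_backup",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-12-01T02:14:12", "host": "WS-07", "user": "CORP\\svc_backup",
     "cmd": "wevtutil cl \"Windows PowerShell\""},
    {"ts": "2025-12-01T02:14:15", "host": "WS-07", "user": "CORP\\svc_backup",
     "cmd": "sc.exe \\\\FS-01 create UpdSvc binPath= \"C:\\ProgramData\\locker.exe\" type= own start= auto"},
    {"ts": "2025-12-01T02:14:20", "host": "WS-07", "user": "CORP\\svc_backup",
     "cmd": "schtasks /create /s FS-02 /tn UpdSvc /tr C:\\ProgramData\\locker.exe /sc onstart /ru SYSTEM"},
    {"ts": "2025-12-01T03:40:00", "host": "ADM-01", "user": "CORP\\jdoe",
     "cmd": "wevtutil cl Application"},          # lone log clear: recorded, not alerted
    {"ts": "2025-12-01T03:41:10", "host": "SRV-02", "user": "CORP\\backupsvc",
     "cmd": "vssadmin list shadows"},            # benign: list, not delete
]


def match_event(cmd):
    """Return (rule_name, tactic) for every rule whose pattern hits the command line."""
    return [(name, tactic) for name, tactic, pat in RULES if pat.search(cmd)]


def correlate(events, window=timedelta(minutes=5), min_tactics=2):
    """Per host, alert when hits covering >= min_tactics distinct tactics fall inside window."""
    by_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for name, tactic in match_event(ev["cmd"]):
            by_host[ev["host"]].append((ts, tactic, name))
    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for i, (t0, _tactic, _name) in enumerate(hits):
            tactics = {tac for ts, tac, _ in hits[i:] if ts - t0 <= window}
            if len(tactics) >= min_tactics:
                alerts.append(host)
                break
    return alerts


def run_detection(events):
    """Summarise rule hits and correlated host alerts for a batch of events."""
    hits = Counter(name for ev in events for name, _ in match_event(ev["cmd"]))
    return {"hits": hits, "alerts": correlate(events)}


if __name__ == "__main__":
    result = run_detection(SAMPLE_EVENTS)
    for name, count in sorted(result["hits"].items()):
        print(f"{name:<28} {count}")
    print("hosts alerted:", ", ".join(result["alerts"]) or "none")
```

The single wevtutil hit on ADM-01 is kept as a low-severity record rather than an alert, because administrators do clear logs; the same command issued seconds after shadow copy deletion and remote service creation on WS-07 is what trips the host alert. The thresholds and window are starting points to tune against your own baseline, not values taken from the reporting.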
Groups observed using it
1 distinct threat actor attributed by public researchers.
The VECT 2.0 ransomware, attributed to a threat actor group (VECT operators), reflects a notable shift in ransomware behavior where operational flaws unintentionally drive destructive outcomes.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
The Credentials field allows an attacker to add domain credentials into the compiled locker payload, which enables automated lateral movement and mass deployment via GPO... Each method begins by setting up credentials.
Additionally, its affiliate-based distribution via BreachForums and alignment with threat group TeamPCP demonstrates convergence with supply-chain compromise strategies...
Execution (5 techniques)
Invoke-WmiMethod -ComputerName $pc -Credential $cred -Class Win32_Process -Name Create -ArgumentList "%ProgramData%\$name" -EA Stop
Or through scheduled tasks: $action=New-ScheduledTaskAction -Execute "%ProgramData%\$name" ... Register-ScheduledTask ... Start-ScheduledTask ... From scheduled tasks installed via the command line: schtasks /create /s $pc ...
The locker also issues commands to subvert Windows Defender via this PowerShell command... functionality appears to be implemented via hardcoded PowerShell scripts embedded within the locker.
...deceptive downloads... fake updates, repackaged and infected installers.
Methods include propagating via service installation: sc.exe \\$pc create $svc binPath= "C:\ProgramData\$name" type= own start= auto ... sc.exe \\$pc start $svc
Persistence (4 techniques)
Persistence is obtained by modifying this common registry run key on a victim’s system: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Value: <locker file path>
Privilege Escalation (4 techniques)
The actor advertised... GPO propagation... The hidden PowerShell GPO/lateral command did launch.
Stealth (3 techniques)
Event log clearing: the Application, Security, System, and Windows PowerShell logs are cleared with wevtutil cl
Backup copies from the Windows volume shadow copy utility are deleted with this command: vssadmin delete shadows /all /quiet
Defense Impairment (2 techniques)
Discovery (4 techniques)
It then enumerates hosts via AD: $pcs=@([adsisearcher]'objectCategory=computer').FindAll()|%{$_.Properties.dnshostname[0]}|?{$_ -and $_ -ne $env:COMPUTERNAME}
It then enumerates hosts via AD... Next, it copies itself to discovered machines
Rather than targeting only specific file types, it walks accessible paths and skips a short exclusion list, meaning a wide range of important files fall within its scope.
The actor advertised... network discovery, lateral movement, and GPO propagation.
Lateral Movement (5 techniques)
Vect advertises automated lateral movement and deployment via GPO on Windows... it attempts to execute the remote copy via various methods, including WMI... CIM... scheduled tasks... DCOM... Invoke-Command.
It can spread by breaking in through an insecure RDP configuration...
From DCOM: $com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application',$pc)); $com.Document.ActiveView.ExecuteShellCommand("C:\ProgramData\$name",$null,$null,'7')
The ESXi locker also provides an argument dialog showing its capabilities: ... --spread Enable SSH lateral movement
The embedded PowerShell is built for lateral movement and remote execution. It references admin-share copy to \\$pc\C$\ProgramData\$name...
Exfiltration (1 technique)
We have also exfiltrated your sensitive data, consisting mostly of databases, backups and other personal information from your company...
Impact (3 techniques)
That's because the ransomware Vect uses isn't actually ransomware at all, but a wiper that destroys any file larger than 128KB.
VECT 2.0 is a 64-bit Windows-based ransomware that targets business data including documents, PDFs, archives, backups, databases, and virtual disks. For files larger than 128 KB, VECT splits the content into four sections and encrypts a 32 KB block at the start of each using four different keys.
Backup copies from the Windows volume shadow copy utility are deleted with this command: vssadmin delete shadows /all /quiet ... Vect runs commands to disable GhettoVCB and Veeam software.
Other (2 techniques)
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
64-bit Windows ransomware that encrypts business data and appends the .vect extension. The report states its design is flawed: it renames files before encryption, stores minimal metadata, may only partially encrypt files, and uses multi-threaded shared buffers that can corrupt or inconsistently process files, preventing reliable recovery even with the attacker’s decryptor.
A ransomware family promoted as part of a nascent RaaS operation; researchers described it as amateur and said it destroys most data instead of properly encrypting it.
Cross-platform ransomware for Windows, Linux, and ESXi whose flawed nonce management can irreversibly corrupt large files, making it behave like a pseudo-wiper.
Multi-platform ransomware-as-a-service targeting Windows, Linux, and ESXi. Due to critical implementation flaws, especially in handling files larger than 128 KB, it destroys required encryption keys and behaves more like a wiper, making recovery impossible even for the attackers.