Researchers reported that VECT 2.0 ransomware can permanently damage files through flaws in its own encryption and decryption logic, leaving victims unable to restore data even if they receive the attackers’ decryptor. Analysis of the Windows variant found that the malware appends the .vect extension, targets a wide range of business files on 64-bit systems, and stores too little recovery metadata to reliably reconstruct what happened to each file. Implementation defects reportedly include lost encryption material for large files, buffer-size mismatches affecting mid-sized files, and race conditions caused by shared global buffers across worker threads, resulting in files that may be only renamed, partially encrypted, or structururally corrupted.
Separate reporting describes VECT as a double-extortion ransomware-as-a-service operation with support for Windows, Linux, and VMware ESXi, using lateral movement, defense evasion, shadow-copy deletion, and safe-mode reboot techniques before encryption. The group is linked in reporting to TeamPCP and possible overlaps with Devman, with alleged access from earlier supply-chain compromises involving Trivy, Checkmarx KICS, LiteLLM, and Telnyx feeding later intrusions. Because a critical flaw in VECT’s ChaCha20-based intermittent encryption can render large-file data unrecoverable, defenders are being urged to treat VECT incidents as both ransomware and destructive data-loss events rather than assuming payment will enable recovery.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Reporting cited by SOCRadar says TeamPCP carried out supply chain compromises in March 2026 affecting Trivy, Checkmarx KICS, LiteLLM, and Telnyx. The stolen credentials and upstream access from those incidents were allegedly used in later Vect intrusions.
Morphisec analyzed the Windows VECT 2.0 ransomware strain and found implementation flaws that can permanently damage files, including loss of encryption material for large files, buffer-size mismatches, and race conditions across worker threads. The findings indicate victims may be unable to recover data even with the attackers' own decryptor.
SOCRadar reports that the Vect ransomware-as-a-service operation emerged on a Russian-language cybercrime forum on December 31, 2025, offering low-cost affiliate access and later expanding through recruitment arrangements with BreachForums.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.