VECT: Ransomware by design, Wiper by accident
VECT 2.0 is a cross-platform (Windows, Linux, ESXi) Ransomware-as-a-Service that effectively functions as a wiper due to a critical cryptographic implementation flaw. Files larger than 128 KB are encrypted in chunks using raw ChaCha20-IETF, but the malware fails to save the required nonces for the first three chunks, rendering full data recovery impossible even if the ransom is paid.
Authors: Check Point Research
Source: Check Point
- SHA256 8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d - VECT 2.0 Windows variant executable
- SHA256 a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2 - VECT 2.0 ESXi variant executable
- SHA256 e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06 - VECT 2.0 Linux variant executable
- URL hxxp://vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd[.]onion/chat/REDACTED - VECT ransomware Tor negotiation portal
Detection / Hunter
What Happened
The VECT 2.0 ransomware is a malicious program designed to lock computer files and demand payment, but a severe programming mistake actually causes it to permanently destroy most files instead. It affects Windows, Linux, and virtual machine servers, meaning a wide range of businesses and individuals are at risk of unrecoverable data loss. Because the attackers themselves cannot restore the destroyed files, paying the ransom will not help victims get their data back. Organizations should focus on strong backups and preventative security measures to block the initial infection.
Key Takeaways
- VECT 2.0 ransomware permanently destroys files larger than 128 KB due to a critical flaw that discards decryption nonces, effectively making it a wiper.
- The malware uses raw ChaCha20-IETF without authentication, contradicting public reports of ChaCha20-Poly1305 AEAD usage.
- Windows, Linux, and ESXi variants share a single flawed codebase with identical encryption logic and file-size thresholds.
- VECT operators partnered with TeamPCP and BreachForums to distribute the ransomware to affiliates and exploit supply-chain attack victims.
- The ransomware exhibits amateur coding practices, including unreachable anti-analysis routines, self-canceling string obfuscation, and performance-degrading thread scheduling.
Affected Systems
- Windows
- Linux
- VMware ESXi
- Oracle VirtualBox
- libvirt / KVM / QEMU
- Xen Hypervisor
Attack Chain
VECT 2.0 gains access to environments, potentially leveraging supply chain compromises via the TeamPCP partnership. Upon execution, the Windows variant can force a safe-mode reboot for evasion, while Linux/ESXi variants terminate security and virtualization services. The malware spreads laterally using SSH keys (Linux/ESXi) or Windows protocols (WMI, SMB). Finally, it encrypts files using ChaCha20-IETF, appending the .vect extension and dropping ransom notes, though a cryptographic flaw permanently destroys files over 128 KB.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but it includes comprehensive IOCs such as file hashes, command lines, and targeted services that can be used to build custom detections.
Detection Engineering Assessment
- EDR Visibility: High — The malware executes highly visible commands (vssadmin, bcdedit, esxcli), drops specific ransom notes, and exhibits aggressive file I/O behavior during encryption.
- Network Visibility: Medium — Lateral movement via SSH or Windows protocols (SMB, WMI) can be detected, but the encryption itself is local.
- Detection Difficulty: Moderate — While the malware attempts to clear logs and disable defenses, its noisy execution (excessive thread spawning, hardcoded command lines) provides ample detection opportunities before encryption completes.
Required Log Sources
- Process Creation (Event ID 4688)
- PowerShell Operational Logs
- Linux Syslog / Auditd
- ESXi Shell Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for processes executing bcdedit to modify safe boot configurations, followed by registry modifications to service load paths. | Process Creation, Registry Modifications | Defense Evasion | Low |
| Monitor for rapid, sequential execution of esxcli commands disabling firewall rulesets and health monitoring services on ESXi hosts. | ESXi Shell Logs | Defense Evasion | Low |
| Detect excessive thread creation (e.g., >40 threads) by a single unknown process accompanied by high volume file modifications renaming files to .vect. | EDR Process/Thread Events, File System Events | Impact | Low |
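As an added illustration of the hunting hypotheses above (example code, not from the Check Point report), a small Python detector runs the command lines the report attributes to VECT 2.0 and an esxcli burst check over constructed sample telemetry. The event tuples, host names and timestamps are made up; the esxcli commands other than the firewall one are ordinary read-only commands used as filler, and the stage labels are the ones the report assigns.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the report): (timestamp, host, command line) tuples
# as a collector might flatten them from Windows 4688 events and ESXi shell logs.
SAMPLE_EVENTS = [
    ("2025-01-01T10:00:00", "WS01", "bcdedit /set {default} safeboot minimal"),
    ("2025-01-01T10:00:05", "WS01", "vssadmin delete shadows /all /quiet"),
    ("2025-01-01T10:00:07", "WS01", "wevtutil cl Security"),
    ("2025-01-01T11:00:00", "ESX01", "esxcli network firewall set --enabled false"),
    ("2025-01-01T11:00:02", "ESX01", "esxcli network firewall ruleset list"),
    ("2025-01-01T11:00:04", "ESX01", "esxcli system version get"),
    ("2025-01-01T15:30:00", "ESX02", "esxcli network firewall get"),
]

# Command lines the report attributes to VECT 2.0, with the stage the report assigns them.
SIGNATURES = [
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I), "Defense Evasion", "safe-mode boot (T1562.009)"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "Impact", "shadow copy deletion"),
    (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "Defense Evasion", "event log clearing (T1070.001)"),
    (re.compile(r"\besxcli\s+network\s+firewall\s+set\b.*--enabled\s+false", re.I), "Defense Evasion", "ESXi firewall disabled (T1562.001)"),
]

def match_signatures(events):
    """Return (timestamp, host, stage, description) for each command line matching a signature."""
    hits = []
    for ts, host, cmd in events:
        for pattern, stage, description in SIGNATURES:
            if pattern.search(cmd):
                hits.append((ts, host, stage, description))
    return hits

def esxcli_bursts(events, window_s=60, min_count=3):
    """Per host, report the first run of >= min_count esxcli commands inside window_s seconds."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        if re.match(r"\s*esxcli\b", cmd, re.I):
            per_host[host].append(datetime.fromisoformat(ts))
    bursts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_count:  # one alert per host is enough for hunting
                bursts.append((host, times[start].isoformat(), end - start + 1))
                break
    return bursts
```

A lone esxcli call is routine on a hypervisor, so the burst check only fires on a tight sequence from one host; the signature hits carry the stage so they can be joined to the table above.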
Control Gaps
- Safe mode execution bypasses many standard EDR agents
- ESXi environments often lack robust endpoint monitoring compared to Windows
Key Behavioral Indicators
- Execution of vssadmin to delete shadow copies
- Creation of !!!READ_ME!!!.txt in multiple directories
- SSH connections to multiple internal hosts using harvested keys
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block execution of known VECT 2.0 file hashes.
- Isolate infected hosts immediately to prevent lateral movement via SSH or SMB.
- Do not pay the ransom, as files over 128 KB are permanently destroyed and cannot be recovered.
Infrastructure Hardening
- Restrict SSH access between internal hosts and implement strict key management.
- Harden ESXi hypervisors by restricting access to the management interface and disabling unnecessary services.
- Implement robust, offline, and immutable backups for all critical data.
User Protection
- Deploy EDR solutions capable of detecting safe-mode persistence mechanisms.
- Ensure anti-malware solutions are configured to block unauthorized modification of boot configurations (bcdedit).
Security Awareness
- Educate incident response teams that VECT 2.0 acts as a wiper, altering recovery strategies from decryption to full restoration from backups.
MITRE ATT&CK Mapping
- T1485 - Data Destruction
- T1486 - Data Encrypted for Impact
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1562.009 - Impair Defenses: Safe Mode Boot
- T1070.004 - Indicator Removal: File Deletion
- T1070.001 - Indicator Removal: Clear Windows Event Logs
- T1021.004 - Remote Services: SSH
- T1082 - System Information Discovery
Additional IOCs
- File Hashes:
  - 58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd (SHA256) - VECT 2.0 ESXi variant executable
  - 9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f (SHA256) - VECT 2.0 Windows variant executable
  - e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a (SHA256) - VECT 2.0 Windows variant executable
- File Paths:
  - !!!READ_ME!!!.txt - Ransom note dropped by all variants
  - dvm3_wall.bmp - Desktop wallpaper replacement dropped by the Windows variant
  - /etc/profile.d/vector_notice.sh - Shell script displaying the ransom note on login for Linux/ESXi variants
- Command Lines:
  - Purpose: Force the system to boot into minimal safe mode for evasion | Tools: bcdedit.exe | Stage: Defense Evasion | Command: bcdedit /set {default} safeboot minimal
  - Purpose: Delete volume shadow copies to prevent file recovery | Tools: vssadmin.exe | Stage: Impact | Command: vssadmin delete shadows /all /quiet
  - Purpose: Clear Windows event logs to remove forensic evidence | Tools: wevtutil.exe | Stage: Defense Evasion | Command: wevtutil cl
  - Purpose: Disable the ESXi network firewall | Tools: esxcli | Stage: Defense Evasion | Command: esxcli network firewall set --enabled false
- Other:
  - .vect - File extension appended to encrypted files