TeamPCP-linked VECT 2.0 ransomware unintentionally destroys files larger than 128 KB

VECT 2.0 ransomware inadvertently destroys files larger than 128 KB during encryption, making them unrecoverable by anyone, including the threat actors themselves, Check Point Research reported Tuesday.

The VECT ransomware-as-a-service (RaaS) group first appeared in December 2025 and reportedly partnered with the threat actor TeamPCP in March 2026. The RaaS currently lists two victims on its dedicated leak site, both claimed to be tied to TeamPCP’s supply chain attacks on Trivy and LiteLLM in March.

At the same time it announced its TeamPCP partnership, VECT announced a partnership with BreachForums, saying all BreachForums members would be given affiliate access to the ransomware. Leveraging this open availability, Check Point researchers gained access to the VECT 2.0 panel and ransomware builder, and conducted an analysis of the ransomware’s Windows, Linux and ESXi versions.

The researchers found an error in the ransomware’s encryption implementation across all three versions that caused files larger than 128 KB to be effectively destroyed rather than reversibly encrypted.

The error arose because the ransomware encrypts these “large” files in four chunks, but the decryption nonces generated for each chunk are all written to the same location, overwriting one another. Ultimately, only the nonce for the final chunk remains, leaving the rest of the file unrecoverable.
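A worked reconstruction of that failure mode, added here as an illustration rather than code from Check Point or from VECT: it encrypts a buffer above the 128 KB threshold in four chunks, each under its own fresh nonce, but keeps only one nonce slot, and then checks which chunks can still be recovered from the nonce that survives. A BLAKE2b counter-mode keystream stands in for ChaCha20-IETF (the cipher does not matter for the nonce bookkeeping), and the key, the 150 KB buffer and the four-equal-chunk split are all constructed assumptions.

```python
import hashlib
import os
CHUNK_COUNT = 4                    # the article: "large" files are encrypted in four chunks
LARGE_FILE_THRESHOLD = 128 * 1024  # files above this size take the chunked path

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from BLAKE2b, standing in for ChaCha20-IETF:
    as with ChaCha20, the stream depends only on (key, nonce, block counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + nonce + counter.to_bytes(4, "little")
        out += hashlib.blake2b(block, digest_size=64).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chunk_bounds(size: int) -> list[tuple[int, int]]:
    """Split [0, size) into CHUNK_COUNT near-equal ranges (assumed layout)."""
    step = -(-size // CHUNK_COUNT)
    return [(i * step, min((i + 1) * step, size)) for i in range(CHUNK_COUNT)]

def encrypt_large_file_buggy(key: bytes, data: bytes) -> tuple[bytes, bytes]:
    """Encrypt each chunk under a fresh 12-byte nonce, but write every nonce
    into the same single slot, so each write clobbers the one before it."""
    assert len(data) > LARGE_FILE_THRESHOLD
    ciphertext = bytearray()
    nonce_slot = b""
    for start, end in chunk_bounds(len(data)):
        nonce = os.urandom(12)
        ciphertext += xor_bytes(data[start:end], keystream(key, nonce, end - start))
        nonce_slot = nonce  # overwrite: only the final chunk's nonce survives
    return bytes(ciphertext), nonce_slot

def recoverable_chunks(key: bytes, data: bytes) -> list[bool]:
    """Encrypt, then decrypt every chunk with the one surviving nonce and
    report which chunks come back intact (only the last one can)."""
    ciphertext, nonce_slot = encrypt_large_file_buggy(key, data)
    result = []
    for start, end in chunk_bounds(len(data)):
        plain = xor_bytes(ciphertext[start:end], keystream(key, nonce_slot, end - start))
        result.append(plain == data[start:end])
    return result

def demo() -> list[bool]:
    key = bytes(range(32))          # constructed 256-bit key
    data = bytes(range(256)) * 600  # constructed 150 KB file, above the threshold
    return recoverable_chunks(key, data)  # [False, False, False, True]
```

The first three chunks fail for the same reason Check Point gives: their nonces no longer exist anywhere, so no key holder can regenerate the keystream that encrypted them.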

Check Point also noted that the encryption algorithm used by VECT is ChaCha20-IETF with no authentication, not the ChaCha20-Poly1305 AEAD that VECT had previously advertised and that had consequently been widely reported.

Other ‘amateur’ mistakes found in VECT 2.0 ransomware

Check Point provided additional details about the three VECT 2.0 variants, revealing an “amateur execution” despite the group’s “professional façade,” the researchers wrote.

The researchers also noted that the ransomware’s encryption engine spawns an excessive number of encryptor threads per CPU; rather than speeding up encryption, this leaves the system spending unnecessary time switching between threads.

“On a typical 8-CPU target, this produces 6 scanner and 42 encryptor threads simultaneously competing for the same disk I/O channels — overkill by any measure, and a thread count that would make any seasoned ransomware developer laugh,” the Check Point team wrote.

Additionally, the Windows version includes three anti-analysis mechanisms — a scan of running processes, a parent process check and a kernel debug-object query — but these mechanisms are never actually invoked during execution.

In the Linux version, the malware attempts to encrypt command line flags but accidentally uses a double XOR encryption scheme that “cancels out” the encryption, leaving the plain text strings fully visible, Check Point said.

Even the ASCII art used in VECT’s branding is broken, as the developers failed to escape backslash characters, the researchers added.

“VECT 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation,” the Check Point Research team concluded.

Due to the encryption error, Check Point emphasizes that companies that pay a ransom will not be able to recover most important files, “not because the operator is uncooperative, but because the nonces required for decryption no longer exist.”

Earlier this year, researchers at Coveware discovered a similar error in the Nitrogen ransomware affecting ESXi systems. The ransomware was found to inadvertently overwrite part of the public key derived from the private key used for encryption, making it impossible for anyone, including Nitrogen, to decrypt the files.
