VECT 2.0 ransomware flaw can make files unrecoverable, researchers say

A technical analysis by Check Point Research says the VECT 2.0 ransomware operation has a flaw that can permanently destroy files larger than 131,072 bytes across Windows, Linux and ESXi variants, leaving victims unable to recover data even if they pay.

KEY FACTS

  • Impact: Files above 131,072 bytes are not fully encrypted and become unrecoverable.
  • Scope: The issue affects Windows, Linux and ESXi lockers.
  • Launch: The ransomware-as-a-service program began recruiting affiliates in December 2025.
  • Access: New affiliates were charged $250 in Monero, with a waiver for CIS applicants.
  • Activity: The leak site currently lists two victims.

The report says the malware encrypts four chunks of each large file but discards three of the four nonces needed to reverse the process. Only the final nonce is stored, which makes the first three quarters of those files unrecoverable.

That means the program behaves more like a wiper than ransomware for most enterprise files. The report says paying the ransom would not restore data because the information needed to build a decrypter is destroyed when the malware runs.
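The recovery consequence described above can be shown with a small model of the failure mode. The following Python is an added illustration, not code from the report or the malware: it uses a toy SHA-256 counter-mode keystream as a stand-in for whatever cipher the locker actually uses (an assumption), splits a buffer into four chunks under four fresh nonces, retains only the last nonce as the report describes, and then shows what a decrypter holding the key and that single nonce can and cannot restore. Chunk boundaries, nonce length and cipher are all assumptions; the 131,072-byte threshold and the four-chunk layout come from the report.

```python
import os
import hashlib
import itertools

# Threshold and chunk count as reported by Check Point Research.
LARGE_FILE_THRESHOLD = 131_072
NUM_CHUNKS = 4


def is_affected(file_size: int) -> bool:
    """Files strictly above the reported threshold are the ones at risk."""
    return file_size > LARGE_FILE_THRESHOLD


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.
    Stand-in for the real cipher (assumption); the point is only that the
    keystream cannot be regenerated without the nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption and decryption are the same XOR."""
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def split_into_chunks(data: bytes, n: int = NUM_CHUNKS) -> list:
    """Cut data into exactly n contiguous chunks (boundaries are an assumption)."""
    bounds = [len(data) * i // n for i in range(n + 1)]
    return [data[bounds[i]:bounds[i + 1]] for i in range(n)]


def encrypt_as_reported(key: bytes, data: bytes, rng=os.urandom):
    """Model of the reported behaviour: four chunks, four fresh nonces,
    but only the final nonce is kept. Returns (ciphertext, stored_nonce, chunk_sizes)."""
    chunks = split_into_chunks(data)
    nonces = [rng(12) for _ in chunks]
    ciphertext = b"".join(xor_with_keystream(key, nc, ch) for nc, ch in zip(nonces, chunks))
    chunk_sizes = [len(ch) for ch in chunks]
    stored_nonce = nonces[-1]  # nonces[0..2] are discarded and never written anywhere
    return ciphertext, stored_nonce, chunk_sizes


def attempt_recovery(key: bytes, ciphertext: bytes, stored_nonce: bytes, chunk_sizes: list):
    """What a decrypter with the key and the single surviving nonce can restore:
    only the last chunk. Returns (recovered_tail, lost_byte_count)."""
    offsets = [sum(chunk_sizes[:i]) for i in range(len(chunk_sizes) + 1)]
    last = len(chunk_sizes) - 1
    last_ct = ciphertext[offsets[last]:offsets[last + 1]]
    recovered_tail = xor_with_keystream(key, stored_nonce, last_ct)
    lost_bytes = offsets[last]  # everything before the last chunk
    return recovered_tail, lost_bytes


def recoverable_fraction(chunk_sizes: list) -> float:
    """Share of the file a decrypter could restore: the last chunk only."""
    total = sum(chunk_sizes)
    return chunk_sizes[-1] / total if total else 0.0


if __name__ == "__main__":
    key = os.urandom(32)
    # Constructed sample: a buffer just over the reported threshold.
    original = os.urandom(LARGE_FILE_THRESHOLD + 1)
    ct, nonce, sizes = encrypt_as_reported(key, original)
    tail, lost = attempt_recovery(key, ct, nonce, sizes)
    assert tail == original[lost:]
    # Using the surviving nonce on the first chunk yields garbage, not plaintext.
    assert xor_with_keystream(key, nonce, ct[: sizes[0]]) != original[: sizes[0]]
    print(f"affected={is_affected(len(original))} recovered={len(tail)} "
          f"of {len(original)} bytes, lost={lost}, "
          f"recoverable_fraction={recoverable_fraction(sizes):.2f}")
```

The key and ciphertext survive intact in this model; what is gone is the per-chunk nonce, and with a fresh random nonce per chunk there is no way to rebuild three quarters of the keystream, which is why a paid-for decrypter cannot help and why the recovery plan has to come from backups instead.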

On the Windows side, the locker targets 44 security and debugging tools, can force a reboot into Safe Mode, and includes script templates for lateral movement. The ESXi version adds geofencing and anti-debugging checks, while the Linux variant shares the same codebase with reduced functionality.

The group has also formed partnerships with BreachForums and TeamPCP, in an effort to broaden distribution and use stolen data to pressure victims. The leak site still shows only two confirmed targets.

WHY IT MATTERS

The flaw changes the risk profile of an incident because recovery options may be limited even after payment. Organizations facing this malware would need to rely on offline backups, tested restoration plans and rapid containment rather than negotiation.