Paying Ransom Won’t Save You: VECT 2.0 Ransomware Permanently Wipes Data

A significant flaw in the VECT 2.0 ransomware is causing irreversible data loss for victims, even when the ransom is paid. Recent research from Check Point Research (CPR) and Halcyon indicates that, whatever its creators intended to build, fundamental programming errors have effectively turned the tool into a wiper that destroys data rather than holding it for ransom.

According to Halcyon researchers, “Vect operates as a Ransomware-as-a-Service (RaaS), and its encryption mechanisms across Windows, Linux, and ESXi variants feature critical vulnerabilities that hinder data recovery, even post-ransom payment.”

A Flaw That Deletes the Keys

VECT 2.0 was first identified in December 2025 and by February 2026 had broadened its targeting to cover Windows, Linux, and ESXi systems. Ransomware normally encrypts files while the operator retains the key needed to decrypt them once the ransom is paid. Check Point Research, however, found a serious flaw in how VECT 2.0 handles larger files.

Files larger than 128 KB, a range that covers the vast majority of office documents, databases, and backups, are corrupted during the attack. The malware generates four keys to encrypt each such file, but it overwrites the first three as it goes, so only the final key survives and the material needed to recover the rest of the file is gone.

Because those keys are lost at the moment they are used, nobody can reconstruct them afterwards. The researchers confirmed that “full recovery is impossible for anyone, including the attackers themselves.” Even the perpetrators cannot supply the keys a victim would need.
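To make the failure mode concrete, the following is an added toy reconstruction of the key-management bug described above. It is not VECT code and does not reproduce its cipher: the split into four equal parts, the single overwritten key slot, and the SHA-256 counter-mode keystream are all assumptions chosen only to show why overwriting per-part keys makes decryption impossible even for whoever holds the one surviving key.

```python
"""Toy reconstruction of a 'generate four keys, keep only the last' bug.

Added illustration, not VECT code. Assumptions: the file is split into four
parts (NUM_KEYS), each part gets its own random key, and the buggy encryptor
keeps only one key slot that each new key overwrites. The keystream is a toy
built from SHA-256 in counter mode; it stands in for a real stream cipher.
"""
import hashlib
import os

NUM_KEYS = 4   # assumed: one key per part, four parts per large file
KEY_LEN = 32


def part_bounds(n: int) -> list[tuple[int, int]]:
    """Split n bytes into up to NUM_KEYS equal parts (assumed layout)."""
    size = -(-n // NUM_KEYS)  # ceiling division
    return [(i * size, min((i + 1) * size, n))
            for i in range(NUM_KEYS) if i * size < n]


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter), concatenated."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    """XOR two equal-length byte strings (fast path via big integers)."""
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def encrypt_buggy(plaintext: bytes) -> tuple[bytes, bytes]:
    """Fresh key per part, but a single key variable: each key overwrites the
    previous one, so only the last part's key is ever available afterwards."""
    stored_key = b""
    out = bytearray()
    for lo, hi in part_bounds(len(plaintext)):
        stored_key = os.urandom(KEY_LEN)          # bug: previous key is lost here
        out += xor(plaintext[lo:hi], keystream(stored_key, hi - lo))
    return bytes(out), stored_key


def decrypt_with_single_key(ciphertext: bytes, key: bytes) -> bytes:
    """All a 'decryptor' can do with one surviving key: try it on every part."""
    out = bytearray()
    for lo, hi in part_bounds(len(ciphertext)):
        out += xor(ciphertext[lo:hi], keystream(key, hi - lo))
    return bytes(out)


def encrypt_correct(plaintext: bytes) -> tuple[bytes, list[bytes]]:
    """Same scheme with every part key retained; every part stays recoverable."""
    keys, out = [], bytearray()
    for lo, hi in part_bounds(len(plaintext)):
        keys.append(os.urandom(KEY_LEN))
        out += xor(plaintext[lo:hi], keystream(keys[-1], hi - lo))
    return bytes(out), keys


def decrypt_correct(ciphertext: bytes, keys: list[bytes]) -> bytes:
    out = bytearray()
    for key, (lo, hi) in zip(keys, part_bounds(len(ciphertext))):
        out += xor(ciphertext[lo:hi], keystream(key, hi - lo))
    return bytes(out)


def recoverable_parts(plaintext: bytes, recovered: bytes) -> int:
    """Count the parts that decrypted back to the original bytes."""
    return sum(plaintext[lo:hi] == recovered[lo:hi]
               for lo, hi in part_bounds(len(plaintext)))


def demo(size_bytes: int = 160 * 1024) -> tuple[int, int]:
    """Encrypt a constructed random 'document' both ways and report how many
    of its parts can be recovered: (buggy_recovered, correct_recovered)."""
    doc = os.urandom(size_bytes)                  # constructed sample input
    ct, last_key = encrypt_buggy(doc)
    buggy = recoverable_parts(doc, decrypt_with_single_key(ct, last_key))
    ct2, keys = encrypt_correct(doc)
    correct = recoverable_parts(doc, decrypt_correct(ct2, keys))
    return buggy, correct


if __name__ == "__main__":
    b, c = demo()
    print(f"buggy encryptor: {b} of {NUM_KEYS} parts recoverable")
    print(f"fixed encryptor: {c} of {NUM_KEYS} parts recoverable")
```

Running the script shows that with the buggy encryptor only the last part of a 160 KB sample decrypts correctly, whatever key the operator hands over, whereas retaining all four keys recovers the whole file. The point is that the ciphertext itself is intact; the data is lost because the key material was discarded at encryption time.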

VECT 2.0 ransomware gang’s ransom note

Big Plans, Bad Code

While the VECT 2.0 group has tried to present its operation as high-end, its code contains errors typical of inexperienced developers. Halcyon’s analysis found that the malware’s Full mode is crippled by a memory-handling bug that restricts encryption to files smaller than 32 KB, so the bulk of a victim’s data is skipped entirely.

Researchers also pointed out other flaws. The command-line modes meant to select different encryption speeds are parsed but then ignored. The malware also spawns far more concurrent tasks than the system can usefully run, oversubscribing the thread scheduler so that encryption slows down rather than speeding up.

Moreover, although the authors tried to hide their strings with XOR-based obfuscation, they got the arithmetic wrong and the obfuscation cancels itself out, leaving the strings in the binary in plaintext. The mistake exposed the malware’s intended behaviour to anyone who looked.
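The following added example shows the simplest way an XOR string obfuscation can cancel itself out and why that leaves the strings readable with a plain strings-style scan. It is not VECT code and the page does not say which arithmetic mistake the authors made; the two-pass pipeline, the key value and the sample strings below are assumptions constructed for illustration.

```python
"""Added illustration of self-cancelling XOR string obfuscation (not VECT code).

XOR is its own inverse: masking twice with the same key returns the input.
A build pipeline that masks a string and then, by mistake, masks it again
before embedding it writes the original plaintext into the binary.
"""

KEY = b"\x5a\xa5\x3c"  # assumed per-build key (constructed)


def xor_mask(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the repeating key. xor_mask(xor_mask(x)) == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_intended(plaintext: bytes) -> bytes:
    """Intended pipeline: mask once at build time; the runtime unmasks."""
    return xor_mask(plaintext)


def embed_buggy(plaintext: bytes) -> bytes:
    """Buggy pipeline (assumed): the mask is applied a second time, e.g. in a
    'packaging' step, so the blob that reaches the binary is the plaintext."""
    masked = xor_mask(plaintext)
    return xor_mask(masked)     # cancels the first pass


def printable_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Minimal strings(1)-style scan: runs of printable ASCII of min_len or more."""
    found, run = [], bytearray()
    for b in blob + b"\x00":    # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


# Constructed sample strings of the kind a ransomware binary would hide.
SAMPLES = [b"Excel.exe", b"Winword.exe", b".vect"]


def leaked_strings(embed) -> list[str]:
    """Return the sample strings that survive the embedding step in plaintext."""
    blob = b"\x00".join(embed(s) for s in SAMPLES)
    visible = printable_strings(blob, min_len=5)
    return [s.decode() for s in SAMPLES if s.decode() in visible]


if __name__ == "__main__":
    print("intended pipeline leaks:", leaked_strings(embed_intended))
    print("buggy pipeline leaks:   ", leaked_strings(embed_buggy))
```

With the intended pipeline none of the sample strings appear in the scan; with the buggy one every string is visible, which is exactly what lets analysts read a binary’s intended operations without unpacking it. The same check is a useful regression test for any project that relies on build-time string masking: scan the produced artefact for the strings that were supposed to be hidden.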

In the Windows variant, the ransomware appends a .vect extension to encrypted files and forcibly terminates programs such as Excel.exe, Winword.exe, and Outlook.exe, releasing the file locks those applications hold so that their open documents can be encrypted too.

Collaboration with Other Hackers

Despite these glaring technical shortcomings, the VECT 2.0 group has achieved a measure of success through an alliance with another criminal crew known as TeamPCP. In March 2026 the two carried out supply-chain attacks that planted malicious code in widely used development tools, including Trivy and Checkmarx KICS, while also handing out access keys to BreachForums members who wanted to join the operation as affiliates.

Although the group claims its tooling is advanced, in reality it is running on a fundamentally broken engine. Researchers stress that the material required to decrypt a file is destroyed during the attack itself, which makes paying the ransom futile.

“VECT 2.0 presents a formidable threat profile, boasting multi-platform compatibility, an active affiliate program, and supply-chain infiltration via partnerships. However, in practical execution, it falls significantly short of its ambitious claims,” concluded the Check Point Research blog.
