Check Point Research has just published new findings about a ransomware group that everyone should know about before becoming a victim: the VECT group permanently destroys large files instead of encrypting them. Victims who pay the ransom cannot get their data back. There is no decryptor, and there never will be.
The files affected are precisely those that matter most in an enterprise-level attack: virtual machine disk images, databases, backups and archives.
According to Eli Smadja, Group Manager at Check Point Research: “VECT is advertised as ransomware, but for any file larger than 131kb — which is the bulk of data that businesses really care about — it essentially functions as a data destruction tool. CISOs need to understand that in a VECT incident, payment is not a recovery strategy. There is no possibility of creating a decryptor, not because the attackers don’t want to hand it over, but because the information that would be required to create one has been destroyed by the time their software is running. The emphasis should be on resilience: offline backups, proven recovery procedures, and rapid isolation of the incident — not on negotiation.”
The group itself is worth watching. Recently, VECT teamed up with BreachForums and TeamPCP — the supply chain actor behind attacks on tools like Trivy, LiteLLM, and other widely used developer tools — to create one of the largest ransomware affiliate networks we’ve seen to date. The infrastructure is real. The ambition is serious. The software, however, is fundamentally flawed.
Some interesting findings:
- Previous industry publications, as well as the group’s own promotion, described VECT as using ChaCha20-Poly1305 AEAD encryption. CPR’s analysis showed that this is not the case — a weaker, uncertified cryptographic algorithm is used, with no integrity protection.
- CPR also believes that VECT is more likely the work of newcomers than experienced operators, and does not rule out the possibility that some of the code was generated with the help of AI. An unusual geofencing detail suggests that the code may be based on a leaked ransomware build from before 2022, rather than being written from scratch, as its creators claim.
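The practical consequence of the first finding is that a responder can estimate what is gone for good from file sizes alone. The following is an added incident-triage example (not code from Check Point Research or from the report) that walks an affected directory and separates files above the reported 131 KB threshold from those below it, grouped by the file categories the report names. It assumes "131kb" means 131 * 1024 bytes and that the extension sets stand in for VM images, databases and backups/archives; the sample tree is constructed in a temp directory.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Threshold reported by CPR; reading "131kb" as 131 * 1024 bytes is an assumption.
VECT_DESTRUCTION_THRESHOLD = 131 * 1024

# File classes the report names as the high-value targets (extension sets assumed).
CATEGORIES = {
    "vm_image": {".vmdk", ".vhd", ".vhdx", ".qcow2", ".vdi"},
    "database": {".db", ".sqlite", ".mdf", ".ibd"},
    "backup_or_archive": {".bak", ".zip", ".tar", ".gz", ".7z"},
}

def classify(path):
    """Map a file to one of the report's categories by extension, else 'other'."""
    ext = Path(path).suffix.lower()
    for name, exts in CATEGORIES.items():
        if ext in exts:
            return name
    return "other"

def triage(root, threshold=VECT_DESTRUCTION_THRESHOLD):
    """Split files under `root` into those larger than the threshold (per CPR,
    destroyed and unrecoverable even with payment) and those at or below it.
    Returns per-category counts plus the total bytes that must come from backups."""
    report = {"unrecoverable": defaultdict(int),
              "below_threshold": defaultdict(int),
              "unrecoverable_bytes": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            # The report says "larger than", so a file of exactly 131 KB is not counted.
            bucket = "unrecoverable" if size > threshold else "below_threshold"
            report[bucket][classify(path)] += 1
            if bucket == "unrecoverable":
                report["unrecoverable_bytes"] += size
    return report

def build_sample_tree():
    """Constructed sample data: sparse files standing in for an affected share."""
    root = tempfile.mkdtemp()
    sizes = {"web01.vmdk": 4 * 1024 * 1024, "orders.db": 300 * 1024,
             "notes.txt": 2 * 1024, "nightly.bak": 131 * 1024, "photo.zip": 100 * 1024}
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.truncate(size)  # sparse: allocates no data blocks but reports `size`
    return root

if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(dict(r["unrecoverable"]), dict(r["below_threshold"]), r["unrecoverable_bytes"])
```

The "unrecoverable" bucket is the set to restore from offline backups; the other bucket is the only part where a decryptor could ever be relevant.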
Although the press releases will range from very select to rare, I said I'd pass... because sometimes the editors hide.