VECT Ransomware Can Permanently Destroy Data Instead of Encrypting It


VECT software debuted at the end of 2025, departing from the traditional operating model of ransomware groups. Instead of recruiting a narrow group of trusted partners, VECT’s creators opened their doors to everyone, Check Point warns. Through a partnership with BreachForums, the ransomware platform was automatically made available to every member of the criminal forum. However, the tool contains errors that destroy captured files instead of encrypting them.

The situation is worsened by VECT’s cooperation with TeamPCP, a group responsible for a series of supply chain attacks this year. The aim is to use access already obtained in those attacks as a starting point for attacks on companies that were previously compromised through them. Although the threat appears highly serious and scalable on paper, an analysis by Check Point Research revealed critical flaws in the software’s code.

A critical flaw: VECT destroys data instead of locking it

The classic ransomware model is based on reversibility: attackers lock files, keep the key and return it after the ransom is paid. VECT breaks this model because of errors in its code.

It turns out that VECT permanently destroys large files instead of merely locking them. When the software encrypts large files, it permanently discards information that is necessary to reverse the process. This means there is no key that attackers could provide to the victim. Even the hackers themselves cannot deliver a working decryptor, because the means required for decryption no longer exist anywhere.

This destructive flaw affects the most important files for companies, including virtual machine images, databases, backups and archives. In the case of these files, VECT behaves like data-wiping malware with a ransom note attached. The critical encryption flaw is present in all versions of the software for Windows, Linux and ESXi environments. The bug appeared in all known samples and has never been fixed.

Amateur execution and broken features

Although VECT invests heavily in a professional image, including a well-designed affiliate panel, analysis of the code itself shows a very different reality. Researchers at Check Point Research believe it is more likely the work of novices than experienced ransomware operators.

Many of the advertised capabilities, including encryption speed modes and protections against code analysis, are either not implemented or completely broken. The software ignores encryption speed settings, and every attack proceeds in the same way. Tools intended to avoid detection are never activated.

Unchanged geofencing exclusions protecting targets in Ukraine suggest that VECT may be based on leaked code older than 2022. It also cannot be ruled out that some parts of the code were generated using artificial intelligence, which would explain such fundamental errors hidden behind a façade of supposed professionalism.

Key recommendations for CTOs and security teams

If your organisation has fallen victim to an attack, do not pay the ransom. Payment will not restore your data under any circumstances. The focus should be on recovery and response. Because there is no working decryptor for most critical business files, the only option is to immediately involve an incident response team and restore systems from clean backups. Paying only transfers funds to criminals and provides nothing in return.

If you have not yet been attacked, credential rotation should be a priority. If your company uses development tools such as Trivy, KICS, LiteLLM or Telnyx, which were targeted in TeamPCP’s supply chain attacks, immediate credential rotation should be treated as the highest priority. Importantly, despite the encryption flaws, data may still be stolen before encryption begins, and systems may still fail.

VECT’s flaws can be fixed, and a future software update distributed to thousands of criminal affiliates could make this group far more dangerous. According to Check Point specialists, the threat should be monitored urgently.
