VECT 2.0 ransomware: strong marketing masked weak technical execution
📊 Analytics | 2026-05-06, 12:31
VECT is a relatively new RaaS threat that emerged in late 2025. It was initially promoted as an ambitious ransomware for mass deployment, supporting Windows, Linux, and ESXi and featuring a mature affiliate model, a partnership with the TeamPCP group, and a convenient operator panel. VECT even became the first notable example of the Breached forum's willingness to collaborate with international actors from Russia, China, and other regions, as we reported earlier.
However, an investigation by Check Point Research revealed that the technical implementation of VECT 2.0 differs significantly from its advertised capabilities:
❌ a flaw in the encryption routine effectively turns VECT 2.0 into a wiper, irreversibly corrupting files larger than 128 KB
❌ declared cryptographic methods don't match the actual implementation
❌ several claimed features, such as encryption speed selection, are missing; corresponding flags are ignored
❌ identical flaws appear across all three platform builds, indicating careless code reuse
In addition, the code contains numerous other weaknesses pointing to an unprofessional implementation. There are also suspicions that parts of the code were generated by AI.
Currently, subscription-based malware distribution models, including ransomware, are steadily gaining traction. As the number of such services grows, competition among operators intensifies, pushing them to find new ways to stand out and attract potential clients. Yet the VECT 2.0 case shows that standing out doesn't always come from quality: the proclaimed "professionalism" is often just a façade meant to create an impression of maturity. Such encryption design flaws pose risks not only to victims but also to affiliates themselves: irreversible file damage reduces the likelihood of receiving ransom payments.