TechRadar
Sead Fadilpašić

'VECT is being marketed as ransomware...but it functions as a data destruction tool': Experts warn this "broken" ransomware is now acting as a data wiper, so protect your files now

  • A new ransomware variant was found to function as a destructive data wiper
  • Flawed nonce handling causes files larger than 128 KB to be permanently lost
  • Despite being marketed as RaaS, victims cannot recover data even if they pay

VECT 2.0, a relatively new ransomware variant that’s being offered for sale on dark web forums, is actually broken and works as a data wiper instead of an encryptor, researchers are warning.

In a new in-depth report, cybersecurity outfit Check Point explained that the problem lies in the way VECT 2.0 handles “nonces”, the random values needed to correctly encrypt, and later decrypt, the data. According to the report, the malware splits large files into chunks, but instead of allocating new memory for each chunk’s nonce, it reuses the same buffer, overwriting the previous nonce each time.

In other words, it loses the “keys” for most parts of the file as it goes along. Only the last chunk of the file can be recovered, while the rest is permanently destroyed. So even if the victims decide to pay the ransom demand, they still won’t be able to recover their files, and the threat actors could not help them even if they wanted to.
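To make the failure concrete, here is an added simulation (not Check Point’s analysis code and not the malware’s) of chunked encryption in which every chunk’s fresh nonce is written into a single reused slot, so only the final chunk can be authenticated and decrypted. The 16-byte chunk size, the demo key and the SHA-256-based keystream are constructed stand-ins for the real threshold and cipher.

```python
import hashlib
import hmac
import os

CHUNK_SIZE = 16          # constructed stand-in for the reported 128 KB threshold
DEMO_KEY = b"\x42" * 32  # constructed demo key

def keystream(key, nonce, length):
    # Illustrative keystream SHA-256(key || nonce || counter); stands in for a real stream cipher.
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_chunk(key, nonce, chunk):
    # Encrypt-then-MAC over (nonce, ciphertext) so a wrong nonce is detected, as an AEAD would.
    ct = bytes(p ^ k for p, k in zip(chunk, keystream(key, nonce, len(chunk))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_chunk(key, nonce, ct, tag):
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def encrypt_file(data, key, single_nonce_slot):
    """With single_nonce_slot=True each chunk's nonce overwrites one reused slot, so only the
    last nonce survives (the reported defect). With False, one nonce is kept per chunk."""
    sealed, nonces, slot = [], [], None
    for i in range(0, len(data), CHUNK_SIZE):
        nonce = os.urandom(12)
        sealed.append(seal_chunk(key, nonce, data[i:i + CHUNK_SIZE]))
        if single_nonce_slot:
            slot = nonce          # overwrites the previous chunk's nonce
        else:
            nonces.append(nonce)  # one stored nonce per chunk
    return sealed, ([slot] if single_nonce_slot else nonces)

def recover(sealed, nonces, key):
    """Try every surviving nonce on every chunk; a chunk whose nonce was lost comes back as None."""
    out = []
    for ct, tag in sealed:
        found = None
        for nonce in nonces:
            found = open_chunk(key, nonce, ct, tag)
            if found is not None:
                break
        out.append(found)
    return out
```

A file that fits in a single chunk survives either way, which is why only data below the threshold remains recoverable.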

Teaming up with TeamPCP

To make matters worse, the encryptor’s notion of a “large file” is also badly off. Check Point says that everything above 128 KB, which is laughably small by today’s standards, will end up being wiped.

“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point warned.

VECT has reportedly been advertising itself on dark web forums lately, offering a Ransomware-as-a-Service model, inviting affiliates, and teaming up with TeamPCP, a relatively young threat actor that has already made a name for itself with successful attacks against Trivy, LiteLLM, Telnyx, and the European Commission.
