The authors of a new strain of ransomware called Vect are drawing attention thanks to a partnership with the TeamPCP gang and an ambitious collaboration with BreachForums that has seen every registered member of the forum given free access to their platform, but according to malware analysts, its bluster is masking a dangerous secret.

Analysts at Check Point Research (CPR) have been digging into Vect, which surfaced towards the end of 2025, and say they have now found a serious encryption flaw in the locker – which ultimately causes it to act not as an encryptor, but as a data wiper.

Traditionally, the whole point of ransomware is that its effects are reversible. A cyber criminal encrypts and locks the victim’s files and, in theory, hands over the decryption key once they are paid off. In the real world this does not always happen, which is why all major authorities on ransomware concur that ideally, victims should never pay.

However, Vect blows the ransomware ‘business model’ to smithereens. The CPR team found that when Vect encounters a file of over 128KB in size – which in an enterprise context means most files, including virtual machine images, databases, backups and archives – it not only encrypts the file but permanently discards the information needed to reverse the process.

This means that even if the cyber criminals are paid, they cannot hand over a working decryptor – not through malice but because it isn’t possible to do so.

“Vect is being marketed as ransomware, but for any file over 128KB, which is most of what enterprises actually care about, it functions as a data destruction tool,” said Eli Smadja, general manager at CPR.

“CISOs need to understand that in a Vect incident, paying is not a recovery strategy. There is no decryptor that can be handed over, not because the attackers are unwilling, but because the information required to build one was destroyed the moment their software ran. The focus has to be on resilience: offline backups, tested recovery procedures, and rapid containment, not negotiation.”

The flaw has been present since before the public 2.0 release of Vect and, as of the time of writing, does not seem to have been fixed. It affects all three versions targeting ESXi, Linux and Windows, said CPR.