Key findings

  • Do not pay the ransom. VECT permanently destroys large files rather than locking them. Even the attackers cannot recover them. Payment will not restore your data.
  • VECT partnered with TeamPCP and BreachForums to build one of the largest ransomware affiliate networks ever assembled, giving them a ready-made pipeline to thousands of potential victims.
  • The encryption flaw exists across all versions. Windows, Linux, and ESXi variants are all affected. The bug has been present since before the public 2.0 release and has never been fixed.
  • Advertised features don’t work. Encryption speed modes, anti-analysis protections, and other capabilities are either unimplemented or broken.

A new threat with an ambitious playbook

VECT emerged in late 2025 with an unusual ambition: rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, they opened their doors to everyone. Through a formal partnership with BreachForums, a major cybercrime marketplace, VECT distributed access to their ransomware platform to every registered member of the forum automatically. Thousands of potential operators, almost overnight.

At the same time, VECT announced a partnership with TeamPCP, the group responsible for a series of supply-chain attacks earlier this year that compromised popular software tools used by businesses worldwide. The stated goal, openly announced on BreachForums, was to use the access gained in those attacks as a launchpad for ransomware deployment against the companies already compromised by them.

On paper, this looked like a serious and scalable threat. In practice, Check Point Research gained access to the affiliate panel and builder, analyzed all three payloads, and found something the group’s own operators may not know: their software is broken in a way that makes it far more destructive, and far less profitable, than intended.

Our researchers also believe VECT is more likely the work of newcomers than experienced ransomware operators. The pattern of errors, which are identical across every platform and uncorrected across every version, is not consistent with a seasoned group. The possibility that parts of the codebase were generated with AI assistance cannot be ruled out, and would help explain how a group could produce something that looks credible on the surface while containing fundamental mistakes underneath.

The critical flaw: It’s a wiper, not ransomware

Ransomware is supposed to be reversible. The attacker locks your files, holds the key, and returns it when you pay. That’s the business model. VECT’s software breaks this model entirely, not by design, but by mistake.

When VECT encrypts large files, and virtually every file that matters to a business qualifies, it permanently discards the information needed to reverse the process. There is no key to hand back. The attacker cannot provide a working decryptor, not because they are unwilling, but because the means to decrypt no longer exists anywhere.

This affects the files ransomware groups typically use as their strongest leverage: virtual machine images, databases, backups, and archives. For these file types, VECT is not ransomware. It is a data wiper with a ransom note attached.

Check Point Research confirmed this flaw exists across all three versions of VECT’s software (Windows, Linux, and VMware ESXi) and has been present in every known version of the malware, including samples that predate the public 2.0 release. It has never been fixed.

Professional appearance, serious gaps

VECT has invested heavily in looking legitimate. The affiliate panel is well-designed. The partnerships are real. The marketing is polished. But analysis of the actual code tells a different story.

Several features the group advertises to operators simply do not work. Encryption speed settings, offered as a way to balance speed and thoroughness, are accepted by the software and then silently ignored. Every attack runs identically regardless of what settings the operator chooses.

Security evasion tools designed to help VECT avoid detection were built and compiled into the software, but are never actually activated. Any security researcher can run VECT today with no evasive response from the malware itself.

These are not minor oversights. They are the kinds of errors that basic testing would catch, and they suggest a group that has prioritized the appearance of a professional operation over building one.

There is also evidence suggesting VECT may be built on a leaked ransomware codebase from before 2022, rather than written from scratch as the group claims. A telling indicator is an unusual geofencing choice: VECT’s software is configured to avoid attacking targets in Ukraine, a country that most Russian-speaking ransomware groups stopped protecting after the 2022 war. Retaining that exclusion points to code inherited from an older source, not a deliberate ideological stance by the current operators.

What this means for your organization

If you’ve been hit:

Do not pay. For large files, which include the vast majority of business-critical data, there is no functional decryptor and there never will be. Paying transfers money to criminals and returns nothing. Focus on recovery from clean backups and engage your incident response team immediately.

If you haven’t been hit:

VECT’s current limitations do not make it harmless. Data can still be exfiltrated before encryption runs. Systems still go down. And the flaws identified are correctable; a future version that fixes them, distributed through the same network that already has thousands of affiliates, would be significantly more dangerous. This group is worth watching.

Organizations with exposure to the recent TeamPCP supply-chain attacks, which targeted widely used developer tools including Trivy, KICS, LiteLLM, and Telnyx, should treat credential rotation as an immediate priority.


Eli Smadja is Group Manager at Check Point Research.
