Broken VECT 2.0 Ransomware Turns Large Files into Irrecoverable Wipes, Threatening Enterprise Data
What Happened — Researchers discovered that the VECT 2.0 ransomware, recently advertised on BreachForums, contains a flawed nonce‑handling routine. When it encrypts a file larger than roughly 128 KB, it processes the file in chunks, and each chunk's nonce overwrites the previous one, so only the final 25% of the file can be decrypted afterwards. Because the earlier nonces are gone, not even the attackers can decrypt the rest of the file, regardless of whether the ransom is paid.
Why It Matters for TPRM —
- The bug effectively turns the ransomware into a data wiper, exposing any third party that stores or processes large files (VM images, databases, backups) to catastrophic loss.
- Vendors that provide backup, cloud‑storage, or SaaS platforms may inadvertently become the delivery vector for VECT 2.0 via supply‑chain compromises.
- The partnership between VECT operators and the TeamPCP group widens the attack surface, linking ransomware to broader supply‑chain intrusion campaigns.
Who Is Affected — Enterprises across all sectors that rely on large‑file storage, including cloud‑hosting providers, backup‑as‑a‑service vendors, SaaS applications handling VM disks or database dumps, and any MSPs managing customer data.
Recommended Actions —
- Verify that all third‑party storage and backup providers have immutable, version‑controlled snapshots that can survive ransomware‑induced wipes.
- Review file‑encryption policies; enforce size‑based segmentation or alternative encryption schemes that keep a distinct nonce for every chunk rather than reusing a single nonce buffer.
- Update incident‑response playbooks to include “data‑wiper” scenarios and test restoration from clean backups.
Technical Notes — Attack vector: malicious ransomware payload delivered via a compromised supply chain or phishing. No CVE has been assigned; the flaw is a coding error in the ransomware's nonce‑buffer handling. Affected data types: any file >128 KB (VM disks, database files, backups, email archives). Source: BleepingComputer
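The nonce‑bookkeeping failure described under What Happened and Technical Notes, as an added illustration that is not code from the page or from the malware: a chunked encryptor that either records every chunk's nonce or overwrites a single nonce buffer, and a recovery routine that measures how much plaintext the surviving nonces can restore. The cipher is a stand‑in HMAC counter‑mode keystream, and the 32 KiB chunk size, key and sample file are assumptions chosen so that four chunks make the arithmetic match the brief's 25% figure.

```python
import hashlib
import hmac
import os

# Chunk size is an assumption for this illustration, not a documented VECT 2.0 value.
CHUNK = 32 * 1024

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter).
    Stand-in cipher so the example needs only the standard library; the
    nonce-bookkeeping lesson is identical for a real AEAD such as AES-GCM."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_chunks(key: bytes, data: bytes, keep_all_nonces: bool):
    """Encrypt `data` chunk by chunk with a fresh random nonce per chunk.
    keep_all_nonces=True  records every nonce (correct bookkeeping).
    keep_all_nonces=False overwrites one nonce buffer each chunk, the defect
    the brief describes. Returns (ciphertext chunks, nonces still available)."""
    ct, nonces = [], []
    for i in range(0, len(data), CHUNK):
        nonce, chunk = os.urandom(12), data[i:i + CHUNK]
        ct.append(xor(chunk, keystream(key, nonce, len(chunk))))
        nonces = nonces + [nonce] if keep_all_nonces else [nonce]  # else: earlier nonce lost
    return ct, nonces

def recover(key: bytes, ct: list, nonces: list) -> dict:
    """Decrypt whatever the surviving nonces allow. Nonces are paired with
    chunks from the end, since an overwritten buffer holds the last nonce used."""
    recovered = {}
    for idx, nonce in zip(range(len(ct) - 1, -1, -1), reversed(nonces)):
        recovered[idx] = xor(ct[idx], keystream(key, nonce, len(ct[idx])))
    return recovered

def recoverable_fraction(key: bytes, data: bytes, keep_all_nonces: bool) -> float:
    """Fraction of `data` that decrypts correctly under either bookkeeping model."""
    ct, nonces = encrypt_chunks(key, data, keep_all_nonces)
    good = sum(len(pt) for idx, pt in recover(key, ct, nonces).items()
               if pt == data[idx * CHUNK:(idx + 1) * CHUNK])
    return good / len(data)

# Constructed 128 KiB sample file: four 32 KiB chunks, so a single surviving
# nonce recovers exactly one quarter, the "final 25%" figure from the brief.
SAMPLE = bytes(range(256)) * (4 * CHUNK // 256)
KEY = hashlib.sha256(b"example key, not a real VECT key").digest()
```

With correct bookkeeping `recoverable_fraction(KEY, SAMPLE, True)` returns 1.0; with the overwritten buffer it returns 0.25, and the key alone is no help for the other three chunks.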