VECT 2.0: the wiper camouflaged as ransomware that irreversibly erases data

Published · 4 min read

The campaign known as VECT 2.0 is forcing organizations to rethink what they mean by "ransomware": far from being merely an encryption-and-extortion tool, a technical design error turns it, in far too many cases, into an irreversible data wiper. Investigations by security firms and specialized media have shown that the Windows, Linux and ESXi variants split large files into fragments encrypted with ChaCha20-IETF but store only the nonce of the last fragment, discarding the three nonces needed to rebuild most of the content. Without a fragment's nonce, the keystream that encrypted it cannot be regenerated, so the key alone is useless for that fragment. The critical threshold is 131,072 bytes: any file larger than that is, in practice, unrecoverable even if the ransom is paid.

This technical failure makes VECT 2.0 a wiper camouflaged as ransomware: it is not that the criminals refuse to hand over the keys, but that they lack the information needed to build a working decryptor. The direct consequence for victims is brutally simple: paying does not guarantee recovery. The usual negotiation playbook becomes ineffective; the strategy must shift towards containment, restoration from trusted copies and forensic preservation of evidence.
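To make the nonce problem concrete, here is an added example (not code from the article, nor from any research it cites): a minimal pure-Python ChaCha20-IETF (RFC 8439, 96-bit nonce) used to replay the described defect on constructed in-memory data. The fragment length of 131,072 bytes is an assumption derived from the reported threshold; the `fragment_encrypt` / `recoverable_bytes` helpers model the scheme in the abstract and touch no files. `recoverable_bytes` compares against the original plaintext only to score the outcome; a real victim has no such oracle, which is exactly the point.

```python
import secrets
import struct

# --- Minimal ChaCha20 (RFC 8439: 32-bit block counter, 96-bit nonce, "IETF" variant) ---

def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block for (key, counter, nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8I", key)                          # 32-byte key, little-endian words
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)                        # 12-byte nonce
    w = state[:]
    for _ in range(10):                                         # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray(len(data))
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        for i, b in enumerate(data[off:off + 64]):
            out[off + i] = b ^ ks[i]
    return bytes(out)

# --- Model of the flawed fragment scheme described in the article ---

FRAGMENT_SIZE = 131_072   # assumption: fragment length taken from the reported 131,072-byte threshold

def fragment_encrypt(key: bytes, data: bytes, fragment_size: int = FRAGMENT_SIZE):
    """Encrypt each fragment under its own random nonce; returns (fragments, nonces).
    The defect being modelled: only nonces[-1] ever gets persisted, the rest are lost."""
    frags, nonces = [], []
    for off in range(0, len(data), fragment_size):
        n = secrets.token_bytes(12)
        frags.append(chacha20_xor(key, n, data[off:off + fragment_size]))
        nonces.append(n)
    return frags, nonces

def recoverable_bytes(key: bytes, frags, stored_nonce: bytes, original: bytes):
    """Replay what a decryptor holding the key and ONLY the last nonce can achieve.
    Returns (bytes recovered, bytes total, per-fragment success flags)."""
    recovered, off, per_fragment = 0, 0, []
    for f in frags:
        ok = chacha20_xor(key, stored_nonce, f) == original[off:off + len(f)]
        per_fragment.append(ok)
        recovered += len(f) if ok else 0
        off += len(f)
    return recovered, sum(len(f) for f in frags), per_fragment

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for size in (4_096, FRAGMENT_SIZE + 20_000):          # one fragment vs. two fragments
        data = (b"VECT demo " * (size // 10 + 1))[:size]  # constructed plaintext
        frags, nonces = fragment_encrypt(key, data)
        got, total, flags = recoverable_bytes(key, frags, nonces[-1], data)
        print(f"{size:>7} bytes in {len(frags)} fragment(s): {got}/{total} recoverable, per fragment {flags}")
```

Below the threshold the whole file is a single fragment and decrypts cleanly; above it, every fragment except the last comes back as noise, because with a 96-bit random nonce discarded there is no practical way to regenerate its keystream, key or no key.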

Image generated with AI.

On the other hand, VECT 2.0 is also an experiment in the industrialization of digital crime. It is offered as RaaS with an affiliate program (with an entry fee reportedly paid in Monero), exemptions for applicants from certain regions, and agreements with forums and leak groups to facilitate access to stolen credentials and lower the technical barrier to attack. This combination of access to exfiltrated data, a control panel and affiliates is the recipe for scaling incidents in volume and speed, and raises the likelihood of incidents targeting supply chains and critical networks.

Beyond the cryptographic issue, the variants show worrying features that ease propagation and evade analysis: safe-mode persistence on Windows, remote-execution templates and SSH lateral movement on ESXi/Linux, and geofencing that prevents infection in certain jurisdictions. Interestingly, the exclusion list includes countries that other ransomware families try to avoid, which has led researchers to speculate about reused code, AI-assisted generation or simple errors in the geographic logic.

What should security officers do today? First, assume that in an infection by this family, payment cannot be relied on to recover data. Response plans must be activated that prioritize impact containment: isolate affected systems, preserve forensic images of disks and logs, and restore from offline or immutable (WORM) backups that have been tested in prior exercises. Cloud copies should be combined with integrity controls and versioning to prevent the malware from encrypting or corrupting them.


In parallel, teams should review the technical controls that limit the risk of spread: network segmentation, least privilege for administrative accounts, disabling unnecessary exposed services (e.g. SMB or SSH without management controls), broad MFA deployment, and early detection with EDR/SIEM that alerts on mass file modifications, boot-policy changes or anomalous writes to VSS and backups. No less important are rotation and remediation of compromised credentials and a review of third-party suppliers and their access after a possible supply-chain campaign.
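As an added example (not from the article and not any vendor's detection content), the following Python sketches the three SIEM-style rules the paragraph calls for, run over constructed telemetry lines in an assumed `timestamp|host|pid|process|event|target` format. The thresholds, the protected-path patterns, the `bcdedit ... safeboot` signature for a boot-policy change, and the sample process names and paths are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables: assumed values for this example, not thresholds taken from the article.
MASS_THRESHOLD = 20                    # file writes/renames by one process ...
WINDOW = timedelta(seconds=60)         # ... within this sliding window
BOOT_POLICY_RE = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.IGNORECASE)
# Shadow-copy storage and an assumed backup root; writes here by ordinary processes are suspect.
PROTECTED_PATH_RE = re.compile(r"\\System Volume Information\\|\\Backups\\", re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Assumed line format: timestamp|host|pid|process|event|target (target may contain '|')."""
    ts, host, pid, proc, kind, target = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "proc": proc, "kind": kind, "target": target}

def detect(lines) -> list:
    """Return a list of alert dicts {rule, host, pid, detail} for the given telemetry lines."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = []
    mod_times = defaultdict(list)          # (host, pid, proc) -> timestamps of file modifications
    for e in events:
        if e["kind"] in ("FileWrite", "FileRename"):
            mod_times[(e["host"], e["pid"], e["proc"])].append(e["ts"])
            if PROTECTED_PATH_RE.search(e["target"]):
                alerts.append({"rule": "vss_or_backup_write", "host": e["host"],
                               "pid": e["pid"], "detail": e["target"]})
        elif e["kind"] == "ProcessCreate" and BOOT_POLICY_RE.search(e["target"]):
            alerts.append({"rule": "boot_policy_change", "host": e["host"],
                           "pid": e["pid"], "detail": e["target"]})
    # Mass-modification rule: any WINDOW containing >= MASS_THRESHOLD events for one process.
    for (host, pid, proc), times in mod_times.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > WINDOW:
                lo += 1
            if hi - lo + 1 >= MASS_THRESHOLD:
                alerts.append({"rule": "mass_file_modification", "host": host, "pid": pid,
                               "detail": f"{proc}: {hi - lo + 1} file modifications within {WINDOW.seconds}s"})
                break
    return alerts

def build_sample_events() -> list:
    """Constructed telemetry (not real logs): one benign write, then a burst from one process."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    ev = [f"{base.isoformat()}|ws01|4120|explorer.exe|FileWrite|C:\\Users\\alice\\report.docx"]
    for i in range(25):
        t = base + timedelta(seconds=i)
        ev.append(f"{t.isoformat()}|ws01|7788|updater.exe|FileRename|C:\\Users\\alice\\doc{i}.xlsx")
    t = base + timedelta(seconds=30)
    ev.append(f"{t.isoformat()}|ws01|7788|updater.exe|ProcessCreate|bcdedit /set {{default}} safeboot minimal")
    t = base + timedelta(seconds=31)
    ev.append(f"{t.isoformat()}|ws01|7788|updater.exe|FileWrite|C:\\System Volume Information\\shadow.tmp")
    return ev

if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(f"[{a['rule']}] {a['host']} pid={a['pid']}: {a['detail']}")
```

In production these rules would be fed by EDR file and process telemetry rather than pipe-delimited strings, and the mass-modification threshold would be tuned per host role, since backup agents and build servers legitimately touch many files in a minute.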

On the governance side, organizations must document decisions and communications: notify regulators and affected parties where policy requires it, coordinate with law enforcement and share indicators with the response community (STI). It is also time to invest in resilience: offline backup policies, regular recovery tests, cyber insurance with clear exclusions, and risk assessments that contemplate irreparable mass-erasure scenarios.

Finally, the emergence of VECT 2.0 highlights two strategic risks: the democratization of cybercrime through RaaS and marketplaces, and the possibility that technical errors or AI-generated code turn tools into weapons of accidental destruction. Organizations must address both: strengthen technical controls and adopt a proactive threat-intelligence and supply-chain security posture to reduce the attack surface. For further technical information and public alerts, consult the research and releases of specialized security laboratories and press, such as the resources of Check Point Research, media such as The Hacker News, and publications from sectoral agencies such as the Data Security Council of India (DSCI), as well as market-intelligence analyses.
