This ransomware doesn't want your money, it wants to erase your data
Vect ransomware is worrying companies in the United States. Unlike common attacks, it doesn't just encrypt — in practice, it destroys large files permanently. Even if you pay the ransom, recovery may be impossible.
This changes everything. What seemed like a classic case of “pay and get it back” turned into a real risk of irreversible loss of critical information.
Official source: VECT: Ransomware by design, Wiper by accident – Check Point Research (April 28, 2026).
- Vect 2.0 acts more like a wiper than traditional ransomware because of serious flaws in the encryption code.
- Files larger than 131,072 bytes (128 KB) are permanently destroyed, making payment futile in most cases.
- It hits backups hard and works on Windows, Linux, and VMware ESXi environments.
- Immutable, isolated backups along with behavioral monitoring are the best defenses.
- Paying the ransom does not guarantee recovery and encourages more attacks.
This RaaS operation launched its affiliate program in late 2025 and gained traction in 2026. What makes Vect especially dangerous is the combination of double extortion and data-destroying technical defects.
How Vect Ransomware Operates
Attackers get in through phishing, compromised credentials, or supply chain failures. They then steal data, disable protections and deploy the payload.
They go straight for backups, using commands such as vssadmin to delete shadow copies and stopping backup services such as Veeam's. The malware forces the system into Safe Mode to evade detection and clears the system logs.
By the time you notice the problem, the damage has already been done to most of your important files.
The C++ locker contains the same critical flaw in the Windows, Linux and ESXi versions. For large files it generates the nonces needed to encrypt (and later decrypt) the data, but then discards most of them.
Deep Technical Analysis
- For files over 131,072 bytes, it discards three of the four nonces required, making decryption impossible even for the criminals themselves.
- It uses bcdedit to force the system into Safe Mode, where many endpoint protections do not run.
- It runs wevtutil to clear event logs and vssadmin to delete shadow copies.
- It targets multiple platforms with dedicated variants and uses supply chain compromises as an entry point.
- The bug turns Vect into a wiper in practice, changing the economics of the attack and shifting the focus entirely to prevention.
Vect vs other Ransomware
| Feature | Vect 2.0 | LockBit | Akira |
|---|---|---|---|
| Encryption Problem | Destroys large files | Reliable encryption | Standard double extortion |
| Target Platforms | Windows, Linux, ESXi | Mostly Windows | Multi-platform |
| Backup Attack | Very aggressive | Strong | Moderate |
| Recovery After Payment | Often impossible | Usually works | Variable |
| Active Period | 2025-2026 | Long established | Active 2025-2026 |
This table clearly shows why Vect poses a greater risk. Traditional recovery strategies often don't work here.
No solution is foolproof. Advanced tools fail if backups are not fully isolated from the production network.
Ransomware groups evolve quickly. Relying only on antivirus or simple MFA leaves big gaps. Paying ransom finances the crime and does not solve the problem with Vect.
Smaller companies often do not have the resources to implement robust segmentation and 3-2-1 backups with immutable copies.
Prioritize immutable backups stored off the main network or in the cloud with tightly controlled access. Test restores regularly.
Implement behavioral detection that identifies suspicious commands such as changes to bcdedit or termination of backup services. Limit administrative privileges and use phishing-resistant MFA.
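A defender-side illustration of the behavioral detection described here, covering the vssadmin, bcdedit, wevtutil and backup-service commands listed in the technical analysis above. This is an added example, not code from the article or from Check Point's report; the log format, host names, user names and regular expressions are constructed for the demonstration.

```python
import re
from collections import namedtuple

# Rules for the evasion and backup-tampering commands the article attributes to
# Vect. Regexes are constructed for this example; tune them against real telemetry.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "safe_mode_boot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I),
    "backup_service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b.*\bveeam", re.I),
}

Alert = namedtuple("Alert", "host user rule command")

def parse_event(line: str) -> dict:
    """Parse a constructed 'host | user | command line' process-creation record."""
    host, user, command = (part.strip() for part in line.split("|", 2))
    return {"host": host, "user": user, "command": command}

def detect(lines) -> list:
    """One Alert per matching (event, rule); read-only admin commands stay quiet."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rx in RULES.items():
            if rx.search(ev["command"]):
                alerts.append(Alert(ev["host"], ev["user"], name, ev["command"]))
    return alerts

def hosts_with_multiple_tactics(alerts, min_rules: int = 2) -> list:
    """Hosts where several distinct rules fired: a single command may be routine
    administration, but several tampering tactics together warrant escalation."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)

# Constructed sample telemetry: one host shows the full tampering sequence, the
# others show legitimate administration that must not alert.
SAMPLE_LOG = [
    "SRV-FILE01 | CORP\\backupsvc | vssadmin list shadows",
    "SRV-FILE01 | CORP\\jdoe | vssadmin.exe delete shadows /all /quiet",
    "SRV-FILE01 | CORP\\jdoe | bcdedit /set {default} safeboot minimal",
    "SRV-FILE01 | CORP\\jdoe | net stop VeeamBackupSvc /y",
    "WS-0422 | CORP\\asmith | wevtutil qe Security /c:5",
    "SRV-BKP02 | CORP\\jdoe | wevtutil cl Security",
    "WS-0418 | CORP\\helpdesk | net stop Spooler",
]
```

On this sample, `detect` raises four alerts and `hosts_with_multiple_tactics` singles out SRV-FILE01, the host that chained shadow-copy deletion, a Safe Mode boot change and a backup-service stop, while the read-only and unrelated commands stay silent.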
Seek solutions with behavioral detection during backups and 24/7 monitoring via MDR. Providers with SOC 2 certification offer more confidence.
Carefully evaluate MDR and incident response services to reduce detection and response time.
Vect ransomware serves as a red alert for all companies. Its technical flaws transform a “normal” attack into permanent data loss. Prevention needs to be an absolute priority.
Invest now in isolated backups, real-time detection and tested recovery plans. The ransomware landscape will not improve on its own. Those who prepare today will be much safer tomorrow.