LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Vect

Vect Ransomware: Industrialised RaaS with a Fatal Encryption Flaw That Makes Data Unrecoverable

Vect is a new RaaS operation that partnered with BreachForums and supply chain attacker TeamPCP to scale rapidly. Check Point Research's analysis reveals a critical encryption bug: paying the ransom cannot recover your data.

By Ransomware Tracker ·
VectRaaSBreachForumsTeamPCPsupply chainencryption flawwiperransomware 2026
Threat Level
8/10
Sectors Targeted
technology
manufacturing
finance
critical-infrastructure
Ransomware Family
Vect

Overview

Vect is a Ransomware-as-a-Service operation that first appeared on Russian-language cybercrime forums in December 2025. By early 2026, it had executed confirmed attacks against organisations across technology, manufacturing, and financial services sectors after securing a high-profile partnership with BreachForums — the largest English-language cybercrime forum — and supply chain threat actor TeamPCP.

What separates Vect from most current RaaS operations is not its scale (though that is significant) but a critical design flaw disclosed by Check Point Research in May 2026: Vect 2.0’s encryption implementation destroys the decryption keys for files larger than 128KB. Organisations that pay the ransom cannot recover their data. This makes Vect functionally a wiper in almost every real-world deployment, regardless of operator intent.

The BreachForums Alliance

In early 2026, Vect’s operators made an announcement that had no direct precedent in documented RaaS history: every BreachForums member — estimated at over 300,000 accounts — was offered an immediate affiliate key with full operational support.

“From this day forward, every single BreachForums member will receive their own personal Vect Affiliation Key for immediate activation,” the announcement read. “Every member with initial access, and struggling with deploying ransomware, will receive help from the Vect support team.”

The intent was clear: convert BreachForums’ large population of aspiring threat actors — many with initial access capabilities but no ransomware infrastructure — into a distributed affiliate network at unprecedented scale. The offer combined access to:

  • Vect ransomware builder (Windows, Linux, VMware ESXi variants)
  • Encryption and negotiation infrastructure
  • Technical support for deployment
  • 80–88% affiliate revenue split

In practice, the effective affiliate pool is much smaller — most BreachForums accounts lack meaningful access to enterprise environments — but the announcement significantly lowered the barrier to entry for less technically sophisticated actors.

TeamPCP Supply Chain Integration

The second and more operationally significant partnership is with TeamPCP, a threat actor group known for compromising open-source software packages through dependency confusion, typosquatting, and direct repository compromise.

TeamPCP’s attacks create a supply chain of pre-positioned access: organisations that installed compromised packages gain a foothold for TeamPCP without being a direct phishing or vulnerability exploitation target. Vect formalised an arrangement where TeamPCP’s supply chain victims are passed to Vect affiliates as initial access — the victim organisation is already compromised, and the affiliate simply deploys ransomware into a prepared environment.

This combination — mass-market open-source supply chain access feeding into a mass-market RaaS affiliate model — represents a structural escalation of the industrialisation of ransomware operations. Earlier RaaS models required affiliates to independently acquire initial access; this arrangement pre-packages it.

The connection to the Trivy supply chain compromise (CVE-2026-33634) — a malicious code injection into Aqua Security’s widely used container scanning tool — is directly relevant: organisations affected by that supply chain attack who then encountered Vect ransomware found themselves targeted through the same pipeline.

Technical Profile

Ransomware architecture:

  • Written in C++ from scratch — not derived from leaked LockBit, Conti, or other source code
  • Targets Windows (x64), Linux, and VMware ESXi
  • Self-propagating component that enumerates and spreads to accessible network shares
  • Exfiltration prior to encryption (double extortion)
  • Tor-based negotiation portal

The encryption flaw (Vect 2.0):

Check Point Research’s analysis identified a fundamental error in the symmetric encryption implementation. For files larger than approximately 128KB, the encryption routine fails to preserve the nonces (one-time values) required for decryption. The nonces are overwritten during the encryption process and are not included in the ransomware’s key exchange with the operator’s infrastructure.

The consequence: even if the operator has the private key and the victim pays in full, the decryption tool cannot recover files above 128KB. In any real enterprise environment, the vast majority of valuable files — databases, virtual machine images, document stores, code repositories — exceed 128KB. The data is cryptographically destroyed.

Check Point’s summary is unambiguous: “Companies that pay a ransom will not be able to recover most important files, not because the operator is uncooperative, but because the nonces required for decryption no longer exist.”

This appears to be an unintentional design error rather than deliberate destruction — Vect’s operators have a financial incentive for victims to recover files after paying. The bug appears to have been introduced in the 2.0 version of the encryptor.

Implications for Incident Response

The encryption flaw changes the calculus for organisations affected by Vect:

Do not pay the ransom. Beyond the normal reasons to avoid ransomware payment, Vect’s encryption flaw means payment provides no recovery benefit for the files that matter most. The ransom demand is effectively a pure revenue extraction that delivers nothing.

Backups are the only recovery path. Offline, tested, verified backups are the sole mechanism for recovering from a Vect attack. If backups are compromised or unavailable, the data is likely unrecoverable.

Report to law enforcement. The Vect/BreachForums/TeamPCP nexus is under active law enforcement investigation. Reporting provides intelligence that supports disruption operations.

Assess supply chain exposure. Given TeamPCP’s supply chain access role in feeding Vect affiliates, organisations should audit their software supply chains — particularly recently installed packages from npm, PyPI, or Docker Hub — for indicators associated with TeamPCP campaigns.

Group Assessment

FactorAssessment
Technical sophisticationMedium — custom C++ build, but with significant implementation errors
Operational scaleHigh — BreachForums affiliate pool, supply chain access pipeline
Financial motivationHigh — designed for volume at scale
Victim recovery possible?No — encryption flaw makes ransom payment non-viable
Active statusConfirmed active as of June 2026
Sector targetingOpportunistic — follows supply chain access rather than sector selection
// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting