Overview
Vect is a Ransomware-as-a-Service operation that first appeared on Russian-language cybercrime forums in December 2025. By early 2026, it had executed confirmed attacks against organisations across technology, manufacturing, and financial services sectors after securing a high-profile partnership with BreachForums — the largest English-language cybercrime forum — and supply chain threat actor TeamPCP.
What separates Vect from most current RaaS operations is not its scale (though that is significant) but a critical design flaw disclosed by Check Point Research in May 2026: Vect 2.0’s encryption implementation destroys the decryption keys for files larger than 128KB. Organisations that pay the ransom cannot recover their data. This makes Vect functionally a wiper in almost every real-world deployment, regardless of operator intent.
The BreachForums Alliance
In early 2026, Vect’s operators made an announcement that had no direct precedent in documented RaaS history: every BreachForums member — estimated at over 300,000 accounts — was offered an immediate affiliate key with full operational support.
“From this day forward, every single BreachForums member will receive their own personal Vect Affiliation Key for immediate activation,” the announcement read. “Every member with initial access, and struggling with deploying ransomware, will receive help from the Vect support team.”
The intent was clear: convert BreachForums’ large population of aspiring threat actors — many with initial access capabilities but no ransomware infrastructure — into a distributed affiliate network at unprecedented scale. The offer combined access to:
- Vect ransomware builder (Windows, Linux, VMware ESXi variants)
- Encryption and negotiation infrastructure
- Technical support for deployment
- 80–88% affiliate revenue split
In practice, the effective affiliate pool is much smaller — most BreachForums accounts lack meaningful access to enterprise environments — but the announcement significantly lowered the barrier to entry for less technically sophisticated actors.
TeamPCP Supply Chain Integration
The second and more operationally significant partnership is with TeamPCP, a threat actor group known for compromising open-source software packages through dependency confusion, typosquatting, and direct repository compromise.
TeamPCP’s attacks create a supply chain of pre-positioned access: organisations that installed compromised packages gain a foothold for TeamPCP without being a direct phishing or vulnerability exploitation target. Vect formalised an arrangement where TeamPCP’s supply chain victims are passed to Vect affiliates as initial access — the victim organisation is already compromised, and the affiliate simply deploys ransomware into a prepared environment.
This combination — mass-market open-source supply chain access feeding into a mass-market RaaS affiliate model — represents a structural escalation of the industrialisation of ransomware operations. Earlier RaaS models required affiliates to independently acquire initial access; this arrangement pre-packages it.
The connection to the Trivy supply chain compromise (CVE-2026-33634) — a malicious code injection into Aqua Security’s widely used container scanning tool — is directly relevant: organisations affected by that supply chain attack who then encountered Vect ransomware found themselves targeted through the same pipeline.
Technical Profile
Ransomware architecture:
- Written in C++ from scratch — not derived from leaked LockBit, Conti, or other source code
- Targets Windows (x64), Linux, and VMware ESXi
- Self-propagating component that enumerates and spreads to accessible network shares
- Exfiltration prior to encryption (double extortion)
- Tor-based negotiation portal
The encryption flaw (Vect 2.0):
Check Point Research’s analysis identified a fundamental error in the symmetric encryption implementation. For files larger than approximately 128KB, the encryption routine fails to preserve the nonces (one-time values) required for decryption. The nonces are overwritten during the encryption process and are not included in the ransomware’s key exchange with the operator’s infrastructure.
The consequence: even if the operator has the private key and the victim pays in full, the decryption tool cannot recover files above 128KB. In any real enterprise environment, the vast majority of valuable files — databases, virtual machine images, document stores, code repositories — exceed 128KB. The data is cryptographically destroyed.
Check Point’s summary is unambiguous: “Companies that pay a ransom will not be able to recover most important files, not because the operator is uncooperative, but because the nonces required for decryption no longer exist.”
This appears to be an unintentional design error rather than deliberate destruction — Vect’s operators have a financial incentive for victims to recover files after paying. The bug appears to have been introduced in the 2.0 version of the encryptor.
Implications for Incident Response
The encryption flaw changes the calculus for organisations affected by Vect:
Do not pay the ransom. Beyond the normal reasons to avoid ransomware payment, Vect’s encryption flaw means payment provides no recovery benefit for the files that matter most. The ransom demand is effectively a pure revenue extraction that delivers nothing.
Backups are the only recovery path. Offline, tested, verified backups are the sole mechanism for recovering from a Vect attack. If backups are compromised or unavailable, the data is likely unrecoverable.
Report to law enforcement. The Vect/BreachForums/TeamPCP nexus is under active law enforcement investigation. Reporting provides intelligence that supports disruption operations.
Assess supply chain exposure. Given TeamPCP’s supply chain access role in feeding Vect affiliates, organisations should audit their software supply chains — particularly recently installed packages from npm, PyPI, or Docker Hub — for indicators associated with TeamPCP campaigns.
Group Assessment
| Factor | Assessment |
|---|---|
| Technical sophistication | Medium — custom C++ build, but with significant implementation errors |
| Operational scale | High — BreachForums affiliate pool, supply chain access pipeline |
| Financial motivation | High — designed for volume at scale |
| Victim recovery possible? | No — encryption flaw makes ransom payment non-viable |
| Active status | Confirmed active as of June 2026 |
| Sector targeting | Opportunistic — follows supply chain access rather than sector selection |