Ransomware group's own coding blunder turns its software into a data destroyer, making recovery impossible even after payment

Check Point Research says VECT 2.0 permanently wipes virtually all enterprise-critical files due to a flaw its operators appear unaware of

by Defused News Writer

A ransomware operation that partnered with one of the most prolific supply chain attack groups of 2026 has been undone by its own incompetence, with security researchers finding that a fundamental programming error turns its software into a data destruction tool that makes recovery impossible for anyone, including the criminals themselves.

Check Point Research said on Monday that VECT 2.0, a ransomware-as-a-service operation that first appeared on a Russian-language cybercrime forum in December 2025, permanently destroys any file larger than 128 kilobytes rather than locking it in a reversible way.

At that threshold, virtually every file an enterprise would care about, including virtual machine images, databases, backups, spreadsheets and documents, is irretrievably lost the moment the software runs.

"VECT is being marketed as ransomware, but for any file over 131KB, which is most of what enterprises actually care about, it functions as a data destruction tool," said Eli Smadja, group manager at Check Point Research.

The flaw stems from a coding error in how the software handles the unique values needed to reverse its own scrambling process.

When processing large files, the software generates four separate values but writes each one to the same memory location, meaning each new value overwrites the last.

Only the final value is preserved, leaving the rest of the file permanently unrecoverable.

"Even if a victim were to pay the attackers to unlock their data, no one can undo the damage because the information needed to reverse the process no longer exists," the researchers wrote.
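The nonce overwrite described above can be modelled on an in-memory buffer to show why holding the key does not help. This is an added illustration, not code from VECT or from Check Point's report: the SHA-256 counter-mode keystream stands in for the cipher (the article does not name it), and the 12-byte nonce length, the equal four-way split and all function names are assumptions.

```python
import hashlib
import os

CHUNKS = 4        # per the article: four nonces for a large file
NONCE_LEN = 12    # assumed length; the article gives none

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), not VECT's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def split(data: bytes) -> list:
    size = -(-len(data) // CHUNKS)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(CHUNKS)]

def encrypt_with_shared_slot(data: bytes, key: bytes):
    """Model of the flaw: a fresh nonce per chunk, all written to one slot."""
    slot = bytearray(NONCE_LEN)          # the single storage location
    encrypted = []
    for chunk in split(data):
        nonce = os.urandom(NONCE_LEN)
        slot[:] = nonce                  # overwrites the previous chunk's nonce
        encrypted.append(xor(chunk, keystream(key, nonce, len(chunk))))
    return encrypted, bytes(slot)        # only the last nonce survives

def recoverable_chunks(encrypted, key: bytes, nonce: bytes, original: bytes):
    """Indices of chunks that decrypt correctly given the key and stored nonce."""
    return [i for i, (c, p) in enumerate(zip(encrypted, split(original)))
            if xor(c, keystream(key, nonce, len(c))) == p]

def demo():
    key = os.urandom(32)
    original = bytes(range(256)) * 1024  # constructed 256 KiB sample buffer
    encrypted, stored_nonce = encrypt_with_shared_slot(original, key)
    return recoverable_chunks(encrypted, key, stored_nonce, original)

if __name__ == "__main__":
    print(demo())
```

Even with the correct key, only the final chunk (index 3) decrypts, because the nonces for the first three chunks were never stored anywhere.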

The error is identical across all three versions of VECT targeting Windows, Linux and VMware ESXi systems, and has been present in every known release of the software, suggesting its operators have never identified it.

Check Point believes the group behind VECT are novices rather than experienced operators, and noted that portions of the code were likely generated with the help of artificial intelligence tools or adapted from an older codebase without adequate understanding of how it works.

Researchers found numerous additional defects: advertised security features that are parsed in the code but never actually activated, protective routines that cancel each other out, and the software's own logs misidentifying which method it uses to scramble files.

Despite the technical failings, VECT has built an ambitious distribution network.

The group partnered with TeamPCP, the threat actor behind supply chain attacks in March that compromised widely used software packages including Trivy and LiteLLM, and announced a deal with the BreachForums cybercrime marketplace that gives every registered user free access to deploy the software.

VECT's leak site has claimed 25 victims since January, including two larger targets in April that the group says are linked to the TeamPCP supply chain compromises, though Check Point could not independently verify those claims.

Check Point's central message to affected organisations is blunt: do not pay.

The recap

  • VECT ransomware discards decryption nonces for large files.
  • Files larger than 128KB are split into four encrypted chunks.
  • Researchers warn operators could update VECT and relaunch.