Cybersecurity researchers have uncovered a major flaw in the VECT 2.0 ransomware that causes the malware to permanently destroy large files instead of properly encrypting them, making recovery impossible even if victims decide to pay a ransom.
The ransomware operation has reportedly been promoted on newer versions of BreachForums, where the group invited users to join its affiliate program. Interested participants were allegedly given access keys through private messages.
VECT operators also announced a collaboration with TeamPCP, the threat actor linked to recent supply-chain attacks targeting Trivy, LiteLLM, Telnyx, and even the European Commission. According to the announcement, the partnership aimed to exploit victims affected by those supply-chain breaches by deploying ransomware payloads and expanding attacks against additional organizations.
Critical Encryption Flaw Discovered
Researchers found that VECT 2.0 contains a serious issue in how it manages encryption nonces during the file-encryption process. Although the ransomware was designed to speed up encryption for large files, the implementation accidentally overwrites nonce data during each encryption cycle.
Because the malware uses the same memory buffer repeatedly for nonce generation, every newly created nonce replaces the previous one. Once the encryption process is completed, only the final nonce remains stored and is written to disk.
This mistake means that only the last 25% of an affected file can potentially be recovered, while the remaining portions become permanently inaccessible due to the missing nonces.
The problem becomes even more severe because the lost nonces are not sent back to the attackers either. As a result, even the ransomware operators themselves would be unable to decrypt victim files after payment.
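To show why one surviving nonce leaves every earlier chunk beyond recovery even for someone holding the key, the following Go model is added here; it is not VECT's code, and the AES-256-GCM cipher, the 16-byte chunk size, the all-zero key and the sample plaintext are assumptions for the demonstration only. It reproduces the shared-buffer mistake and then attempts recovery with the single persisted nonce, as a decryptor would have to:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

const chunkSize = 16 // constructed for the demo; the article gives no real chunk size

// newGCM builds an AES-256-GCM AEAD for the demo; the cipher VECT actually uses is not named here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithSharedNonceBuffer models the reported defect: each chunk is sealed under a fresh
// nonce, but every nonce is generated into one reused buffer, so only the last one reaches disk.
func encryptWithSharedNonceBuffer(aead cipher.AEAD, plaintext []byte) (chunks [][]byte, storedNonce []byte) {
	nonceBuf := make([]byte, aead.NonceSize()) // the single shared buffer
	for off := 0; off < len(plaintext); off += chunkSize {
		end := off + chunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		rand.Read(nonceBuf) // overwrites the previous chunk's nonce (crypto/rand never returns an error)
		chunks = append(chunks, aead.Seal(nil, nonceBuf, plaintext[off:end], nil))
	}
	return chunks, nonceBuf
}

// recoverChunks is all a decryptor holding the key and the one persisted nonce can do: chunks
// whose nonce was overwritten fail GCM authentication, come back as nil and are counted as lost.
func recoverChunks(aead cipher.AEAD, storedNonce []byte, chunks [][]byte) (recovered [][]byte, lost int) {
	for _, c := range chunks {
		pt, err := aead.Open(nil, storedNonce, c, nil)
		if err != nil {
			lost++
		}
		recovered = append(recovered, pt)
	}
	return recovered, lost
}
```

With four chunks only the final one authenticates, the same one-in-four ratio the article quotes, but that ratio is a property of this toy split rather than of the malware's real chunking.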
Security researchers warned that the flaw effectively transforms the ransomware into a destructive data wiper, particularly in enterprise environments where most valuable assets exceed the malware’s file-size threshold.
“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point says.
Researchers also confirmed that the same nonce-management vulnerability exists across all VECT 2.0 variants, including Windows, Linux, and ESXi versions, meaning the irreversible file destruction behavior impacts every platform supported by the ransomware.