- A new ransomware variant was found to act as a destructive data wiper
- Improper handling results in permanent loss of files larger than 128 KB
- Despite being marketed as RaaS, victims cannot recover data even if they pay
VECT 2.0, a relatively new ransomware variant offered for sale on dark web forums, is actually broken and acts as a data wiper rather than an encryptor, researchers warn.
In a new in-depth report, cybersecurity outfit Check Point explained that the problem is the way VECT 2.0 handles “nonces” — random values needed to properly encrypt and later decrypt the data. Apparently, the malware splits large files into chunks, but instead of using new memory space for each nonce, it reuses the same one, thus overwriting the previous one.
In other words, it loses the “keys” for most parts of the file as it goes. Only the last part of the file can be recovered, while the rest is permanently destroyed. So even if the victims decide to pay the ransom demand, they still won’t be able to recover their files, and the threat actors wouldn’t be able to help even if they wanted to.
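The following is an added illustration, not code from Check Point's report or from the malware, of why a single reused nonce slot leaves only the final chunk decryptable even for someone holding the key. The SHA-256 counter-mode keystream, the 12-byte nonce, the 16-byte chunk size and all function names are assumptions made for the example, and the data is a constructed in-memory byte string.

```python
import hashlib
import os

CHUNK = 16       # constructed chunk size for the demo (assumption)
NONCE_LEN = 12   # assumed nonce length

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (not the malware's cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_with_single_nonce_slot(key: bytes, plaintext: bytes):
    """Every chunk gets a fresh nonce, but all of them land in one shared slot."""
    slot = bytearray(NONCE_LEN)
    out = []
    for off in range(0, len(plaintext), CHUNK):
        slot[:] = os.urandom(NONCE_LEN)  # overwrites the previous chunk's nonce
        chunk = plaintext[off:off + CHUNK]
        out.append(xor(chunk, keystream(key, bytes(slot), len(chunk))))
    # Only the last nonce written to the slot still exists at this point.
    return b"".join(out), bytes(slot)

def recoverable_chunks(key, ciphertext, surviving_nonce, original):
    """Try the one surviving nonce on every chunk; return indices that decrypt."""
    ok = []
    for i, off in enumerate(range(0, len(ciphertext), CHUNK)):
        c = ciphertext[off:off + CHUNK]
        if xor(c, keystream(key, surviving_nonce, len(c))) == original[off:off + CHUNK]:
            ok.append(i)
    return ok

def demo():
    key = b"k" * 32          # constructed key, known to the "decryptor"
    data = bytes(range(64))  # constructed 4-chunk sample "file"
    ct, nonce = encrypt_with_single_nonce_slot(key, data)
    return recoverable_chunks(key, ct, nonce, data)

if __name__ == "__main__":
    print("chunks recoverable with the correct key:", demo())
```

For incident responders, the practical consequence is that restoring affected files depends on backups rather than on any decryptor.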
Cooperation with TeamPCP
To make matters worse, what the encryptor considers a “large file” is also wrong. Check Point says that anything over 128 KB, which is ridiculously small by today’s standards, will end up being deleted.
“At a threshold of just 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file includes not only VM disks, databases and backups, but routine documents, spreadsheets and mailboxes. In practice, almost nothing a victim would care to restore falls below this limit,” Check Point warned.
VECT has reportedly advertised itself on dark web forums recently, offering a Ransomware-as-a-Service model and inviting affiliates, teaming up with TeamPCP, a relatively young threat actor that has already made a name for itself with successful attacks against Trivy, LiteLLM, Telnyx and the European Commission.



