Attack Chain

1. Affiliate gains access to the VECT RaaS platform via BreachForums, after VECT announced the partnership with BreachForums in April 2026.
2. Affiliate builds a custom ransomware payload (Windows, Linux, or ESXi) via the VECT builder panel.
3. Ransomware binary is deployed to the target system.
4. The VECT ransomware begins encrypting files.
5. For files larger than 128 KB, the ransomware discards three of four decryption nonces due to a flaw in its encryption implementation.
6. Files are encrypted using ChaCha20-IETF (RFC 8439) without authentication.
7. A ransom note is displayed, demanding payment for decryption.
8. Due to the discarded nonces, files larger than 128KB are unrecoverable, even with the correct decryption key.

Impact

The VECT ransomware acts as a wiper for files larger than 128KB due to a flaw in its encryption process, causing permanent data loss. This includes enterprise assets such as VM disks, databases, documents and backups. The leak site has listed two victims, both originating from the TeamPCP supply chain attacks. If successful, the attack results in significant data loss.

Recommendation

• Monitor process creation events for executables with file names similar to legitimate system tools but located in unusual directories, which could indicate the presence of VECT ransomware on a system (see Sigma rule Detect VECT Ransomware Execution).
• Implement network monitoring to detect unusual outbound connections from systems, which might indicate lateral movement or communication with a command-and-control server.
• Deploy endpoint detection and response (EDR) solutions to detect and block suspicious file encryption activity on endpoints.
• Review and update incident response plans to include procedures for handling potential ransomware attacks, with a focus on data recovery and business continuity.