{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/telnyx/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi","Trivy","KICS","LiteLLM"],"_cs_severities":["high"],"_cs_tags":["ransomware","wiper","raas"],"_cs_type":"threat","_cs_vendors":["VMware","Check Point","Checkmarx","Telnyx"],"content_html":"\u003cp\u003eVECT Ransomware is a Ransomware-as-a-Service (RaaS) that emerged in December 2025 and gained notoriety after partnering with TeamPCP in March 2026. This partnership aimed to exploit victims of TeamPCP\u0026rsquo;s supply chain attacks, which injected malware into software packages like Trivy, Checkmarx’ KICS, LiteLLM and Telnyx. VECT 2.0, released in February 2026, targets Windows, Linux, and ESXi, built from a single flawed codebase using libsodium and the ChaCha20-IETF cipher. A critical flaw causes the ransomware to discard decryption nonces for files larger than 128 KB, resulting in data corruption and irrecoverable files. Advertised encryption speed modes (\u0026ndash;fast, \u0026ndash;medium, \u0026ndash;secure) are parsed, but ignored.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAffiliate gains access to the VECT RaaS platform via BreachForums, after VECT announced the partnership with BreachForums in April 2026.\u003c/li\u003e\n\u003cli\u003eAffiliate builds a custom ransomware payload (Windows, Linux, or ESXi) via the VECT builder panel.\u003c/li\u003e\n\u003cli\u003eRansomware binary is deployed to the target system.\u003c/li\u003e\n\u003cli\u003eThe VECT ransomware begins encrypting files.\u003c/li\u003e\n\u003cli\u003eFor files larger than 128 KB, the ransomware discards three of four decryption nonces due to a flaw in its encryption implementation.\u003c/li\u003e\n\u003cli\u003eFiles are encrypted using ChaCha20-IETF (RFC 8439) without authentication.\u003c/li\u003e\n\u003cli\u003eA ransom note is displayed, demanding payment for decryption.\u003c/li\u003e\n\u003cli\u003eDue to the discarded nonces, files larger than 128 KB are unrecoverable, even with the correct decryption key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe VECT ransomware acts as a wiper for files larger than 128 KB due to a flaw in its encryption process, causing permanent data loss. This includes enterprise assets such as VM disks, databases, documents and backups. The leak site has listed two victims, both originating from the TeamPCP supply chain attacks. If successful, the attack results in significant data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for executables with file names similar to legitimate system tools but located in unusual directories, which could indicate the presence of VECT ransomware on a system (see Sigma rule \u003ccode\u003eDetect VECT Ransomware Execution\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual outbound connections from systems, which might indicate lateral movement or communication with a command-and-control server.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to detect and block suspicious file encryption activity on endpoints.\u003c/li\u003e\n\u003cli\u003eReview and update incident response plans to include procedures for handling potential ransomware attacks, with a focus on data recovery and business continuity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T13:03:01Z","date_published":"2026-04-28T13:03:01Z","id":"/briefs/2026-04-vect-ransomware/","summary":"VECT 2.0 ransomware, a RaaS offering, permanently destroys large files due to an encryption flaw, discarding decryption nonces for files above 128 KB, rendering them unrecoverable and effectively acting as a wiper; it uses raw ChaCha20-IETF with no authentication.","title":"VECT Ransomware Destroys Files Due to Encryption Flaw","url":"https://feed.craftedsignal.io/briefs/2026-04-vect-ransomware/"}],"language":"en","title":"CraftedSignal Threat Feed — Telnyx","version":"https://jsonfeed.org/version/1.1"}