Recent investigations by Check Point Research have uncovered troubling details about the ransomware known as Vect. Organizations that opted to pay Vect in hopes of recovering their data may have found their efforts futile, as the malware is not traditional ransomware but a wiper that destroys files larger than 128 KB.
Nature of the Attack
Since January, Vect has been linked to a series of supply-chain compromises involving tools like Trivy and LiteLLM. The group’s leak site has identified 25 organizations affected, with four of those listed since March, coinciding with the onset of extortion efforts related to these supply chain attacks. However, it remains unclear how many of these organizations are directly connected to the Trivy and LiteLLM compromises.
Claims and Verification Challenges
On April 15, Vect claimed to have targeted two significant victims, Guesty and S&P Global, with data losses reported at 700GB and 250GB, respectively. These claims, however, cannot be independently verified, and there is no confirmed information regarding the number of successful ransom payments or whether data was leaked without payment. Neither Guesty nor S&P Global has responded to inquiries regarding these incidents.
Technical Flaws in Vect’s Malware
Check Point’s analysis indicates that Vect’s malware is poorly constructed. Instead of encrypting files, it permanently deletes any file larger than 131,072 bytes (128 KB). This flaw is consistent across all publicly available versions of Vect’s ransomware, which include variants for Windows, Linux, and ESXi. The malware’s design incorporates a significant flaw in its encryption process: it discards the decryption nonces for most files, so those files cannot be recovered even with the attacker’s key.
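To make the nonce flaw concrete for readers weighing a ransom payment, the following Python model is an added illustration, not Vect’s code and not Check Point’s analysis tooling. It uses a constructed toy stream cipher (HMAC-SHA256 in counter mode) purely to show the property the article describes: when the per-file nonce is thrown away above the size threshold, the holder of the correct key can no longer reconstruct the keystream, so the ciphertext is as good as wiped. The 12-byte nonce length is an assumption for the model; the 131,072-byte threshold is the figure reported in the article.

```python
import hashlib
import hmac
import os

# Threshold reported by Check Point: files larger than this are unrecoverable.
SIZE_THRESHOLD = 131_072
# Assumption for this toy model only: a 96-bit random per-file nonce.
NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (integer arithmetic keeps it fast)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def flawed_encrypt(key: bytes, plaintext: bytes):
    """Model of the reported defect: the nonce is kept only for small files.

    Returns (nonce, ciphertext). Above the threshold the nonce is None, which is
    the same as deleting the file: nobody, attacker included, can recover it.
    """
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    if len(plaintext) > SIZE_THRESHOLD:
        return None, ciphertext  # nonce discarded: effectively a wiper
    return nonce, ciphertext


def decrypt(key: bytes, nonce, ciphertext: bytes) -> bytes:
    """Decrypt with the attacker's key; fails if the nonce was never stored."""
    if nonce is None:
        raise ValueError("nonce was never stored; keystream cannot be rebuilt")
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def recoverable(key: bytes, plaintext: bytes) -> bool:
    """Would paying (i.e. obtaining the key) get this file back?"""
    nonce, ciphertext = flawed_encrypt(key, plaintext)
    try:
        return decrypt(key, nonce, ciphertext) == plaintext
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo inputs: a config-sized file and a VM-disk-sized one.
    demo_key = os.urandom(32)
    for name, size in [("small config", 4_096), ("large disk image", SIZE_THRESHOLD + 1)]:
        print(f"{name} ({size} bytes): recoverable with key = {recoverable(demo_key, b'A' * size)}")
```

The takeaway for incident responders is the one Check Point states: a 96-bit (or larger) random nonce that was never written anywhere is not brute-forceable in practice, so for files above the threshold the only path back is offline backups, not the attacker’s decryptor.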
Implications for Affected Organizations
As noted by Check Point, “Full recovery is impossible for anyone, including the attacker.” The implications of this finding are severe, as the wiper effectively destroys critical enterprise assets such as virtual machine disks, databases, and backups. The research team also identified multiple other bugs and design failures within the ransomware’s code, further complicating any potential recovery efforts.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.