VECT ransomware is so flawed it can’t even unlock encrypted files, researchers warn


The operators of VECT ransomware will provide keys to their ransomware to anyone willing to deploy it. There’s just one problem: it isn’t even capable of decrypting the files it locks. Don’t pay the ransom, researchers warn.

Check Point Research (CPR) has analyzed the VECT ransomware and found that it destroys files larger than 128 kilobytes rather than encrypting them.

“Full recovery is impossible for anyone, including the attacker,” the report on VECT ransomware warns.

It's not by design – it's an inadvertent flaw. The two leading theories are that this code was generated by AI or reused from an old codebase. The ransomware doesn’t target CIS countries, and its exclusions list still includes Ukraine, which has been uncommon since the start of the Russian war in Ukraine and hints at possible old code reuse.

VECT ransomware emerged only in late 2025 and has already participated in a few major breaches. It announced a partnership with TeamPCP, a threat actor, and BreachForums, the infamous illicit marketplace, stating its goal of building the largest criminal enterprise the world has ever seen.

Rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, they opened their doors to everyone.

Cybernews previously reported that hackers were recruiting all dark web forum users – over 300,000 – and offering ransomware keys for free.

“On paper, this looked like a serious and scalable threat. In practice, CPR gained access to the affiliate panel and builder, analyzed all three payloads, and found something the group’s own operators may not know: their software is broken in a way that makes it far more destructive, and far less profitable, than intended.”

The researchers suggest that the malware should be classified as a wiper, not ransomware. Wipers make data unrecoverable and are used in destructive cyber operations.

All versions of VECT ransomware are affected by the same flaw, including Windows, Linux, and VMware ESXi.

The malware includes many more flaws. For example, it lets the operator select an encryption speed but ignores the selection and works identically every time. Some built-in security evasion tools are never activated.

The group apparently prioritized design and appearance over actual functionality.

“If you’ve been hit: Do not pay. For large files, which include the vast majority of business-critical data, there is no functional decryptor, and there never will be,” the researchers warn in a blog post.

“Paying transfers money to criminals and returns nothing. Focus on recovery from clean backups and engage your incident response team immediately.”

