- New ransomware variant found to work as a destructive data wiper
- Faulty nonce handling causes files larger than 128KB to be permanently lost
- Despite being marketed as RaaS, victims cannot recover data even if they pay
VECT 2.0, a relatively new ransomware variant offered for sale on dark web forums, does not actually work and functions as a data wiper rather than an encryptor, researchers warn.
In a new in-depth report, cybersecurity team Check Point explained that the problem lies in the way VECT 2.0 handles “nonces”: random values needed to properly encrypt and then decrypt data. The malware splits large files into fragments, but instead of using new memory space for each fragment's nonce, it reuses the same space, overwriting the previous nonce.
In other words, you lose the “keys” to most of the file as you move along. Only the last part of the file can be recovered, while the rest is permanently destroyed. So even if the victims decide to pay the ransom demand, they still won’t be able to recover their files, nor could the threat actors help with that even if they wanted to.
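A minimal model of the failure described above, added here as an illustration; it is not code from the malware or from Check Point's report. The toy stream cipher, the 12-byte nonce and the 32 KB fragment size are assumptions, since the article gives none of them.

```python
import hashlib
import os

NONCE_LEN = 12          # assumed nonce size
CHUNK = 32 * 1024       # assumed fragment size; the article does not state one


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real one."""
    stream = bytearray()
    for counter in range(0, len(data), 32):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_with_reused_nonce_slot(key: bytes, plaintext: bytes):
    """Each fragment gets a fresh random nonce, but all are written to one slot."""
    nonce_slot = bytearray(NONCE_LEN)           # single buffer, reused per fragment
    fragments = []
    for off in range(0, len(plaintext), CHUNK):
        nonce_slot[:] = os.urandom(NONCE_LEN)   # overwrites the previous nonce
        fragments.append(keystream_xor(key, bytes(nonce_slot), plaintext[off:off + CHUNK]))
    return fragments, bytes(nonce_slot)         # only the last nonce is left to store


def recoverable_fragments(key, fragments, stored_nonce, original):
    """Decrypt every fragment with the one surviving nonce; report which match."""
    results = []
    for i, frag in enumerate(fragments):
        plain = keystream_xor(key, stored_nonce, frag)
        results.append(plain == original[i * CHUNK:(i + 1) * CHUNK])
    return results


def demo():
    key = os.urandom(32)                        # assume the correct key is available
    original = os.urandom(4 * CHUNK + 1000)     # constructed sample data, > 128 KB
    fragments, stored = encrypt_with_reused_nonce_slot(key, original)
    return recoverable_fragments(key, fragments, stored, original)


if __name__ == "__main__":
    print(demo())
```

Even with the correct key in hand, every fragment except the last decrypts to garbage, because the nonces that produced those fragments no longer exist anywhere.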
Working as a team with TeamPCP
To make matters worse, what the encryptor considers a “large file” is also incorrect. Check Point says that anything larger than 128 KB, which is ridiculously small by today’s standards, will end up being deleted.
“With a threshold of just 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not only VM disks, databases and backups, but also routine documents, spreadsheets and mailboxes. In practice, almost nothing a victim would like to recover falls below this limit,” Check Point warned.
VECT has reportedly been advertising on dark web forums lately, offering a ransomware-as-a-service model, inviting affiliates, and partnering with TeamPCP, a relatively young threat actor that has already made a name for itself with successful attacks against Trivy, LiteLLM, Telnyx, and the European Commission.