Ransomware Erases Files Over 128KB, Blocking Decryption

The Flawed Ransomware: VECT's Critical Bug
VECT, a ransomware-as-a-service (RaaS) operation that first appeared online in December 2025, carries a significant bug in its encryptor. According to Check Point Research (CPR), the ransomware unintentionally behaves as a wiper: it discards nonces that are required to decrypt files larger than 128KB. A victim who pays and receives the decryption key therefore still cannot recover those files, because the nonces the key has to be combined with no longer exist.
How the Bug Works
The ransomware splits any file over 128KB into four chunks and encrypts each one with a fresh random 12-byte nonce, writing that nonce into a single shared output buffer. Because all four nonces are written to the same buffer address, each new nonce overwrites the previous one; only the last nonce, the one used for the fourth chunk, survives to be appended to the file. A decryptor holding the correct key can therefore recover only the fourth chunk. The first three were encrypted under nonces that were never stored anywhere, and without them the key alone cannot reverse the encryption.
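The overwrite described above, as an added example that is not VECT's code and not taken from CPR's report: the Go program below models a buggy encryptor that reuses one nonce buffer across the four chunks beside a corrected one that keeps a separate nonce per chunk, then runs the decryptor a paying victim would receive against both outputs. The cipher (AES-256-GCM, chosen only because it is a standard AEAD with a 12-byte nonce), the chunk-splitting arithmetic, the fixed key and the sample file are assumptions; the article supplies only the 128KB threshold, the four chunks and the 12-byte nonce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumed parameters: the article gives the 128KB threshold, four chunks and a
// 12-byte nonce; the cipher is not named, so AES-256-GCM stands in for it.
const (
	chunkThreshold = 128 * 1024
	chunkCount     = 4
	nonceSize      = 12
)

// must panics on error; the demo has no sensible recovery path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// splitChunks cuts a file above the threshold into four pieces; smaller files
// stay whole (the article reports the bug only for files over 128KB).
func splitChunks(data []byte) [][]byte {
	if len(data) <= chunkThreshold {
		return [][]byte{data}
	}
	size := len(data) / chunkCount
	chunks := make([][]byte, chunkCount)
	for i := range chunks {
		chunks[i] = data[i*size : (i+1)*size]
	}
	chunks[chunkCount-1] = data[(chunkCount-1)*size:] // remainder to last chunk
	return chunks
}

// encryptBuggy reproduces the reported defect: every chunk's nonce lands in the
// same 12-byte buffer, so each new one overwrites the last and only one is kept.
func encryptBuggy(aead cipher.AEAD, data []byte) (chunks, nonces [][]byte) {
	nonce := make([]byte, nonceSize) // one shared output buffer
	for _, c := range splitChunks(data) {
		must(rand.Read(nonce)) // overwrites the previous nonce in place
		chunks = append(chunks, aead.Seal(nil, nonce, c, nil))
	}
	return chunks, [][]byte{nonce} // the fourth chunk's nonce, nothing else
}

// encryptFixed allocates a fresh nonce per chunk and stores every one of them.
func encryptFixed(aead cipher.AEAD, data []byte) (chunks, nonces [][]byte) {
	for _, c := range splitChunks(data) {
		nonce := make([]byte, nonceSize)
		must(rand.Read(nonce))
		chunks = append(chunks, aead.Seal(nil, nonce, c, nil))
		nonces = append(nonces, nonce)
	}
	return chunks, nonces
}

// recoverChunks plays the decryptor a paying victim gets: the right key, but
// only the nonces the file carries. Returns decrypted-chunk count and plaintext.
func recoverChunks(aead cipher.AEAD, chunks, nonces [][]byte) (int, []byte) {
	ok, plain := 0, []byte{}
	for i, ct := range chunks {
		nonce := nonces[len(nonces)-1] // single stored nonce: try it everywhere
		if len(nonces) == len(chunks) {
			nonce = nonces[i] // one nonce per chunk
		}
		pt, err := aead.Open(nil, nonce, ct, nil)
		if err != nil {
			continue // GCM tag mismatch: this chunk's nonce no longer exists
		}
		ok++
		plain = append(plain, pt...)
	}
	return ok, plain
}

// demo encrypts a constructed ~264KB file with both builds and decrypts each.
func demo() (buggyOK, fixedOK int, fixedIntact bool) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key, never use a fixed one
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	data := bytes.Repeat([]byte("VECT-demo"), 30000) // constructed file > 128KB
	bc, bn := encryptBuggy(aead, data)
	buggyOK, _ = recoverChunks(aead, bc, bn)
	fc, fn := encryptFixed(aead, data)
	fixedOK, plain := recoverChunks(aead, fc, fn)
	return buggyOK, fixedOK, bytes.Equal(plain, data)
}

func main() {
	b, f, intact := demo()
	fmt.Printf("buggy build: %d/%d chunks recoverable\n", b, chunkCount)
	fmt.Printf("fixed build: %d/%d chunks recoverable, file intact: %v\n", f, chunkCount, intact)
}
```

Running it reports one recoverable chunk for the buggy build and four for the fixed one. Because the stand-in cipher is an AEAD, the decryptor fails loudly on the three chunks whose nonces are gone; if the real cipher were an unauthenticated stream cipher, a decryptor would instead emit keystream garbage for those chunks without any error, which leaves a victim with even less basis for judging whether paying worked.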
Additional Issues in the Code
CPR also identified several other problems in the VECT code: questionable handling of CPU threads, string obfuscation routines that cancel each other out, and ciphers misidentified in the group's own public statements. VECT operators can choose between three encryption modes (fast, medium and secure), but although the setting is parsed from the configuration, the code never acts on it.
Another unusual detail is that the malware's list of Commonwealth of Independent States (CIS) countries still includes Ukraine. Most ransomware operations removed Ukraine from such lists after Russia's invasion in 2022.
A Sophisticated Appearance with Underlying Problems
Despite being marketed as a sophisticated tool, VECT shows critical errors in its development. The malware targets Windows, Linux and ESXi hypervisors, and the group has partnered with other threat actors such as TeamPCP and built its own affiliate network through BreachForums.
CPR theorizes that the developers either used AI tools to generate parts of the code or started from an older code base.
Previous Examples of Ransomware Mistakes
This is not the first time a major ransomware group has shipped a programming error. Earlier this year, Nitrogen ransomware overwrote part of its encryption public keys with zeros, so even with the matching private key the mangled public keys made decryption impossible. That issue was most likely a simple off-by-one error on the developer's part.
Implications for the Cybersecurity Community
These mistakes may have backfired on their creators, but that is no reason for the community to ignore threats like VECT. Researchers note that the people behind it have ambition and understand what effective ransomware looks like; they could fix the issues identified in CPR's report and release a more effective version.
More importantly, VECT already has a distribution network in place, so the group can reach new victims without starting from scratch.
Conclusion
The discovery of VECT’s critical bug highlights the importance of continuous monitoring and analysis of ransomware threats. While the current version of the malware may have flaws, its potential for future development and widespread impact cannot be ignored. Cybersecurity professionals must remain vigilant and prepared to respond to evolving threats.