
Vect ransomware actually destructive wiper malware

by admin
April 30, 2026

A new ransomware strain called Vect is getting attention because of its links to TeamPCP and a public collaboration that gave every registered BreachForums member free access to its platform. But malware analysts say the group’s marketing is hiding a much bigger problem: a flaw that breaks the malware’s main function and turns it into a data wiper.

Check Point Research has been analyzing Vect, which first appeared in late 2025, and says it has found a serious encryption bug in the locker. Normal ransomware encrypts files and, in theory, restores them after payment. Vect instead permanently destroys the information needed to reverse the process when it targets files larger than 128KB.

That size threshold matters because, in enterprise environments, it includes most important files such as virtual machine images, databases, backups, and archives. In other words, for many high-value files, Vect does not just lock data. It makes recovery impossible.

Eli Smadja, general manager at Check Point Research, said Vect is being sold as ransomware, but for most enterprise files it behaves like a destruction tool. He also said paying a ransom is not a recovery strategy in a Vect incident, because the decryptor cannot be built after the software runs. The only practical response is resilience: offline backups, tested recovery plans, and fast containment.

The flaw appears to have existed before Vect’s public 2.0 release and has not been fixed yet. According to Check Point Research, it affects all three versions aimed at ESXi, Linux, and Windows.

Coding mistakes

Check Point Research says Vect appears to have been built with a strong focus on presentation. It has a polished affiliate panel and real partnerships that make it look like a professional operation.

At the same time, the researchers found that several advertised features do not actually work. The ransomware claims to offer encryption speed settings, but those controls are non-functional.

Some of its security evasion tools are also broken. They are included in the build, but they do not activate, which makes analysis easier because researchers can run Vect in a sandbox without triggering meaningful evasions.

The researchers said these are not small mistakes. They are errors that basic testing should have caught, which suggests the group may care more about looking professional than building reliable malware.

There is also evidence that Vect may have been built on a leaked ransomware codebase from early 2022 or earlier rather than written from scratch. One clue is that Vect does not target Ukraine, a restriction often seen in older Russian-speaking ransomware families. That suggests the underlying code may predate the war.

What happens next

Vect’s leak site currently lists only a small number of victims, and those appear to come from TeamPCP’s earlier compromise of Aqua Security’s Trivy vulnerability scanner. That makes it hard to judge how active the group really is.

Even with its flaws, the malware is still dangerous. It can steal sensitive data, disrupt systems, and potentially become much worse if the broken parts are fixed later.

The advice for victims is simple: do not pay. Recovery should come from clean backups and other restoration methods, not ransom negotiations.

Organizations that may have been affected by TeamPCP’s supply chain attacks, including incidents involving KICS, LiteLLM, and Telnyx, should review their environments and rotate credentials immediately.

For defenders, Vect is a reminder that badly built ransomware can still cause real damage. It is worth monitoring closely.
