Don't pay Vect a ransom - your data's likely already wiped out
- Reference: 1777401391
- News link: https://www.theregister.co.uk/2026/04/28/dont_pay_vect_a_ransom/
- Source link:
Vect's leak site lists 25 organizations since January, and four since March, which is when the extortions from the supply chain attacks began. It's unclear, however, how many - if any - of the listed orgs are tied to Trivy and LiteLLM-related compromises.
"On April 15, the group claimed two larger victims, Guesty (700GB) and S&P Global (250GB), allegedly tied to earlier TeamPCP compromises," Eli Smadja, group manager at Check Point Research, told The Register. "However, these claims cannot be independently verified, and there is no confirmed visibility into how many of these cases resulted in successful ransom payments versus data being leaked without payment."
Neither Guesty nor S&P Global responded to The Register's inquiries.
Vect is one of the crime crews partnering with TeamPCP to leak data and extort victims of the ongoing attacks that infected [4]Trivy, [5]LiteLLM, [6]Checkmarx, and [7]Telnyx.
After initially compromising the security and developer tools, infecting them with self-propagating credential-stealing malware, TeamPCP and Vect announced their new partnership on BreachForums, bragging: "we will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns."
Plus Vect announced a partnership with the data leak site itself, and said that every registered BreachForums user can use Vect's ransomware, negotiation platform, and website.
So Check Point researchers [9]opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware. They quickly determined that the ransomware-as-a-service group also isn't very good at writing code - "not technically sophisticated" and "amateur execution" are how Check Point's research team describes the crims - and they appear to have accidentally written a data wiper.
Instead of encrypting large files, which is what ransomware is supposed to do, Vect 2.0 ransomware permanently destroys any files larger than 131,072 bytes (128 KB).
"Full recovery is impossible for anyone, including the attacker," the security analysts wrote. "At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions."
The ransomware, as advertised, includes Windows, Linux, and ESXi variants. All share the same encryption design built on libsodium, the same file-size thresholds, the same four-chunk logic, and the same flaw: the encryption implementation discards three of four decryption nonces for every file larger than 128 KB.
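To make the nonce-handling flaw concrete, here is an added illustration (not Check Point's analysis code and not anything from the Vect builder) that models the design described above: a file over 128 KB is split into four chunks, each encrypted under its own nonce, but only one nonce is retained, so three chunks can never be decrypted by anyone. It assumes an HMAC-SHA256 counter keystream as a stand-in for the libsodium stream cipher (the property that matters is that a wrong or missing nonce yields the wrong keystream) and assumes four equal-sized chunks, since the page does not document the real chunk layout; the `triage` helper is the incident-response view of the same threshold.

```python
import hashlib
import hmac
import os

# Added example, not code from Check Point or from Vect. Assumptions: HMAC-SHA256
# counter keystream stands in for the libsodium stream cipher; four equal chunks.
WIPER_THRESHOLD = 131_072   # 128 KB, the size quoted in the article
CHUNKS = 4
NONCE_LEN = 24

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: same (key, nonce) -> same bytes, different nonce -> garbage."""
    out = bytearray()
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def flawed_encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, list[bytes]]:
    """Encrypt the way the article says Vect 2.0 does; returns (ciphertext, nonces kept)."""
    if len(plaintext) <= WIPER_THRESHOLD:
        nonce = os.urandom(NONCE_LEN)
        return xor_stream(key, nonce, plaintext), [nonce]   # small file: nonce kept, recoverable
    size = -(-len(plaintext) // CHUNKS)
    nonces = [os.urandom(NONCE_LEN) for _ in range(CHUNKS)]
    ciphertext = b"".join(
        xor_stream(key, nonces[i], plaintext[i * size:(i + 1) * size]) for i in range(CHUNKS))
    return ciphertext, nonces[:1]   # the flaw: three of the four nonces are thrown away

def recover(key: bytes, ciphertext: bytes, kept: list[bytes]) -> tuple[bytes, int]:
    """Best-effort decrypt with the nonces that survive; returns (recovered prefix, bytes lost).
    Even the key holder cannot regenerate the discarded nonces, so the tail is gone."""
    if len(ciphertext) <= WIPER_THRESHOLD:
        return xor_stream(key, kept[0], ciphertext), 0
    size = -(-len(ciphertext) // CHUNKS)
    recovered = b"".join(
        xor_stream(key, kept[i], ciphertext[i * size:(i + 1) * size]) for i in range(len(kept)))
    return recovered, len(ciphertext) - len(recovered)

def triage(sizes: list[int]) -> dict:
    """IR view: files at or under the threshold are in principle decryptable, the rest are wiped."""
    wiped = [s for s in sizes if s > WIPER_THRESHOLD]
    return {"decryptable": len(sizes) - len(wiped), "wiped": len(wiped), "bytes_lost": sum(wiped)}
```

The practical consequence for responders is the one the researchers state: for anything over 128 KB, restore from backup rather than negotiate, because no decryptor can ever exist.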
In addition to the nonce-handling flaw, the malware analysts say they spotted "multiple" other bugs and design failures across all ransomware variants, suggesting that even criminals can't vibe code their way to a successful operation. As the researchers note: "The authors know what features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all." ®
[4] https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/
[5] https://www.theregister.com/2026/03/24/trivy_compromise_litellm/
[6] https://www.theregister.com/2026/04/27/supply_chain_campaign_targets_security/
[7] https://www.theregister.com/2026/03/30/telnyx_pypi_supply_chain_attack_litellm/
[9] https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
[10] https://www.theregister.com/2026/04/27/supply_chain_campaign_targets_security/
[11] https://www.theregister.com/2026/04/02/mercor_supply_chain_attack/
[12] https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/
[13] https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/
Re: Education is painful
Bit like the "lessons will be learned" after every
Re: Education is painful
The people in charge, though? Those CTOs who denied resources needed to reach the unrealistic objectives they pulled out of their asses? Because of course with AI, more can be done with less?
Why, they'll get their bonuses, of course.
There's 2 types of people
There are those that make backups, and there are those who have yet to lose irreplaceable data.
Re: There's 2 types of people
Type three: those looking for plausible deniability.
Re: There's 2 types of people
There are those that make backups, and there are those who make two backups.
Education is painful
This current rash of malware has one good consequence: those companies destroyed by it are going to remember that they should have paid more attention to IT and security in general.
Yes, it's going to hurt. People are going to lose their jobs. It's unfortunate.
It's also the cost of waking up to the world as it is: a dangerous place where you need to put up firewalls and barriers if you want to last.