VECT 2.0 Can't Even Ransomware Right, Destroys Your Files Instead

Oh good. Another Tuesday.

So apparently there's a ransomware strain called VECT 2.0 out there, and researchers just figured out it has a broken nonce implementation in its encryption routine. What does that mean in practice? It means the wolves went to all the trouble of sneaking into your pasture, and instead of holding your wool hostage for a ransom, they just... lit it on fire.

Large files. Gone. Not encrypted. Not recoverable. Just obliterated. Permanently.

I've been awake for thirty hours and this is genuinely the funniest thing I've read all week.

The bug is in how VECT 2.0 handles cryptographic nonces for larger files. Nonces, for the lambs in the back who are already glazing over, are supposed to be unique values that keep encryption from eating itself. When you reuse or mishandle them on big chunks of data, the encryption doesn't just fail. It corrupts. Catastrophically. Irreversibly.

So VECT 2.0 is less "pay us or lose your data" and more "your data is already dead, enjoy your afternoon."

Here's the part that keeps me up at night, more than the usual existential dread and ticket queue. The wolves didn't intend this. They wanted ransom payments. They built a broken tool, deployed it anyway, and now victims who get hit aren't even getting the courtesy of a ransom note that matters. There's nothing to decrypt. There's no key that fixes this. The file is just gone.
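The post does not say what VECT 2.0's nonce defect actually is, so the following is an added illustration, not code from the original post or from the referenced report: it models one hypothetical way a nonce-handling mistake on a large-file path leaves ciphertext undecryptable even for whoever holds the key. The toy hash-based stream cipher, the chunk size and the `buggy` flag are all constructed for the example.

```python
import hashlib
import os

CHUNK = 16        # toy chunk size so a "large" input is only a few chunks
NONCE_LEN = 8     # bytes of base nonce stored in the header


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: block i = SHA-256(key || nonce || i). Illustration only."""
    out = b""
    i = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chunk_nonce(base: bytes, index: int) -> bytes:
    # Per-chunk nonce = stored base nonce || chunk index, so the decryptor
    # can re-derive it from the header alone.
    return base + index.to_bytes(4, "big")


def encrypt(key: bytes, data: bytes, buggy: bool) -> bytes:
    base = os.urandom(NONCE_LEN)
    out = bytearray(base)                      # header: the only nonce ever written
    for i in range(0, len(data), CHUNK):
        if buggy and i > 0:
            # Hypothetical defect: the multi-chunk path draws a fresh base nonce
            # for every chunk after the first but never records it, so the
            # keystream for those chunks can never be regenerated.
            base = os.urandom(NONCE_LEN)
        c = data[i:i + CHUNK]
        out += xor(c, keystream(key, chunk_nonce(base, i // CHUNK), len(c)))
    return bytes(out)


def decrypt(key: bytes, blob: bytes) -> bytes:
    base, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    out = bytearray()
    for i in range(0, len(body), CHUNK):
        c = body[i:i + CHUNK]
        out += xor(c, keystream(key, chunk_nonce(base, i // CHUNK), len(c)))
    return bytes(out)


def recovered_chunks(key: bytes, blob: bytes, original: bytes) -> int:
    """Leading chunks the key holder can still recover exactly."""
    pt = decrypt(key, blob)
    n = 0
    while n * CHUNK < len(original) and pt[n * CHUNK:(n + 1) * CHUNK] == original[n * CHUNK:(n + 1) * CHUNK]:
        n += 1
    return n
```

Anything that fits in one chunk survives the defect, which is why a strain like this can look like working ransomware on small files while wiping large ones.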

The shepherds upstairs will probably read this headline, nod slowly, and ask if we can "just restore from backup." I'm going to go ahead and assume at least three of your lambs haven't had a verified backup in eight months. You know who you are.

And yes, before you ask, the flock is still clicking fake grain in emails. That's still how this gets in. Nothing has changed. Nothing will change. I've accepted this.

Remediation

Look, the wolf built a defective weapon, but it still got into your pasture somehow. Focus on that part.

  • Verify your backups actually work. Test a restore. Today. Not next quarter.
  • Segment your network. Ransomware spreading laterally is a you problem, not a them problem.
  • Apply your shearing schedule. Known vulnerabilities are still the most common entry point. Patch them.
  • Block macro execution and suspicious email attachments. The fake grain problem is solvable. You just have to care enough.
  • Assume large file destruction, not encryption. If VECT 2.0 hits you, stop waiting for a ransom note and start your incident response immediately.

Somewhere out there a wolf is staring at broken code wondering why nobody paid them, and honestly that's the only good news I've had all month.

Original Report: https://www.bleepingcomputer.com/news/security/broken-vect-20-ransomware-acts-as-a-data-wiper-for-large-files/