Skip to content
Ransomware group EsxiLinuxWindows

Vect

Vect is a financially motivated ransomware-as-a-service operation that emerged in late December 2025 and began claiming victims in early 2026.

Profile source: Mallory opens in a new tab

Vect

Family profile

Vect is a financially motivated ransomware-as-a-service operation that emerged in late December 2025 and began claiming victims in early 2026. It is a double-extortion ransomware family with affiliate-oriented infrastructure including a leak site, negotiation portal, and recruitment model that lowered barriers to entry for affiliates. Vect is associated with Russian-language cybercrime forum activity and has been publicly linked to an operational partnership with TeamPCP, in which TeamPCP harvested credentials and access through software supply-chain compromises and Vect used that downstream access for ransomware deployment and extortion. At least one Vect deployment has been reported as using TeamPCP-sourced credentials, and victim claims tied to that access pipeline have appeared on Vect’s leak infrastructure.

Vect is a cross-platform C++ ransomware family targeting Windows, Linux, and VMware ESXi environments. Reported capabilities include pre-encryption data theft for extortion, process termination, shadow-copy and recovery tampering, Safe Mode boot manipulation on Windows, LAN scanning, and lateral movement via SMB, WinRM, remote service creation, scheduled tasks, and SSH on non-Windows systems. It is positioned for enterprise intrusions and supports attacks against virtualized infrastructure, including handling of virtual disk files.

Technical analysis of Vect 2.0 identified a severe cryptographic implementation flaw affecting Windows, Linux, and ESXi variants. Large files are processed in chunks, but nonce-handling defects cause required decryption material for earlier chunks to be lost, making many files larger than 128 KB permanently unrecoverable even by the operators. As a result, Vect incidents can behave operationally like destructive wiper events rather than recoverable ransomware cases. Additional analysis has noted weak engineering practices and immature implementation quality despite comparatively developed criminal infrastructure. Organizations encountering Vect should treat it as both ransomware and potentially destructive malware, especially where exposed credentials from TeamPCP-linked CI/CD and supply-chain compromises may have enabled access.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Reconnaissance
  • Scanning

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

3 named in public reporting
TeamPCP

Arctic Wolf Labs assessed the group may operate in part as an Initial Access Broker (IAB), selling harvested credentials to other threat actors including the CipherForce and Vect ransomware affiliates.

LAPSUS$

The current pause, combined with the Vect ransomware affiliate announcement, suggests TeamPCP has shifted primary operational focus from supply chain expansion to monetization of existing credential harvests.

Vect

Check Point researchers opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware. They quickly determined that the ransomware-as-a-service group also isn't very good at writing code ... and they appear to have accidentally written a data wiper. Instead of encrypting large files ... Vect 2.0 ransomware permanently destroys any files larger than 131,072 bytes (128 KB).

Exploited software

Vulnerabilities linked to Vect

1 CVEs

MITRE ATT&CK

Vect in ATT&CK

57 distinct techniques

Techniques

57 techniques
T1486 Data Encrypted for Impact T1485 Data Destruction T1490 Inhibit System Recovery T1195 Supply Chain Compromise T1078 Valid Accounts T1537 Transfer Data to Cloud Account T1562.001 Disable or Modify Tools T1542.003 Bootkit T1021.006 Windows Remote Management T1046 Network Service Discovery T1021 Remote Services T1090 Proxy T1021.002 SMB/Windows Admin Shares T1195.002 Compromise Software Supply Chain T1021.003 Distributed Component Object Model T1039 Data from Network Shared Drive T1082 System Information Discovery T1083 File and Directory Discovery T1027 Obfuscated Files or Information T1059.001 PowerShell T1489 Service Stop T1135 Network Share Discovery T1059.003 Windows Command Shell T1555 Credentials from Password Stores T1547.001 Registry Run Keys / Startup Folder T1090.003 Multi-hop Proxy T1053.005 Scheduled Task T1070.004 File Deletion T1562.009 Safe Mode Boot T1561 Disk Wipe T1133 External Remote Services T1021.004 SSH T1005 Data from Local System T1112 Modify Registry T1529 System Shutdown/Reboot T1106 Native API T1482 Domain Trust Discovery T1569.002 Service Execution T1018 Remote System Discovery T1649 Steal or Forge Authentication Certificates T1053 Scheduled Task/Job T1562 Impair Defenses T1047 Windows Management Instrumentation T1567 Exfiltration Over Web Service T1497 Virtualization/Sandbox Evasion T1570 Lateral Tool Transfer T1497.001 System Checks T1528 Steal Application Access Token T1657 Financial Theft T1583 Acquire Infrastructure T1588 Obtain Capabilities T1565 Data Manipulation T1105 Ingress Tool Transfer T1195.001 Compromise Software Dependencies and Development Tools T1190 Exploit Public-Facing Application T1566 Phishing T1027.014 Polymorphic Code

Reporting

Research mentioning Vect

Jul 9
Alphahunt

[FORECAST] TeamPCP shows why package cleanup is not containment

Sophos reports that Vect and TeamPCP announced an operational partnership in late March 2026, combining TeamPCP’s credential harvesting and data theft with Vect’s ransomware deployment infrastructure. Sophos also reports at least one verified Vect ransomware deployment using TeamPCP-sourced credentials.

Jul 7
Cyber Security News

VECT and TeamPCP Reverse Ransomware Kill Chain With Supply Chain Credential Theft

A ransomware strain called VECT has formed an unusual supply chain partnership with a threat group known as TeamPCP, quietly exposing thousands of organizations to compromise before any ransom note appears.

Jul 3
Itpro

Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaign | IT Pro

The Vect ransomware as a service (RaaS) operation first appeared at the end of 2025... Sophos said Team PCP has demonstrated the ability to repeatedly compromise trusted open source tooling, with at least one verified Vect ransomware deployment using TeamPCP-sourced credentials.

Jul 2
Scworld

‘Interpol’ emails spread custom ransomware with decryption key left inside | news | SC Media

In April, Check Point Research discovered that the VECT ransomware-as-a-service (RaaS) group’s latest ransomware version destroyed files larger than 128 KB due to a faulty encryption process, leaving them unrecoverable.

Jul 2
Sophos

Vect and TeamPCP partner for ransomware campaigns | SOPHOS

The Vect ransomware-as-a-service (RaaS) operation first appeared on December 31, 2025... The formal partnership between TeamPCP and Vect allows Vect to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks.

Jun 30
Alpha Cyber

Bugs & Betrayal: VECT Ransomware by Design, Wiper by Accident - Alpha Cyber

Analysis of the VECT ransomware family suggests implementation flaws can undermine the operator’s own monetization objectives. Rather than reliably encrypting data for recovery after payment, coding defects may irreversibly destroy victim files, effectively turning ransomware into destructive wiper malware.

Jun 10
Flareio

TeamPCP and Cyber Supply Chain Attacks - Flare | Identity First Threat Intelligence | Unmatched Visibility into Cybercrime

The group aligned with the Vect ransomware operation... According to Check Point Research, VECT 2.0 permanently destroys any file larger than 128 KB because of a nonce-overwriting bug, making it a wiper rather than recoverable ransomware.

Jun 5
Malware News

Dark Web Profile: Vect Ransomware - Malware News - Malware Analysis, News and Indicators

Vect is a financially motivated, double extortion ransomware-as-a-service operation that surfaced on a Russian-language cybercrime forum on December 31, 2025 under the handle “vect.”

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.