VECT: Ransomware by design, Wiper by accident
Strategic Summary
Describes a new ransomware variant that can accidentally act as a wiper, posing a dual threat of data encryption and destruction.
Full Text
Title: VECT: Ransomware by design, Wiper by accident
URL Source: https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
Published Time: 2026-04-28T13:03:01+00:00
[… 51,375 characters — next zone: keyword-dense paragraphs …]
**VECT Ransomware** is a Ransomware-as-a-Service (RaaS) program that first appeared in December 2025 on a Russian-language cybercrime forum. After claiming its first two victims in January 2026, the group returned to the public eye by announcing a partnership with **TeamPCP**, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as **Trivy**, **Checkmarx's KICS**, **LiteLLM** and **Telnyx**, affecting a large base of downstream consumers. Shortly after these attacks made headlines, VECT posted on **BreachForums**, announcing its partnership with **TeamPCP**, with the goal of exploiting the companies affected by those supply-chain attacks.
The Windows variant targets local, removable, and network-accessible storage, renames encrypted files with the `.vect` extension, drops a ransom note and a branded desktop wallpaper, and executes defense-evasion, persistence, and lateral-movement routines. Of particular note is a comprehensive **anti-analysis suite targeting 44 specific security and debugging tools**, alongside a safe-mode persistence mechanism and multiple remote-execution methods for lateral spread.
The ESXi variant of the VECT ransomware targets VMware ESXi hypervisors and employs geofencing and anti-debugging before disrupting various system services, wiping logs, and encrypting victim files, defaulting to the VMware File System mount point at `/vmfs/volumes`. The malware also supports SSH-based lateral movement, where the ransomware tries to use available credentials to connect to known SSH hosts.
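The `.vect` rename behaviour described for the Windows variant lends itself to a simple burst detector over file-rename telemetry. The following is an added example, not code from the Check Point report; the event line format, host names, PIDs, paths, and the threshold and window values are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

EXT = ".vect"  # extension the report says the Windows variant appends

# Constructed events, format assumed: "<ISO time> <host> <pid> <old path> -> <new path>"
SAMPLE_EVENTS = r"""
2026-05-04T10:00:01 ws-014 4312 C:\Users\a\My Docs\q1.xlsx -> C:\Users\a\My Docs\q1.xlsx.vect
2026-05-04T10:00:02 ws-014 4312 C:\Users\a\plan.docx -> C:\Users\a\plan.docx.vect
2026-05-04T10:00:02 ws-022 780 C:\Temp\a.tmp -> C:\Temp\a.log
2026-05-04T10:00:04 ws-014 4312 E:\backup\db.bak -> E:\backup\db.bak.vect
2026-05-04T10:01:00 ws-031 1500 C:\data\one.txt -> C:\data\one.txt.vect
2026-05-04T10:06:00 ws-031 1500 C:\data\two.txt -> C:\data\two.txt.vect
2026-05-04T10:12:00 ws-031 1500 C:\data\three.txt -> C:\data\three.txt.vect
"""

def parse(line):
    """Split one event line; paths may contain spaces, so split from both ends."""
    head, new_path = line.rsplit(" -> ", 1)
    ts, host, pid, old_path = head.split(" ", 3)
    return datetime.fromisoformat(ts), host, int(pid), old_path, new_path

def detect_bursts(lines, threshold=3, window_s=10):
    """Return sorted (host, pid) pairs that appended .vect to at least
    `threshold` files within `window_s` seconds. Events must be in time order."""
    recent = defaultdict(deque)   # (host, pid) -> timestamps of matching renames
    flagged = set()
    for line in lines:
        if not line.strip():
            continue
        ts, host, pid, old_path, new_path = parse(line)
        # Count only renames where the file newly gains the extension.
        if not new_path.lower().endswith(EXT) or old_path.lower().endswith(EXT):
            continue
        q = recent[(host, pid)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop renames that fell out of the window
        if len(q) >= threshold:
            flagged.add((host, pid))
    return sorted(flagged)

if __name__ == "__main__":
    for host, pid in detect_bursts(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {host} pid={pid}: burst of renames to *{EXT}")
```

Keying on (host, pid) keeps a slow, isolated rename on one machine from combining with activity elsewhere; in production the threshold and window would be tuned against baseline file-server behaviour.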
* **Check Point Research discovers that the […]
[… 50,560 characters — next zone: tail …]