Vect 2.0 Ransomware Wiper Flaw Exposes TeamPCP Supply Chain Risks
A newly identified ransomware strain named Vect 2.0 has been observed executing wiper‑style attacks against organizations compromised through the TeamPCP software supply chain. The malware, first documented by threat‑intelligence firm SentinelLabs on 12 January 2026, is delivered as a forged update to TeamPCP’s remote‑management module, allowing it to silently infiltrate Windows and Linux endpoints.
Technical analysis reveals that Vect 2.0 encrypts files with AES‑256 in CBC mode, but a programming error derives the initialization vector (IV) from the file name rather than from a cryptographically secure random source. In CBC mode this is a confidentiality flaw, not a destructive one: files with the same name encrypt identically whenever their contents match, and two ciphertexts reveal how many leading blocks the underlying files have in common, yet the transformation remains invertible for anyone who holds the key. CBC has no keystream to reuse; that failure mode belongs to counter and stream modes. What turns Vect 2.0 into a wiper is the rest of the design. The payload has no key‑exchange routine, so there is no channel by which a per‑victim key reaches the operators, and the bundled "decryptor" does not invert the cipher at all: it runs the encryption routine a second time over the already‑encrypted data, under the same key and filename‑derived IV. Recovery is therefore impossible without pristine backups.
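To make that distinction concrete, the Go program below is an added illustration; it is not code from SentinelLabs, TeamPCP or the Vect 2.0 sample. It models the two defects separately: a CBC encryptor whose IV is a function of the file name (SHA‑256 of the name truncated to one block is an assumption, since the page does not say how Vect 2.0 derives its IV), and a "decryptor" that pushes ciphertext through the encryptor a second time. The 32‑byte key is a constructed value. Encrypting two same‑named files under the filename IV reveals how many leading blocks they share, a fresh random IV hides that, a correct decryptor with the key does round‑trip the data, and the re‑encrypting decryptor never does.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DemoKey is a constructed AES-256 key for this example; 32 bytes is a valid length, so aes.NewCipher cannot fail.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")
var demoBlock, _ = aes.NewCipher(DemoKey)

// ivFromName reproduces the flaw described above: the IV is a function of the file name.
// SHA-256 truncated to one block is an assumption; the page does not say how Vect 2.0 derives it.
func ivFromName(name string) []byte {
	sum := sha256.Sum256([]byte(name))
	return sum[:aes.BlockSize]
}

// randomIV is what correct CBC does: fresh CSPRNG bytes for every file.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// pkcs7Pad always appends 1..16 bytes so the input becomes block-aligned.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncryptBlocks is raw AES-CBC encryption of block-aligned input under iv.
func cbcEncryptBlocks(iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCBCEncrypter(demoBlock, iv).CryptBlocks(out, in)
	return out
}

// Encrypt is AES-256-CBC with PKCS#7 padding; the caller chooses the IV.
func Encrypt(iv, plaintext []byte) []byte {
	return cbcEncryptBlocks(iv, pkcs7Pad(plaintext))
}

// Decrypt is the correct inverse: CBC-decrypt, then verify and strip the padding. It
// needs the key, which Vect 2.0 never hands to anyone because it has no key exchange.
func Decrypt(iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(demoBlock, iv).CryptBlocks(out, ct)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}

// sharedPrefixBlocks counts the leading 16-byte blocks on which two ciphertexts agree.
func sharedPrefixBlocks(c1, c2 []byte) int {
	n := 0
	for e := aes.BlockSize; e <= len(c1) && e <= len(c2) && bytes.Equal(c1[e-aes.BlockSize:e], c2[e-aes.BlockSize:e]); e += aes.BlockSize {
		n++
	}
	return n
}

// LeakWithFilenameIV encrypts two same-named files under the filename IV and returns how many
// leading ciphertext blocks match: exactly the shared plaintext prefix, visible without any key.
func LeakWithFilenameIV(name string, p1, p2 []byte) int {
	iv := ivFromName(name)
	return sharedPrefixBlocks(Encrypt(iv, p1), Encrypt(iv, p2))
}

// LeakWithRandomIV does the same with a fresh IV per file: 0 barring a ~2^-128 collision.
func LeakWithRandomIV(p1, p2 []byte) int {
	return sharedPrefixBlocks(Encrypt(randomIV(), p1), Encrypt(randomIV(), p2))
}

// RealDecryptorRecovers confirms the cipher is invertible when the key is known.
func RealDecryptorRecovers(name string, pt []byte) bool {
	iv := ivFromName(name)
	got, err := Decrypt(iv, Encrypt(iv, pt))
	return err == nil && bytes.Equal(got, pt)
}

// FakeDecryptorRecovers models the broken "decryptor" the page describes: it pushes the ciphertext
// through the encryptor again instead of inverting it, so it never yields the plaintext, key or no key.
func FakeDecryptorRecovers(name string, pt []byte) bool {
	iv := ivFromName(name)
	return bytes.Equal(cbcEncryptBlocks(iv, Encrypt(iv, pt)), pt)
}
```

The point of the exercise: the IV flaw on its own would leave files recoverable by whoever held the key. It is the missing key handling and the inverted decryptor that make Vect 2.0 a wiper.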
Incident responders have catalogued several hundred affected hosts across the manufacturing, healthcare, and finance sectors in the United States and Europe. In each case, the ransomware appended the extension ".vect2" to encrypted files and dropped a ransom note titled "HOW_TO_RESTORE.txt". Security researchers note that the Bitcoin address in the note has no transactions recorded on public blockchain explorers: no payment has ever reached it, so the operators have no track record of receiving ransoms, let alone of honoring them. Combined with the deterministic wiping behavior, this argues strongly against paying. Nothing indicates that a working key or decryptor would be delivered, and the decryptor that ships with the malware corrupts data rather than restoring it.
Organizations should audit their TeamPCP update mechanisms, enforce code‑signing verification on every update before it is installed, and monitor for the identified IOCs: the file hash (SHA‑256) 7f3a8c91d2e4b5..., the mutex "Global\VectWipe", and the registry key "HKLM\SOFTWARE\Vect2" on Windows hosts. Deploy endpoint detection and response (EDR) rules that flag the creation of ".vect2" files and bursts of file writes and renames consistent with mass encryption; the extension is trivial for the operators to change, so the behavioral rule should not depend on the string match. In the event of infection, isolate compromised systems, restore from offline backups, and consult the MITRE ATT&CK techniques T1486 (Data Encrypted for Impact) and T1485 (Data Destruction) to refine detection logic.
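As an added example of the detection logic described above (not an EDR vendor's rule set and not TeamPCP code), the Go program below parses constructed file‑creation telemetry and applies three checks: an IOC match on the ".vect2" extension, an IOC match on the HOW_TO_RESTORE.txt note name, and a per‑process burst count over a sliding time window that fires regardless of extension. The telemetry format, the host and process names, and the threshold of four files within thirty seconds are all assumptions chosen for the demonstration; a real deployment tunes the threshold against baseline activity such as compilers, backup agents and installers.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// FileEvent is a minimal file-creation telemetry record; the schema is an assumption for this example.
type FileEvent struct {
	Time    time.Time
	Host    string
	Process string
	Path    string
}

// SampleEvents are constructed lines, not captured telemetry ("time|host|process|path"): ws-17 shows
// the page's IOCs, build-02 is a compiler writing objects, srv-db1 is a write burst with no ".vect2" at all.
const SampleEvents = `2026-01-12T09:00:00Z|ws-17|updater.exe|C:\Users\mlee\Documents\q4.xlsx.vect2
2026-01-12T09:00:01Z|ws-17|updater.exe|C:\Users\mlee\Documents\HOW_TO_RESTORE.txt
2026-01-12T09:00:02Z|ws-17|updater.exe|C:\Users\mlee\Pictures\img01.jpg.vect2
2026-01-12T09:00:05Z|build-02|cc1|/tmp/ccA1.o
2026-01-12T09:00:45Z|build-02|cc1|/tmp/ccA2.o
2026-01-12T09:01:00Z|srv-db1|agent|/srv/share/report1.pdf.tmp
2026-01-12T09:01:02Z|srv-db1|agent|/srv/share/report2.pdf.tmp
2026-01-12T09:01:03Z|srv-db1|agent|/srv/share/report3.pdf.tmp
2026-01-12T09:01:05Z|srv-db1|agent|/srv/share/report4.pdf.tmp
2026-01-12T09:01:07Z|srv-db1|agent|/srv/share/report5.pdf.tmp`

// ParseEvents rejects malformed lines instead of dropping them, so a feed problem
// surfaces as an error rather than as a silent detection gap.
func ParseEvents(raw string) ([]FileEvent, error) {
	var events []FileEvent
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", i+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, FileEvent{ts, f[1], f[2], f[3]})
	}
	return events, nil
}

// Detect returns one "host|rule|count" entry per (host, rule) hit, sorted.
// ioc-ext: a ".vect2" file was created. ioc-note: HOW_TO_RESTORE.txt was created.
// burst: one process on one host created >= threshold files inside window, which
// also catches a variant whose extension has been changed to defeat the string IOC.
func Detect(events []FileEvent, threshold int, window time.Duration) []string {
	hits := map[string]int{}
	byProc := map[[2]string][]time.Time{}
	for _, e := range events {
		// Basename that accepts both separators, so Windows and Linux paths are treated alike.
		name := e.Path[strings.LastIndexAny(e.Path, `/\`)+1:]
		if strings.HasSuffix(strings.ToLower(name), ".vect2") {
			hits[e.Host+"|ioc-ext"]++
		}
		if strings.EqualFold(name, "HOW_TO_RESTORE.txt") {
			hits[e.Host+"|ioc-note"]++
		}
		k := [2]string{e.Host, e.Process}
		byProc[k] = append(byProc[k], e.Time)
	}
	for k, times := range byProc {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// Two-pointer sliding window: j is the first event later than times[i]+window.
		best, j := 0, 0
		for i := range times {
			for j < len(times) && !times[j].After(times[i].Add(window)) {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best >= threshold {
			hits[k[0]+"|burst"] = best
		}
	}
	out := make([]string, 0, len(hits))
	for k, v := range hits {
		out = append(out, fmt.Sprintf("%s|%d", k, v))
	}
	sort.Strings(out)
	return out
}

func main() {
	events, err := ParseEvents(SampleEvents)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(Detect(events, 4, 30*time.Second), "\n"))
}
```

On the sample feed the string IOCs fire for ws-17 even though it writes only three files, while srv-db1 is caught by the burst rule alone; build-02 stays quiet because its two writes fall outside one window. The burst rule is the one worth keeping after the operators rename the extension.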