VECT 2.0 Ransomware Wipes Files Over 131KB on Windows, Linux, ESXi
The cyber‑crime group behind the VECT 2.0 ransomware has been observed deploying a strain that behaves more like a data‑wiper than conventional ransomware. In recent incidents targeting Windows, Linux and VMware ESXi environments, the malware irreparably corrupts any file larger than 131 KB, rendering recovery impossible even after a ransom is paid. The shift toward destructive behavior suggests the operators are willing to sacrifice revenue for rapid impact.
Security analysts tracing the malware’s code discovered a critical flaw in its symmetric‑encryption routine. Instead of encrypting the file content in a recoverable way, the routine overwrites the original bytes with random data and never stores the decryption key, leaving victims with permanently damaged assets. The bug manifests uniformly across the three platforms, indicating a shared core component that was likely compiled for each operating system.
Organizations can mitigate the risk by treating VECT 2.0 as a high‑severity threat. Key indicators of compromise include a sudden spike in large‑file I/O, the presence of a named mutex “VectMutex” and an outbound connection to a known command‑and‑control IP. Deploying behavior‑based endpoint detection, maintaining immutable offline backups, and segmenting critical systems will limit the wiper’s spread. Patching systems, especially those running ESXi, and employing application whitelisting further reduce exposure.
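The two indicators above, a burst of writes to files over the 131 KB threshold and the “VectMutex” mutex, can be turned into simple detection logic. The following is an added example, not code from the report or from any vendor; the log line format, the burst count and the time window are assumptions chosen for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Threshold from the report: only files larger than 131 KB are corrupted.
SIZE_THRESHOLD = 131 * 1024          # 134144 bytes
# Tuning values (assumed, not from the report): this many large-file writes
# from one process inside WINDOW_SECONDS is treated as a wiper-style burst.
BURST_COUNT = 5
WINDOW_SECONDS = 10
MUTEX_IOC = "VectMutex"              # mutex name named in the report

# Constructed sample events in an assumed "ts host pid event key=value..." format.
SAMPLE_LOG = """\
1000 srv1 4242 write path=/data/a.db size=900000
1001 srv1 4242 write path=/data/b.vmdk size=5000000
1002 srv1 4242 write path=/data/c.log size=2048
1003 srv1 4242 write path=/data/d.bin size=200000
1004 srv1 4242 write path=/data/e.bin size=150000
1005 srv1 4242 write path=/data/f.bin size=140000
1006 srv1 4242 write path=/data/g.bin size=134144
1007 srv1 9001 mutex name=VectMutex
1050 srv1 7777 write path=/home/u/small.txt size=512
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\d+) (\w+) (.*)$")

def parse_line(line):
    """Parse one event line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, pid, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": int(ts), "host": host, "pid": int(pid), "event": event, **fields}

def detect(log_text):
    """Return alerts for the mutex IoC and for bursts of writes to files > 131 KB."""
    alerts = []
    windows = defaultdict(list)      # (host, pid) -> timestamps of recent large writes
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "mutex" and ev.get("name") == MUTEX_IOC:
            alerts.append(("mutex_ioc", ev["host"], ev["pid"], ev["ts"]))
        elif ev["event"] == "write" and int(ev.get("size", 0)) > SIZE_THRESHOLD:
            key = (ev["host"], ev["pid"])
            # Keep only timestamps inside the sliding window, then add this one.
            windows[key] = [t for t in windows[key] if ev["ts"] - t <= WINDOW_SECONDS]
            windows[key].append(ev["ts"])
            if len(windows[key]) == BURST_COUNT:
                alerts.append(("large_write_burst", ev["host"], ev["pid"], ev["ts"]))
    return alerts
```

Note that the write at exactly 134144 bytes is not counted, matching the report’s “larger than 131 KB” wording, so the burst alert fires on the fifth qualifying write at timestamp 1005.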
The emergence of VECT 2.0 underscores a broader trend in the ransomware ecosystem where threat actors embed destructive capabilities to pressure victims or simply cause maximum disruption. Security teams should treat this variant as a zero‑day wiper until a clean decryption method is publicly released, prioritizing prevention over recovery.