Buggy Vect ransomware is effectively a data wiper, researchers find

Due to a bug in the ransomware, affiliates of the Vect Ransomware-as-a-Service operation are irretrievably encrypting victims’ data.

“Victims who pay the ransom cannot receive a functional decryptor for their most critical files – not because the operator is uncooperative, but because the nonces required for decryption no longer exist,” Check Point researchers warned.

Vect’s open-door affiliate policy let researchers in

After Vect announced that it will be partnering with BreachForums and providing an “affiliate key” to every registered user of the forum, Check Point researchers opened a BreachForums account and got access to Vect’s panel and ransomware builder.

This allowed them to create Windows, Linux and ESXi variants of the Vect 2.0 ransomware and analyze them.

The desktop wallpaper used by the Vect 2.0 Windows locker version (Source: Check Point)

“All three variants are statically compiled C++ executables embedding the libsodium cryptographic library, accept operator-supplied command-line flags, support lateral movement, and produce an identical on-disk encrypted file format,” they found.

However, they also discovered a flaw that results in the malware irreversibly encrypting any file larger than 128 KB.

For files exceeding that size, the Vect ransomware divides the file into four chunks and the encryption loop processes each chunk in sequence.

But a coding error causes each iteration to overwrite the same memory buffer with a newly generated nonce, meaning only the nonce from the final chunk is ever saved to the file. The three preceding nonces are cryptographically random and never stored elsewhere, and are thus permanently lost.

“Full recovery is impossible for anyone, including the attacker. At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included,” the researchers pointed out.
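The following is an added illustration, not Check Point's code or any part of the Vect binaries: it models the chunked encryption loop described above, with the buggy single-nonce-buffer variant beside a corrected one, to show why a decryptor can only ever recover the last of the four chunks. The on-disk layout (nonces appended as a footer) and the keystream function (SHA-256 in counter mode standing in for ChaCha20-IETF) are assumptions made for the demonstration.

```python
import os
import hashlib

NONCE_LEN = 12   # ChaCha20-IETF nonce size, as used by libsodium
CHUNKS = 4       # chunk count Vect uses for files above its 128 KB threshold

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for ChaCha20-IETF: SHA-256 in counter mode over key||nonce||ctr.
    # Same key/nonce shape, NOT the real cipher; only the nonce handling matters here.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def split_chunks(data: bytes) -> list:
    size = -(-len(data) // CHUNKS)            # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(CHUNKS)]

def encrypt_buggy(key: bytes, data: bytes) -> bytes:
    """Models the reported flaw: every iteration writes a fresh nonce into the
    same buffer, and only that buffer's final contents reach the file."""
    nonce_buf = bytearray(NONCE_LEN)
    body = b""
    for chunk in split_chunks(data):
        nonce_buf[:] = os.urandom(NONCE_LEN)  # previous chunk's nonce is gone
        body += xor(chunk, keystream(key, bytes(nonce_buf), len(chunk)))
    return body + bytes(nonce_buf)            # footer holds one nonce only

def encrypt_fixed(key: bytes, data: bytes) -> bytes:
    """Corrected loop: each chunk's nonce is retained and written to the file."""
    body, nonces = b"", b""
    for chunk in split_chunks(data):
        nonce = os.urandom(NONCE_LEN)
        nonces += nonce
        body += xor(chunk, keystream(key, nonce, len(chunk)))
    return body + nonces                      # footer holds all four nonces

def recover(key: bytes, blob: bytes, stored: int) -> list:
    """Decrypt with the nonces the footer carries; chunks lacking one get a zero nonce."""
    body, footer = blob[:-NONCE_LEN * stored], blob[-NONCE_LEN * stored:]
    nonces = [footer[i * NONCE_LEN:(i + 1) * NONCE_LEN] for i in range(stored)]
    missing = CHUNKS - stored                 # leading chunks with no nonce
    out = []
    for i, chunk in enumerate(split_chunks(body)):
        nonce = nonces[i - missing] if i >= missing else bytes(NONCE_LEN)
        out.append(xor(chunk, keystream(key, nonce, len(chunk))))
    return out
```

With the buggy format only the fourth chunk decrypts to its original bytes; the first three come back as keystream garbage regardless of the key, which is exactly the situation a paying victim is in.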

Vect victims have many reasons not to pay

The nonce-handling bug is present in all platform variants of the Vect 2.0 ransomware, and in an earlier version found in the wild before Vect 2.0 was released.

The researchers also found that:

  • The ransomware uses raw ChaCha20-IETF with no authentication layer for encryption
  • The advertised encryption speed modes (fast, medium, and secure) are parsed by the malware but then silently ignored
  • The ransomware is riddled with additional failures, including self-cancelling obfuscation routines, permanently unreachable anti-analysis code, and a thread scheduler that degrades the encryption process it was designed to improve.

“Together these findings paint a picture of a group with operational ambition, reflected in the BreachForums open-affiliate model and the TeamPCP supply-chain campaign, but with cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run,” they concluded.

And though Vect RaaS uses a double-extortion approach – exfiltrating data before encryption and threatening publication on a leak site if victims refuse to pay – Check Point researchers pointed out that affiliates are currently unable to build a dedicated tool for data exfiltration via the builder panel.

This, of course, does not prevent them from using a separate one, but some affiliates might skip that part and launch just the ransomware. Combined with the encryption flaw, this means that victim organizations have even less incentive to pay the ransom.
