The takeaway: Ransomware trojans are traditionally designed to "kidnap" enterprise data and demand a cryptocurrency ransom in exchange for its release. A recently discovered threat, however, is so poorly implemented that victims are unlikely to recover their data even if they pay the ransom in full.

Check Point researchers have uncovered a new ransomware-as-a-service (RaaS) threat with significant design flaws. Vect 2.0 cannot properly perform its intended function: rather than encrypting most files, it effectively destroys them. The malware behaves more like a wiper, because of what appears to be a fundamental failure in its encryption implementation.

Vect 2.0 contains a critical flaw in its encryption routine, the Israeli researchers explained. The malware splits every file larger than 128KB into four independent chunks and encrypts each one with a freshly generated random 12-byte nonce. However, the first three nonces are discarded; only the fourth is appended to the encrypted file written to disk. Because the nonce is a required input for decryption, the first three chunks of every such file cannot be decrypted by anyone, the operators holding the key included.

The result of this flawed design is that every file larger than 128KB is effectively overwritten with small amounts of unusable random data that not even the attackers can reverse. This wiper-like behavior silently destroys documents, spreadsheets, virtual machine disk images, databases, archives, and other data critical to an organization's ability to operate. For defenders, a Vect 2.0 incident therefore has to be handled as data destruction: offline backups, not negotiation, are the only recovery path.
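To make the failure mode concrete, the following is an added example (not code from the original article and not Vect 2.0's own code) that reproduces the described bug: four chunks, a random 12-byte nonce each, only the last nonce written to the file. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for the real stream cipher, which the report does not name; the 128KB threshold, the four-way split, and the 12-byte nonce come from the report, while the even chunk split and the trailer layout are assumptions. The decryptor is given the correct key and still recovers only the last chunk of any large file, which is exactly why the malware behaves as a wiper.

```python
import hashlib
import hmac
import os

THRESHOLD = 128 * 1024   # files larger than this are split (from the report)
NUM_CHUNKS = 4           # number of independent chunks (from the report)
NONCE_LEN = 12           # random 12-byte nonce per chunk (from the report)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for the unidentified real cipher;
    as with AES-GCM or ChaCha20, the nonce is a mandatory decryption input."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes) -> list:
    """Files up to THRESHOLD stay whole; larger ones become NUM_CHUNKS pieces.
    The even split is an assumption; the report only says four chunks."""
    if len(data) <= THRESHOLD:
        return [data]
    size = -(-len(data) // NUM_CHUNKS)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(NUM_CHUNKS)]


def encrypt(key: bytes, data: bytes, keep_all_nonces: bool) -> bytes:
    """Encrypt each chunk under its own random nonce and append a trailer.
    keep_all_nonces=False reproduces the reported flaw: the first three
    nonces simply go out of scope and only the last one reaches the disk."""
    chunks = split(data)
    nonces = [os.urandom(NONCE_LEN) for _ in chunks]
    body = b"".join(xor(c, keystream(key, n, len(c))) for c, n in zip(chunks, nonces))
    trailer = b"".join(nonces) if keep_all_nonces else nonces[-1]
    return body + trailer


def decrypt(key: bytes, blob: bytes, plaintext_len: int) -> list:
    """Decrypt whatever the trailer allows. Returns one entry per chunk:
    the plaintext bytes, or None where the nonce was never stored."""
    body, trailer = blob[:plaintext_len], blob[plaintext_len:]
    chunks = split(body)  # stream cipher: ciphertext has the plaintext's length
    stored = [trailer[i:i + NONCE_LEN] for i in range(0, len(trailer), NONCE_LEN)]
    # Nonces are appended in chunk order, so the ones present belong to the
    # last chunks; anything before them has no nonce and is unrecoverable.
    nonces = [None] * (len(chunks) - len(stored)) + stored
    return [xor(c, keystream(key, n, len(c))) if n is not None else None
            for c, n in zip(chunks, nonces)]


def recovery_outcome(size: int, keep_all_nonces: bool) -> tuple:
    """Encrypt a constructed random file of `size` bytes, decrypt it with the
    correct key, and return (chunks_recovered, chunks_lost)."""
    key = os.urandom(32)
    data = os.urandom(size)  # constructed sample file
    parts = decrypt(key, encrypt(key, data, keep_all_nonces), len(data))
    recovered = sum(1 for p, o in zip(parts, split(data)) if p == o)
    return recovered, parts.count(None)


if __name__ == "__main__":
    print("64KB file, buggy build :", recovery_outcome(64 * 1024, False))
    print("512KB file, buggy build:", recovery_outcome(512 * 1024, False))
    print("512KB file, fixed build:", recovery_outcome(512 * 1024, True))
```

A file at or below the threshold round-trips even under the buggy build, because it is a single chunk whose nonce is the one that gets written. Any larger file loses three quarters of its content regardless of whether the ransom is paid; the same code with all four nonces retained restores the whole file, which is the one-line fix the operators may ship in a later version.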

Vect 2.0 supports three platforms: Windows, Linux, and ESXi virtualization environments. The same encryption flaw is present in all three builds, which points to a shared codebase. The ransomware also carries other programming bugs, including encryption throughput that degrades progressively the longer it runs.

Earlier this year, the Vect team announced a partnership with TeamPCP, a group linked to several high-profile supply-chain attacks in recent weeks. The partnership was meant to widen the pool of potential paying victims, but affiliates in the program were never warned about the design flaw in the malware.

Check Point notes that Vect 2.0 is effectively an incomplete implementation of a complex RaaS framework. Its effectiveness as ransomware falls short of its claims, although that could change in future iterations: the encryption flaw may be fixed in later versions, and the actors have already announced a new "Cloud Lockers" operation targeting cloud storage services through selected RaaS partners.