Ransomware accidentally destroys all files larger than 128KB, preventing decryption — VECT code likely partly vibe coded with AI or used an old code base, security researchers suggest

VECT, a ransomware-as-a-service (RaaS) operation that first started circulating online in December 2025, has been found to contain a major programming bug. According to Check Point Research (CPR), the ransomware effectively turned into a wiper because it unintentionally discards some of the nonces needed to decrypt files larger than 128KB. This means that even if a victim pays the attackers to unlock their data, no one can undo the damage, because the nonces needed to reverse the encryption no longer exist. Numerous other problems plague the code, and CPR thinks it was likely vibe coded using AI.

The ransomware splits any file larger than 128KB into four chunks and encrypts each one with a random 12-byte nonce, which it writes to a single shared output buffer. Unfortunately for the victim, all four nonces are written to the same buffer address, so each new nonce overwrites the previous one. Once the process is complete, only the last nonce (the one belonging to the fourth chunk) is preserved and appended to the file. So even if the attacker provides the victim with the key to decrypt their data, the key will not work on any file larger than 128KB, because only the last nonce is still attached to it.
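For incident responders asking what a valid key could still recover, the following added example (not code from CPR, the article, or the malware) models the nonce bookkeeping described above entirely in memory. The SHAKE-256 keystream is a stand-in cipher and the equal four-way split is an assumption; only the 12-byte nonce, the four chunks, and the 128KB threshold come from the article.

```python
import hashlib
import os

NONCE_LEN = 12          # nonce size given in the article
THRESHOLD = 128 * 1024  # files above this size are split into chunks
CHUNKS = 4              # number of chunks given in the article

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): NOT the cipher VECT uses.
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def simulate_buggy_layout(key: bytes, plaintext: bytes):
    """Model the described flaw: every chunk's nonce lands in one shared
    buffer, and only the buffer's final contents are appended."""
    size = len(plaintext) // CHUNKS  # equal split is an assumption
    bounds = [(i * size, len(plaintext) if i == CHUNKS - 1 else (i + 1) * size)
              for i in range(CHUNKS)]
    shared = bytearray(NONCE_LEN)
    body = bytearray()
    for start, end in bounds:
        shared[:] = os.urandom(NONCE_LEN)  # overwrites the previous nonce
        body += keystream_xor(key, bytes(shared), plaintext[start:end])
    return bytes(body) + bytes(shared), bounds

def recoverable_chunks(key: bytes, blob: bytes, bounds, original: bytes):
    """With the correct key and the one surviving nonce, list the chunk
    indices that decrypt back to the original bytes."""
    body, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    return [i for i, (start, end) in enumerate(bounds)
            if keystream_xor(key, nonce, body[start:end]) == original[start:end]]

if __name__ == "__main__":
    key = b"k" * 32                    # constructed sample key
    data = bytes(range(256)) * 520     # constructed 130KB sample "file"
    blob, bounds = simulate_buggy_layout(key, data)
    print("chunks recoverable with the key:", recoverable_chunks(key, blob, bounds, data))
```

Under these assumptions only the final chunk comes back; the nonces for the first three were never written anywhere, so the key alone cannot restore them.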

This isn’t the only flaw the researchers uncovered in the ransomware: they also found issues with how the program uses CPU threads, string obfuscation routines that cancel each other out, and ciphers misidentified in its own public reports. VECT operators can pick between three encryption modes (fast, medium, and secure), and while the choice is parsed by the code, it is never implemented. Another uncommon characteristic of the malware is that it includes Ukraine as a Commonwealth of Independent States (CIS) member, a country that most have removed from their lists after Russia invaded Ukraine in 2022.


Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.
