GoKawiilResearchers are warning that the VECT 2.0 ransomware has a problem in the way it handles encryption nonces that leads to permanently destroying larger files rather than encrypt them.
VECT has been advertised on one of the latest BreachForums iterations, inviting registered users to become affiliates, and distributing access keys via private messages to those who showed interest.
At some point, VECT operators announced a partnership with TeamPCP, the threat group responsible for the recent supply-chain attacks impacting Trivy, LiteLLM, and Telnyx, as well as an attack against the European Commission.
In the announcement, VECT operators stated that their goal was to exploit victims of those supply-chain compromises, deploying ransomware payloads in their environments, as well as to conduct larger supply-chain attacks against other organizations.
VECT operators' post on BreachForums
Source: Check Point
Faulty ransomware
While this is meant to increase encryption speed for larger files, because all chunk encryptions use the same memory buffer for the nonce output, each new nonce overwrites the previous one.
Once all chunks are processed, only the last nonce generated remains in memory, and only that one is written to disk.
As a result, the only portion of the file that is recoverable is the last 25%, with the previous three parts being impossible to decrypt, as the nonces have been lost.
... continue reading