Ransomware accidentally destroys all files larger than 128KB, preventing decryption — VECT code likely partly vibe coded with AI or used an old code base, secur


This might be the work of an amateur, but they might not stay an amateur for long.


For any file larger than 128KB, the ransomware splits the data into four chunks and encrypts each with its own random 12-byte nonce. The flaw is in how those nonces are stored: all four are written to the same output buffer address, so each new nonce overwrites the previous one. When encryption finishes, only the last nonce (the one used for the fourth chunk) is still in the buffer, and that is what gets appended to the file. A nonce is not secret, but decryption cannot proceed without it, so even a victim who is handed the correct key can recover at most the last chunk of each large file; the other three chunks are gone for good. Files at or below the 128KB threshold are not affected by this flaw.
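As an added worked example (not VECT's code and not taken from CPR's report), the Go program below reproduces the failure mode described above beside the straightforward fix. AES-256-GCM is an assumption standing in for the cipher the report does not name; the random 12-byte nonce, the four-way split for files over 128KB and the single shared nonce buffer follow the description. The `bugged` flag, the `Encrypted` type and the function names are this example's own.

```go
// Constructed example, not VECT's code: AES-256-GCM stands in for the cipher the report does not name.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const (
	chunkCount = 4
	nonceSize  = 12         // standard AES-GCM nonce length, matching the 12-byte nonce in the report
	threshold  = 128 * 1024 // files above this size are split into chunkCount pieces
)

// Encrypted is what lands on disk: one ciphertext per chunk plus the nonce trailer.
type Encrypted struct {
	Chunks  [][]byte
	Trailer []byte // the nonce bytes appended to the end of the file
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// split divides data into chunkCount pieces; the last one takes any remainder.
func split(data []byte) [][]byte {
	size := (len(data) + chunkCount - 1) / chunkCount
	var out [][]byte
	for len(data) > size {
		out = append(out, data[:size])
		data = data[size:]
	}
	return append(out, data)
}

// EncryptFile encrypts data under key with a fresh random 12-byte nonce per chunk.
// bugged=true reproduces the flaw: every nonce is generated into one shared buffer and
// the trailer is written from that buffer after the loop, so only the last nonce survives.
func EncryptFile(key, data []byte, bugged bool) (*Encrypted, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	chunks := [][]byte{data}
	if len(data) > threshold {
		chunks = split(data)
	}
	shared := make([]byte, nonceSize) // the single nonce buffer all chunks share
	enc := &Encrypted{}
	for _, pt := range chunks {
		nonce := shared
		if !bugged {
			nonce = make([]byte, nonceSize) // fixed version: a fresh buffer per chunk
		}
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		enc.Chunks = append(enc.Chunks, aead.Seal(nil, nonce, pt, nil))
		if !bugged {
			enc.Trailer = append(enc.Trailer, nonce...) // fixed version: one slot per chunk
		}
	}
	if bugged {
		enc.Trailer = append(enc.Trailer, shared...) // whatever the buffer holds now: the last nonce
	}
	return enc, nil
}

// DecryptFile is deliberately generous: for each chunk it tries every nonce left in the
// trailer (a real decryptor would read slot i for chunk i). It returns the plaintext only
// if every chunk authenticates, plus the indexes of the chunks that could be opened at all.
func DecryptFile(key []byte, enc *Encrypted) ([]byte, []int, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	out, opened := []byte(nil), []int(nil)
	for i, ct := range enc.Chunks {
		for off := 0; off+nonceSize <= len(enc.Trailer); off += nonceSize {
			if pt, err := aead.Open(nil, enc.Trailer[off:off+nonceSize], ct, nil); err == nil {
				out = append(out, pt...)
				opened = append(opened, i)
				break
			}
		}
	}
	if len(opened) != len(enc.Chunks) {
		return nil, opened, fmt.Errorf("only %d of %d chunks decrypt; the other nonces are gone",
			len(opened), len(enc.Chunks))
	}
	return out, opened, nil
}
```

`DecryptFile` is written to be as forgiving as a decryptor can be, trying every surviving nonce against every chunk. With the bug in place it still opens only the fourth chunk of a large file, which shows the loss is not a decryptor problem: the nonces the first three chunks need were never written to disk, and possessing the key does not bring them back. A file below the threshold is a single chunk, so its one nonce survives and it decrypts normally even in the bugged build.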

This is not the only flaw the researchers found. They also noted problems with how the program uses CPU threads, string obfuscation routines that cancel each other out, and ciphers the group misidentifies in its own public reports. Operators can choose between three encryption modes, fast, medium and secure, but while the choice is parsed by the code, it is never acted on. Another unusual trait: the malware treats Ukraine as a member of the Commonwealth of Independent States (CIS), which most ransomware families stopped doing after Russia invaded Ukraine in 2022.

The malware is presented as a sophisticated tool, and the group behind it as a sophisticated crew. It does have multi-platform capability, with builds for Windows, Linux and ESXi; it has partnered with other threat actors such as TeamPCP; and it has built its own affiliate network through BreachForums. But given the scale of the defects, CPR theorized that the group either used AI tools to generate some of its code or started from an older code base.

This is not the first time a major ransomware group has shipped a programming mistake. Earlier this year, Nitrogen ransomware overwrote part of its encryption public keys with zeros. Because data had been encrypted under those mangled keys, even someone holding the matching private key could not undo the encryption. Reporting suggests the cause was probably a common off-by-one error, a developer's fat-finger mistake.

Still, the community should not dismiss threats like this just because they backfired on their creators. The researchers pointed out that the people behind VECT have ambition and know what effective ransomware should look like. They could fix the issues CPR revealed in its report and release a working version. More importantly, they already have a distribution system in place, which makes it easier to infect more systems without starting from scratch.
