Dark Web Profile: Vect Ransomware
Most new ransomware operations spend their first months in the shadows, courting affiliates one at a time on closed forums. Vect did the opposite. Within four months of its December 31, 2025 debut on a Russian-language cybercrime forum, the group had published its first 25 victims across five continents, formalized a partnership with BreachForums that opened affiliate access to the forum’s entire user base, and tied its extortion pipeline to TeamPCP, the actor behind the March 2026 Trivy, Checkmarx KICS, LiteLLM, and Telnyx supply chain attacks.
Who Is Vect Ransomware?
Vect is a financially motivated, double extortion ransomware-as-a-service operation that surfaced on a Russian-language cybercrime forum on December 31, 2025 under the handle “vect.” The opening post advertised a partnership program for a new ransomware family written entirely in C++, with the operator claiming no reused source code from Conti, LockBit, or any other leaked builder.
Within a week, the first victim was published on a Tor leak site. By February 14, 2026, the group had released Vect 2.0 with expanded Linux and VMware ESXi support. The Russian-language posting, the qTox-based affiliate communication, the Monero-only entry fee, and the affiliate fee waiver for applicants from CIS countries (Russia, Belarus, Ukraine, Kazakhstan, and ten other former Soviet states) all point to a Russian-speaking operational base.

Threat actor card of Vect Ransomware
Vect operates a structured affiliate program with one of the lowest barriers to entry observed in the ransomware ecosystem. Applicants pay a $250 Monero invite fee, waived for CIS-region affiliates, in exchange for access to a panel that includes a payload builder for Windows, Linux, and ESXi, a victim folder system, a global chat, a ticketing system, a team management feature for sub-affiliate groups, and a five-tier earnings tracker that starts at an 80 percent revenue share and climbs to 89 percent past $75 million in extorted funds. Affiliates negotiate with victims through a built-in chat interface, and the panel supports both Bitcoin and Monero withdrawals with a $1,000 minimum.
The group’s most consequential move came on April 16 to 18, 2026, when a BreachForums administrator using the handle “diencracked” began automatically distributing personal Vect affiliation keys to every registered member of the forum by private message. The Have I Been Pwned import of the January 9, 2026 BreachForums database breach pegged the registered user count at 323,986 accounts. Researchers describe this mass enrollment as without precedent in the documented history of ransomware partnerships. There is no proof of skill, no reputation check, and no prior ransomware experience required to receive a Vect builder.
What Connects Vect Ransomware to Other Threat Actors?
Three connections shape current Vect reporting. The strongest is to Devman, with builder samples carrying “DEVMAN 3.0” strings in the --verbose banner, lateral movement tasks using a matching “DM” prefix, near-identical ransom notes, and Devman’s February 2026 dormancy coinciding with Vect’s debut. Since Devman descends from DragonForce, LockBit, and Conti, the link could indicate operator continuity, a rebrand, or a false flag.

Vect and Devman ransomware notes (Source: LevelBlue)
The TeamPCP partnership announced on March 25, 2026 feeds Vect with credentials harvested from the Trivy, KICS, LiteLLM, and Telnyx supply chain compromises. The BreachForums alignment is the most consequential, with automatic affiliate-key distribution from April 16, 2026 turning the marketplace’s full user base into a Vect recruitment pool. No law enforcement action has been reported as of May 2026.

BreachForums post from Vect Ransomware Group announcing a formal partnership with TeamPCP and plans to deploy ransomware across organizations compromised in the Trivy and LiteLLM supply chain attacks.
What Are the Vect Ransomware Targets?
Vect ransomware has conducted 25 attacks across multiple geographies and sectors. The United States and Brazil lead as the most targeted countries, each accounting for 21.7% of victims, followed by India (17.4%) and South Africa (8.7%). The remaining victims are distributed across Spain, Israel, Egypt, and Italy, each representing 4.3%.

Distribution of Vect ransomware victims by Country
From an industry perspective, Technology is the most impacted sector at 20%, while Financial Services, Healthcare, and Manufacturing each account for 16% of victims. Business Services follows at 12%, with Energy, Consumer Services, Education, and Agriculture & Food Production each representing 4%.

Distribution of Vect ransomware victims by industry sector
How Does Vect Ransomware Operate?
A Vect intrusion in 2026 typically begins one supply chain hop upstream, with credentials harvested through the TeamPCP campaign, and ends with an encryption routine that operates as a wiper. The phases below describe the path observed in current reporting.

Vect Ransomware Attack Chain
Initial Access Through the TeamPCP Supply Chain: Between March 19 and March 24, 2026, TeamPCP compromised the Trivy GitHub Actions workflow, the Checkmarx KICS package, the LiteLLM PyPI distribution (versions 1.82.7 and 1.82.8), and the Telnyx Python SDK. A credential-harvesting payload fired during CI/CD execution in downstream organizations, extracting CI secrets, GitHub Personal Access Tokens, PyPI publishing tokens, cloud credentials, SSH keys, and Kubernetes service account tokens. Researchers estimate roughly 300 GB of data was exfiltrated across more than 1,000 enterprise SaaS environments. Vect announced its TeamPCP partnership on March 25, 2026, and the first listings attributed to this access source appeared on April 15 with the unverified Guesty and S&P Global claims.
Vect operators retain alternative initial access paths, including compromised Fortinet credentials solicited on a Russian-language forum in January 2026, plus base64-encoded credentials supplied at build time or via the --creds parameter for RDP and VPN abuse.
Execution and Foothold Establishment: The locker ships as three statically compiled C++ binaries linked against libsodium: a PE64 for Windows built with MinGW-w64, and ELF64 builds for Linux and VMware ESXi compiled with GCC. Execution is initiated through PowerShell, the Windows command shell, or a service installed remotely with sc.exe. Command line flags include --stealth (self-delete), --mount (additional volumes), --gpo (the misnamed lateral movement function), --force-safemode, and --creds. A double XOR routine intended to keep these flags encrypted at rest accidentally cancels itself out, leaving them as plaintext strings inside the binary.
Defense Evasion and Pre-Encryption Tampering: Before encryption, a PowerShell command (XOR-decoded at runtime) disables Microsoft Defender real-time monitoring. The locker then terminates a hardcoded list of security agents (CrowdStrike Falcon, SentinelOne, Cylance, Symantec, Bitdefender, Kaspersky, Carbon Black), backup engines (Veeam, Acronis, BackupExec), database services (MariaDB, MySQL, PostgreSQL, MongoDB, Redis), and productivity applications. Volume Shadow Copies are removed with vssadmin delete shadows /all /quiet after a 30-second wait, Task Manager is disabled, and if --force-safemode is set the locker writes SafeBoot Minimal and Network registry entries plus a Run key so the host reboots into safe mode with most endpoint protection inactive. The Linux and ESXi variants implement CIS geofencing by reading LANG, LC_ALL, and /etc/timezone.
Vect’s anti-analysis routines are compiled into the binary but never invoked at runtime. A 44-entry process scan, a TracerPid check, and an NtQueryInformationProcess query are all present yet none is ever called, consistent with a conditional compile flag left disabled.
Credential Access and Discovery: The locker stores affiliate-supplied credentials on each target host using cmdkey, which writes them into the Windows Credential Manager. It enumerates accessible network shares with WNetOpenEnum and NetShareEnum, walks file systems with standard Win32 APIs, and probes domain trust relationships.
Lateral Movement Through Misnamed “GPO Spread”: The function labeled “GPO spread” performs no Group Policy operations. It registers Scheduled Tasks remotely over CIM sessions, each named with a hardcoded “DM” prefix followed by four random uppercase letters. The DM prefix matches the Devman ransomware naming convention and is one of the strongest indicators of a possible code or operator link. Each task runs under SYSTEM at the highest privilege level. The task and CIM session are removed within 500 milliseconds to limit forensic artifacts. Beyond scheduled tasks, the locker uses SMB admin-share copy, WMI execution, DCOM instantiation via MMC20.Application, sc.exe service installation, and PowerShell remoting over WinRM. SSH-based propagation is supported on Linux and ESXi.

Lateral movement script generated at runtime (Source: LevelBlue)
Collection and Exfiltration: Current Vect builds do not ship a dedicated exfiltration module; the affiliate panel lists an “exfiltration-only build” as “coming soon.” Exfiltration is performed either out of band by the affiliate using third-party tools such as Rclone, MEGA, or WinSCP, or with data already harvested upstream by TeamPCP during the original CI/CD compromise. The 700 GB and four million emails claimed in the Guesty listing, if accurate, would be consistent with upstream harvest rather than locker-side exfiltration.
ESXi Virtual Machine Preparation: On VMware ESXi targets, the locker enumerates running virtual machines on ESXi, VirtualBox, and KVM/libvirt and powers them down with vmware-cmd, esxcli vm process kill, VBoxManage controlvm poweroff, and virsh destroy. Powering down guests releases file locks on VMDK, VMX, and NVRAM files, allowing in-place encryption and amplifying impact across all hosted workloads.
Impact, Where the Encryption Becomes a Wiper: Files are renamed from <original> to <original>.vect via MoveFileExW before encryption. The cipher is raw ChaCha20-IETF as defined in RFC 8439, not the ChaCha20-Poly1305 authenticated encryption scheme that Vect’s own advertisement describes. There is no Poly1305 message authentication code and no integrity protection on encrypted files.
For files of 131,072 bytes (128 KB) or smaller, the locker performs single-pass encryption with a fresh 12-byte nonce appended to the file. For larger files, intermittent encryption divides the file into four 32 KB chunks at the 0, 25, 50, and 75 percent offsets, each encrypted with a freshly generated nonce. The fatal flaw is that all four encryption calls write into the same caller-supplied 12-byte buffer, so only the fourth nonce survives. The first three are generated by libsodium’s randombytes(), overwritten in turn, and never stored. Three-quarters of every large file are mathematically unrecoverable, including by the operators themselves. The flaw is identical across Windows, Linux, and ESXi variants. In practical terms, paying the ransom cannot restore most enterprise data.
The combination of shadow copy deletion, security agent termination, safe-mode persistence, and broken intermittent encryption produces an outcome operationally indistinguishable from a wiper for any system holding meaningful business data.
How Can Organizations Defend Against Vect Ransomware?
Defenders should treat any Vect intrusion as a hybrid encryption-and-wiper event for recovery planning purposes. The broken ChaCha20 implementation means decryption is not a viable recovery path even after payment, and organizations that pay risk both financial loss and unrecoverable data.
Organizations with any exposure to the March 2026 TeamPCP supply chain campaign (including the Trivy GitHub Actions, Trivy v0.69.4, Checkmarx KICS, LiteLLM versions 1.82.7 or 1.82.8, the Telnyx Python SDK, or the CanisterWorm npm packages) should immediately rotate every CI/CD secret, GitHub Actions token, PyPI publish token, cloud key, SSH key, Kubernetes token, and TLS certificate that ran through the affected pipelines between February 28 and March 24, 2026. Defenders should also audit their GitHub organizations for unexpected repositories named “tpcp-docs,” which the TeamPCP tooling creates as a fallback secret staging location, and inspect Python site-packages directories for unexpected .pth files.
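The site-packages check is easy to automate. The following added example (not SOCRadar’s tooling and not TeamPCP’s) walks a site-packages directory, lists every .pth file, and flags those containing lines that Python’s site.py executes at interpreter start-up (lines beginning with `import `). The allowlist of known-benign .pth names is an assumption to extend for your environment, and `build_demo_site_packages` writes constructed sample files into a temporary directory so the check runs offline; the `tpcp-docs` repository-name filter is included for the GitHub audit step and expects a list of repository names you already exported.

```python
"""Audit .pth files in site-packages and GitHub repo names (added example, constructed data)."""
import os
import sysconfig
import tempfile

# .pth files that legitimately carry import lines; extend for your environment (assumption).
KNOWN_BENIGN_PTH_PREFIXES = ("distutils-precedence.pth", "__editable__")
SUSPICIOUS_REPO_NAMES = {"tpcp-docs"}     # fallback staging repo named in the text above


def audit_pth_files(site_packages):
    """Return one finding per .pth file: its lines, the lines site.py would exec, and a verdict.
    site.py executes any .pth line that starts with 'import ' (or 'import<TAB>'), which is why
    an unexpected .pth is a persistence mechanism worth reviewing after a supply chain event."""
    findings = []
    for name in sorted(os.listdir(site_packages)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_packages, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
        exec_lines = [ln for ln in lines if ln.startswith(("import ", "import\t"))]
        known = name.startswith(KNOWN_BENIGN_PTH_PREFIXES)
        findings.append({
            "path": path,
            "lines": lines,
            "executable_lines": exec_lines,
            "suspicious": bool(exec_lines) and not known,
        })
    return findings


def suspicious_repos(repo_names):
    """Filter an exported list of organization repository names for the known staging name."""
    return sorted(n for n in repo_names if n.lower() in SUSPICIOUS_REPO_NAMES)


def build_demo_site_packages(root):
    """Write constructed sample .pth files (not real packages) into root for the demo."""
    samples = {
        "distutils-precedence.pth": "import _distutils_hack; _distutils_hack.add_shim()\n",
        "easy-install.pth": "./some_package-1.0-py3.egg\n",          # path-only: never executed
        "zzz_unexpected.pth": "import os; os.environ.get('HOME')\n",  # constructed, harmless, but executable
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Run the audit against the constructed sample directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site_packages(root)
        return audit_pth_files(root)


if __name__ == "__main__":
    for f in demo():
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + os.path.basename(f["path"]),
              f["executable_lines"])
    print("repos to review:", suspicious_repos(["infra", "tpcp-docs", "website"]))
    # Real use: audit_pth_files(sysconfig.get_paths()["purelib"]) for each interpreter on the host.
    print("this interpreter's site-packages:", sysconfig.get_paths()["purelib"])
```

Run it once per interpreter on the host (system Python, virtualenvs, CI runner images), since each has its own site-packages; a .pth file that is executable and not on your allowlist should be read in full before anything else runs from that interpreter.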
Short-term defensive priorities include the following controls:
- Block outbound Tor entry-node connectivity and onion-name resolution at the network perimeter, since Vect command and control runs exclusively over Tor.
- Add detection logic for the commands bcdedit /set safeboot, modifications to the SafeBoot Minimal or Network registry keys, vssadmin delete shadows /all /quiet, and Set-MpPreference -DisableRealtimeMonitoring $true.
- Alert on scheduled tasks or services created with a “DM” prefix followed by four random uppercase letters, and on file modification patterns showing four 32 KB writes at the 0, 25, 50, and 75 percent offsets of a file.
- Enforce phishing-resistant multi-factor authentication on VMware ESXi management interfaces, segment ESXi management networks, and require jump-host access.
- Configure endpoint detection and response tamper protection so that the SafeBoot persistence trick cannot disable the security agent on reboot.
- Pin every GitHub Action used in continuous integration to an immutable commit SHA rather than a mutable tag, and enable PyPI Trusted Publishers where supported.
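As an added example of the detection logic in the list above (not SOCRadar’s rules or any vendor’s content), the Python below applies those patterns to constructed JSON-lines telemetry: the shadow-copy and Defender commands, bcdedit safeboot, SafeBoot registry writes, “DM” plus four uppercase letters in task or service names, and the four 32 KB writes at the 0/25/50/75 percent offsets. The event schema (`event`, `host`, `cmdline`, `task_name`, `service_name`, `key`, `path`, `offset`, `length`, `file_size`) is an assumption standing in for whatever your EDR or Sysmon pipeline emits, and every host name, task name, file path and registry subkey in the sample is made up.

```python
"""Detection rules for the Vect behaviours listed above, run over constructed telemetry."""
import json
import re
from collections import defaultdict

# Command-line patterns straight from the controls listed above.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("safeboot_via_bcdedit",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
]
SAFEBOOT_KEY = re.compile(r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)(\\|$)", re.I)
DM_NAME = re.compile(r"^DM[A-Z]{4}$")      # "DM" followed by exactly four uppercase letters
CHUNK = 32 * 1024                           # intermittent-encryption chunk size


def scan_events(lines):
    """Apply every rule to JSON-lines telemetry; return (rule, host, evidence) hits."""
    hits = []
    writes = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        kind, host = ev["event"], ev["host"]
        if kind == "process_create":
            for name, rx in COMMAND_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append((name, host, ev["cmdline"]))
        elif kind == "task_create" and DM_NAME.match(ev["task_name"]):
            hits.append(("dm_prefixed_scheduled_task", host, ev["task_name"]))
        elif kind == "service_create" and DM_NAME.match(ev["service_name"]):
            hits.append(("dm_prefixed_service", host, ev["service_name"]))
        elif kind == "registry_set" and SAFEBOOT_KEY.search(ev["key"]):
            hits.append(("safeboot_registry_persistence", host, ev["key"]))
        elif kind == "file_write":
            writes[(host, ev["path"])].append((ev["offset"], ev["length"], ev["file_size"]))
    hits.extend(intermittent_write_hits(writes))
    return hits


def intermittent_write_hits(writes):
    """Flag a file that received CHUNK-sized writes at all four of its 0/25/50/75 % offsets."""
    hits = []
    for (host, path), ops in writes.items():
        size = ops[0][2]
        expected = {size * p // 100 for p in (0, 25, 50, 75)}
        seen = {off for off, length, _ in ops if length == CHUNK}
        if size > 4 * CHUNK and expected <= seen:
            hits.append(("intermittent_encryption_write_pattern", host, path))
    return hits


# Constructed sample telemetry; none of these events are from a real incident.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "fs01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event": "process_create", "host": "fs01",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event": "process_create", "host": "ws07", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"event": "process_create", "host": "ws07", "cmdline": "notepad.exe C:\\notes.txt"},
    {"event": "task_create", "host": "fs01", "task_name": "DMQXZA"},
    {"event": "task_create", "host": "fs01", "task_name": "DMBackupNightly"},   # benign, no match
    {"event": "registry_set", "host": "ws07",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\placeholder_svc"},
    {"event": "file_write", "host": "fs01", "path": "D:\\data\\q1.db", "offset": 0,
     "length": 32768, "file_size": 1048576},
    {"event": "file_write", "host": "fs01", "path": "D:\\data\\q1.db", "offset": 262144,
     "length": 32768, "file_size": 1048576},
    {"event": "file_write", "host": "fs01", "path": "D:\\data\\q1.db", "offset": 524288,
     "length": 32768, "file_size": 1048576},
    {"event": "file_write", "host": "fs01", "path": "D:\\data\\q1.db", "offset": 786432,
     "length": 32768, "file_size": 1048576},
    {"event": "file_write", "host": "fs01", "path": "D:\\data\\small.txt", "offset": 0,
     "length": 512, "file_size": 512},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, host, evidence in scan_events(SAMPLE_LOG):
        print(f"{host:5} {rule:38} {evidence}")
```

The write-pattern rule is the one most worth tuning: it needs file-write telemetry with offsets and sizes, which not every EDR exports, and it fires only once all four chunks have been written, so it confirms encryption in progress rather than preventing it. The command-line and registry rules fire earlier, at the pre-encryption tampering stage, and are the ones to wire to an automatic host isolation response.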
Medium-term priorities include maintaining offline, immutable backups in write-once-read-many (WORM) configurations and rehearsing restoration on a regular cadence. Defenders should apply VMware ESXi security patches, disable the SLP service where it is not required, and deploy YARA detection logic for the strings “VECT”, “DEVMAN 3.0”, and “dvm3_wall.bmp” alongside the libsodium-plus-MinGW-w64 build artifacts characteristic of the Windows locker.
How Can SOCRadar Help?
SOCRadar continuously monitors ransomware leak sites, dark web forums, and Tor-based extortion infrastructure for new victim claims, affiliate recruitment posts, and infrastructure changes tied to Vect and other active RaaS operations. Through the Threat Actor Intelligence module, security teams can track the Vect threat profile, its evolving TTPs, named victims, and infrastructure indicators in a single view, with alerting on new postings that mention monitored assets, employees, or third parties.
SOCRadar’s Dark Web Monitoring capability detects leaked credentials, source code, and customer data tied to organizations and their suppliers, including the categories of artifacts most likely to surface following a TeamPCP-style supply chain compromise. The Attack Surface Management module helps defenders identify exposed VMware ESXi management interfaces, externally reachable Fortinet appliances, and other footholds that match Vect’s preferred initial access patterns, while the Supply Chain Intelligence module gives early visibility into compromises of upstream software vendors before extortion claims appear on leak sites.
For organizations responding to active Vect activity or assessing exposure, SOCRadar’s IOC feeds, YARA rules, and curated threat actor reports provide the indicators and context needed to detect, contain, and recover.
What Are Vect Ransomware’s MITRE ATT&CK Techniques?
The observed and reported Vect tradecraft maps to the following MITRE ATT&CK techniques:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T1133 | External Remote Services |
| Initial Access | T1195.002 | Supply Chain Compromise: Software Supply Chain |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1569.002 | System Services: Service Execution |
| Execution | T1106 | Native API |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1112 | Modify Registry |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1482 | Domain Trust Discovery |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Lateral Movement | T1021.003 | Remote Services: Distributed Component Object Model |
| Lateral Movement | T1021.004 | Remote Services: SSH |
| Lateral Movement | T1021.006 | Remote Services: Windows Remote Management |
| Collection | T1005 | Data from Local System |
| Collection | T1039 | Data from Network Shared Drive |
| Command and Control | T1090.003 | Proxy: Multi-hop Proxy |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
| Impact | T1489 | Service Stop |
| Impact | T1561 | Disk Wipe |
| Impact | T1529 | System Shutdown/Reboot |
