What Happened
Check Point Research published a technical analysis on April 28, 2026, revealing that VECT 2.0 ransomware contains a critical flaw in its encryption logic that makes it function as a data wiper for any file exceeding 131,072 bytes (128 KB). The bug exists in how the ransomware handles ChaCha20 stream cipher nonces: it divides files into four chunks, generates a unique nonce for each chunk, uses the nonces to encrypt, and then discards the first three without saving them locally or sending them to the attackers’ infrastructure. Only the fourth nonce is retained. For files split across more than one encrypted chunk — which is every file over 128 KB with any meaningful content — decryption is mathematically impossible. Not impractical. Impossible.
The flaw is identical across all three platform variants: Windows, Linux, and ESXi. VECT uses raw ChaCha20-IETF rather than the authenticated ChaCha20-Poly1305 variant, and the entire encryption design is built on libsodium. The ransomware launched its affiliate program in December 2025 and announced a partnership with TeamPCP — the threat group behind a series of supply chain attacks beginning in March 2026 — in early 2026. Check Point attributes the flaw to a coding error rather than intentional design, per The Hacker News.
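To make the recovery question concrete, here is an added Python model of the nonce-handling flaw described above. It is not Check Point's code and nothing from the VECT sample itself; the ChaCha20-IETF keystream is a from-scratch RFC 8439 implementation, and the chunking rule (one chunk up to 128 KB, four near-equal chunks above that), the function names `faulty_encrypt` and `attempt_recovery`, and the sample data are assumptions for illustration only. It shows what a decryptor holding the correct key and only the retained fourth nonce can and cannot restore.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
SINGLE_CHUNK_LIMIT = 131_072  # 128 KB: the threshold reported by Check Point
CHUNK_COUNT = 4               # VECT 2.0 splits larger files into four chunks


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block per RFC 8439 (IETF form: 32-bit counter, 96-bit nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_ietf_xor(key, nonce, data):
    """Raw ChaCha20-IETF (no Poly1305 tag, as the page says VECT uses): XOR data
    with the keystream derived from (key, nonce). Encryption and decryption are
    the same operation, so the nonce is indispensable for both directions."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), 64):
        chunk = data[i:i + 64]
        ks = _chacha20_block(key, i // 64, nonce)[:len(chunk)]
        out += (int.from_bytes(chunk, "little")
                ^ int.from_bytes(ks, "little")).to_bytes(len(chunk), "little")
    return bytes(out)


def split_chunks(data):
    """Simplified chunking model (assumption, not VECT's exact layout): files up
    to 128 KB are one chunk; larger files become four near-equal chunks."""
    if len(data) <= SINGLE_CHUNK_LIMIT:
        return [data]
    size = -(-len(data) // CHUNK_COUNT)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def faulty_encrypt(key, data):
    """Model of the reported bug: every chunk gets a fresh random nonce, all
    ciphertext chunks are written, but only the LAST nonce is retained.
    Returns (ciphertext_chunks, retained_nonce)."""
    chunks = split_chunks(data)
    nonces = [os.urandom(12) for _ in chunks]
    ciphertexts = [chacha20_ietf_xor(key, n, c) for n, c in zip(nonces, chunks)]
    retained_nonce = nonces[-1]  # nonces[:-1] are dropped and never transmitted
    return ciphertexts, retained_nonce


def attempt_recovery(key, ciphertexts, retained_nonce):
    """What a decryptor holding the correct key and the one surviving nonce can
    do: only the final chunk is recoverable; the rest is None (no nonce, no keystream)."""
    recovered = [None] * len(ciphertexts)
    recovered[-1] = chacha20_ietf_xor(key, retained_nonce, ciphertexts[-1])
    return recovered


def unrecoverable_bytes(ciphertexts, recovered):
    """Bytes that remain permanently lost after the best possible decryption."""
    return sum(len(c) for c, r in zip(ciphertexts, recovered) if r is None)


if __name__ == "__main__":
    key = os.urandom(32)
    # Constructed sample inputs: one file under the threshold, one just above it.
    for label, data in (("small", b"ledger" * 1000), ("large", bytes(range(256)) * 520)):
        cts, nonce = faulty_encrypt(key, data)
        rec = attempt_recovery(key, cts, nonce)
        lost = unrecoverable_bytes(cts, rec)
        print(f"{label}: {len(data)} bytes, {len(cts)} chunk(s), {lost} bytes unrecoverable")
```

The point for incident responders follows directly from the output: a file at or below 128 KB round-trips because its single chunk is also its last chunk, while anything larger loses the first three quarters outright. Because a 96-bit ChaCha20 nonce cannot be brute-forced and the discarded nonces were never sent to the operators, possessing the master key (whether bought or seized) does not change this result.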
Why This Matters for Canadian Organizations
VECT 2.0 operates as a ransomware-as-a-service scheme, meaning affiliates deploy it independently and victims receive ransom demands under the VECT brand. Any Canadian organization hit by a VECT 2.0 infection faces a situation where paying the ransom provides no recovery — the data is gone regardless. This changes the incident response calculus significantly. Standard ransomware playbooks include a payment assessment phase, but with VECT 2.0, that phase is irrelevant for any server, database, virtual machine disk, document archive, or backup larger than 128 KB.
The connection to TeamPCP is notable for Canadian security teams. TeamPCP has been linked to supply chain attacks targeting CI/CD tooling including Trivy, Checkmarx KICS, and the OpenVSX extension marketplace in the months prior to this disclosure. Organizations with any TeamPCP exposure in their development environment — or any organization that deploys the Checkmarx or VS Code toolchain without verifying image integrity — should treat VECT 2.0 as a credible downstream risk. ESXi hypervisor targeting adds particular concern for Canadian enterprises running VMware-based infrastructure, where a single successful deployment destroys virtual machine disk images with no recovery path.
Canadian organizations are also subject to PIPEDA breach notification requirements when personal data is destroyed or rendered inaccessible. The Office of the Privacy Commissioner has previously held that destruction of personal data constitutes a breach requiring assessment and, where appropriate, notification. A VECT infection at scale eliminates both the data and the possibility of restoring it from the attacker — making breach containment and backup integrity the only viable response.
What to Do
Review backup integrity now: VECT 2.0 targets VM disks and database files. Confirm your offsite and air-gapped backups are current, tested, and not accessible from the systems VECT operators typically reach through supply chain or phishing initial access vectors. Patch and harden any ESXi hosts and Linux servers exposed to the internet. Review your CI/CD pipeline for any TeamPCP-linked indicators of compromise, particularly around recently modified Docker images, npm packages, or VS Code extensions. If VECT 2.0 is detected in your environment, do not restart or attempt decryption — involve your incident response team immediately and preserve forensic state before any remediation action.