New ransomware wipes every file larger than 128 KB

A newly identified ransomware strain is accidentally destroying the very files it's supposed to hold for ransom. And the victims who end up paying are getting nothing back.

Cybersecurity firm Check Point Research published findings Tuesday detailing the dangers of VECT 2.0, a Ransomware-as-a-Service operation that first emerged on a Russian-language cybercrime forum in 2025.

The ransomware contains a critical coding flaw that permanently destroys any file larger than 128 kilobytes rather than encrypting it. That threshold is smaller than a typical email attachment, meaning virtually every file that would matter to a victim — databases, backups, virtual machine disks, documents, spreadsheets — is being irreversibly wiped rather than locked.

In plain terms, when VECT scrambles a file, it needs to save a cryptographic nonce — a kind of one-time code — that later allows it to unscramble the file.

For larger files, the malware generates four of these codes. But due to a programming error, it keeps overwriting the previous code with each new one in the same slot, like writing four different combinations on a single sticky note and keeping only the last one. By the time it's done, three of the four codes are gone forever. The scrambled data they correspond to is permanently unreadable for the victim, security researchers, and the attackers themselves.
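The effect of that single overwritten slot can be modelled on an in-memory buffer. This is an added illustration, not code from Check Point's report or from the malware: the toy SHA-256 keystream, the 12-byte nonce size, the equal-size chunk split, the sample key and buffer, and all function names are assumptions.

```python
import hashlib
import os

CHUNKS = 4       # from the article: four nonces for a large file
NONCE_LEN = 12   # assumption: the article gives no nonce size
KEY = bytes(32)  # constructed sample key
SAMPLE = bytes(range(256)) * 1024  # constructed 256 KiB buffer, above 128 KB


def keystream(key, nonce, length):
    """Toy SHA-256 counter-mode keystream (stand-in cipher, an assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def split(data, parts=CHUNKS):
    """Split data into `parts` equal-size chunks (assumed layout)."""
    size = -(-len(data) // parts)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(parts)]


def flawed_encrypt(plaintext, key):
    """Model of the flaw: one nonce slot, rewritten for every chunk."""
    slot, encrypted = b"", []
    for chunk in split(plaintext):
        nonce = os.urandom(NONCE_LEN)
        encrypted.append(xor(chunk, keystream(key, nonce, len(chunk))))
        slot = nonce  # previous nonce is lost here
    return slot, encrypted


def recoverable_chunks(plaintext, key):
    """Indices of chunks that decrypt correctly using the key and saved slot."""
    slot, encrypted = flawed_encrypt(plaintext, key)
    return [i for i, (enc, orig) in enumerate(zip(encrypted, split(plaintext)))
            if xor(enc, keystream(key, slot, len(enc))) == orig]


if __name__ == "__main__":
    ok = recoverable_chunks(SAMPLE, KEY)
    print(f"recoverable chunks: {ok} of {CHUNKS}")
```

Even with the correct key in hand, only the last chunk decrypts in this model; the other three depend on nonces that were never stored anywhere.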

Ransomware like this works by breaking into a computer system, scrambling all the files so they become unreadable, and then demanding payment in exchange for the key to unscramble them. In this instance, however, paying the ransom is pointless. The attackers literally cannot give you your files back, because they accidentally threw away the keys.

Check Point also found a string of other amateur mistakes baked into the malware, like advertised features that don't actually work, security evasion tools built in but never switched on, and an obfuscation technique that accidentally cancels itself out, making the code easier to read, not harder.

The concerning part is that, despite being technically incompetent, VECT has real reach. The group partnered with BreachForums — one of the internet's largest hacking communities — to grant every registered user on the platform free access to its ransomware toolkit.

Even though Check Point has established these attacks as novice work, that's a lot of potential attackers armed with a destructive, if broken, weapon.
