Vect
Vect is a financially motivated double-extortion ransomware-as-a-service (RaaS) operation that surfaced on a Russian-language cybercrime forum on December 31, 2025 under the handle "vect" and began claiming victims in early January 2026. Reporting indicates a Russian-speaking operational base, based on Russian-language postings, qTox communications, Monero-only affiliate fees, and a fee waiver for CIS-based affiliates. Vect is also referred to as Vect 2.0 following an announced rename/update in early 2026.

Vect operates an affiliate model with broad recruitment and unusually low barriers to entry. The group advertised a custom C++ ransomware family and offered affiliates a builder and panel supporting Windows, Linux, and VMware ESXi payloads, victim management, negotiation/chat functions, ticketing, team management, and tiered revenue sharing starting at 80% and rising to 89%. Multiple reports state that Vect partnered with BreachForums and distributed affiliate keys widely to forum users, which researchers described as unprecedented in ransomware partnership history.

The group has publicly partnered with TeamPCP. TeamPCP announced an operational partnership with Vect on March 25, 2026, and Vect subsequently handled encryption and extortion tied to TeamPCP-derived access from supply chain compromises involving Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK. Vect began publishing victim data obtained from the March 2026 TeamPCP Trivy compromise, which reporting describes as an escalation from credential theft and espionage into active double-extortion ransomware operations affecting more than 1,000 enterprise SaaS environments. Reporting also notes claimed compromises or victim postings tied to TeamPCP-derived access, including unverified claims involving Guesty, S&P Global, Sportradar AG, and Booking.com-related activity.

Technically, Vect supports Windows, Linux, and ESXi and is described as using statically compiled C++ binaries linked with libsodium. Reported capabilities include disabling Microsoft Defender real-time monitoring; terminating security, backup, database, and productivity processes; deleting Volume Shadow Copies; forcing Safe Mode persistence; enumerating network shares and domain trust relationships; storing supplied credentials with cmdkey; and lateral movement via remotely registered scheduled tasks over CIM, SMB admin shares, WMI, DCOM via MMC20.Application, sc.exe service installation, PowerShell remoting over WinRM, SSH, and abuse of supplied RDP/VPN credentials. Linux and ESXi variants reportedly implement CIS geofencing.

Reporting also highlights a critical implementation flaw in Vect's ChaCha20-based encryption routine across the Windows, Linux, and ESXi variants: files larger than 128 KB become mathematically unrecoverable because the nonces required for decryption are not preserved. Researchers therefore assessed many Vect incidents as operationally closer to destructive wiper events than recoverable ransomware, even if a ransom is paid. Vect currently lacks a dedicated built-in exfiltration module in its builder, although affiliates may use third-party tools or data already stolen by TeamPCP.

Several reports note technical and operational overlaps with Devman, including "DEVMAN 3.0" strings in builder samples, near-identical ransom notes, and a matching "DM" prefix used in lateral movement task names. This suggests possible operator continuity, rebranding, or a false flag, but does not establish any of these conclusively.

Known aliases: Vect, Vect 2.0.
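As an added illustration of how a defender might turn the behaviours listed above into detection logic (example code written for this profile, not from any vendor, from Mallory, or from Vect's tooling), the block below runs simple rules over constructed process-creation records and scores each host. The command-line forms (Set-MpPreference, vssadmin delete shadows, bcdedit safeboot, cmdkey /add, schtasks /s, sc \\host create) are assumed standard invocations of the reported behaviours, not samples quoted from Vect reporting.

```python
import re
from typing import Dict, List, Set, Tuple
# Constructed sample process-creation records ("host | user | command line").
# Invented test lines for this example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    "ws01 | corp\\jdoe | powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "ws01 | corp\\jdoe | vssadmin.exe delete shadows /all /quiet",
    "ws01 | corp\\jdoe | bcdedit.exe /set {default} safeboot minimal",
    "ws01 | corp\\jdoe | cmdkey.exe /add:fs02 /user:corp\\svc_backup /pass:REDACTED",
    "ws01 | corp\\jdoe | schtasks.exe /create /s fs02 /tn DM-update /tr C:\\temp\\x.exe /sc once",
    "ws01 | corp\\jdoe | sc.exe \\\\fs02 create DMsvc binPath= C:\\temp\\x.exe",
    "ws02 | corp\\asmith | notepad.exe C:\\Users\\asmith\\notes.txt",
]
# (rule name, regex over the command line). The command forms are assumed
# standard invocations of the behaviours reported for Vect, not quoted samples.
RULES = [
    ("defender_realtime_disable",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("safe_mode_boot_config", re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I)),
    ("cmdkey_credential_store", re.compile(r"cmdkey(\.exe)?\s+/add:", re.I)),
    # Remote task creation (/s <host>) using the "DM" task-name prefix noted in reporting.
    ("remote_task_dm_prefix", re.compile(r"schtasks(\.exe)?.*?/s\s+\S+.*?/tn\s+DM", re.I)),
    ("remote_service_install", re.compile(r"sc(\.exe)?\s+\\\\\S+\s+create\b", re.I)),
]
# Rules that mark the impact stage rather than credential staging or movement.
IMPACT_RULES = {"defender_realtime_disable", "shadow_copy_deletion", "safe_mode_boot_config"}

def parse_event(line: str) -> Tuple[str, str, str]:
    host, user, cmd = (part.strip() for part in line.split("|", 2))
    return host, user, cmd

def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern matches this command line."""
    return [name for name, pattern in RULES if pattern.search(cmd)]

def scan(events: List[str]) -> Dict[str, Set[str]]:
    """Group rule hits by originating host."""
    hits: Dict[str, Set[str]] = {}
    for line in events:
        host, _user, cmd = parse_event(line)
        for rule in match_rules(cmd):
            hits.setdefault(host, set()).add(rule)
    return hits

def assess_host(rules: Set[str]) -> str:
    """Heuristic: an impact-stage hit plus at least two other rules is 'high'."""
    if rules & IMPACT_RULES and len(rules) >= 3:
        return "high"
    return "medium" if rules else "none"
```

Because the encryption flaw described above makes many Vect incidents effectively wiper events, catching the shadow-copy deletion and Safe Mode configuration stage before encryption runs matters more than usual.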
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Financial Services
- Health Care Equipment & Services
- Capital Goods
- Commercial & Professional Services
- Energy
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇧🇷 Brazil
- 🇮🇳 India
- 🇿🇦 South Africa
- 🇪🇸 Spain
- 🇮🇱 Israel
- 🇪🇬 Egypt
- 🇮🇹 Italy
Where they're from
Attributed origin per open-source reporting.
- RU
- BY
- UA
- KZ
Tradecraft
47 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
24 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Financially motivated double-extortion RaaS operation with a large-scale affiliate model, linked to supply-chain-derived initial access and destructive encryption behavior that is operationally indistinguishable from a wiper.
Financially motivated double-extortion RaaS operation with rapid affiliate expansion via BreachForums, linked to TeamPCP-sourced supply chain compromises, targeting organizations globally across technology, financial services, healthcare, manufacturing, and other sectors. Its ransomware has a flawed encryption implementation that effectively acts as a wiper.
Russian ransomware-as-a-service group mentioned only as a collaborator of TeamPCP.
An emerging ransomware gang mentioned as having formed an official alliance with TeamPCP.