New ransomware is so badly coded it destroys your files instead of holding them hostage

Alfonso Maruccia

Posts: 2,581   +969
Staff
The takeaway: Ransomware trojans are traditionally designed to "kidnap" enterprise data and demand a cryptocurrency-based ransom in exchange for its release. However, a recently discovered threat is so poorly implemented that victims are unlikely to recover any of their data, even if the ransom is paid in full.

Check Point researchers have uncovered a new ransomware-as-a-service threat with significant design flaws. Vect 2.0 is unable to properly perform its intended function, because it effectively destroys most files rather than encrypting them. The malware behaves more like a wiper, due to what appears to be a fundamental failure in its encryption implementation.

Vect 2.0 contains a critical flaw in its encryption routine, the Israeli researchers explained. The malware splits every file larger than 128KB into four independent data chunks, using a randomly generated 12-byte nonce to encrypt each chunk. However, the first three nonces are discarded, and only the fourth is appended to the encrypted file written to disk.

The result of this flawed design is that all files larger than 128KB are effectively overwritten with small amounts of unusable random data. This wiper-like behavior can silently destroy documents, spreadsheets, virtual machine disk images, databases, archives, and other data critical to an organization's ability to operate.

Vect 2.0 supports three platforms: Windows, Linux, and ESXi virtualization environments. The encryption design flaw is present across all three versions, indicating a shared codebase. The ransomware also contains additional programming issues and bugs, including progressively degraded performance in its encryption routine.

Earlier this year, the Vect team announced a partnership with TeamPCP, a group known for involvement in several high-profile supply-chain attacks in recent weeks. The partnership was intended to expand the pool of potential paying customers, but affiliates in the program were not warned about the design flaw affecting the malware.

Check Point notes that Vect 2.0 is effectively a partially incomplete implementation of a complex RaaS framework. The threat's effectiveness as ransomware appears to fall short of its claims, although that could change in future iterations. The encryption flaw may be addressed in later versions, and the actors have already announced a new "Cloud Lockers" operation targeting cloud storage services through selected RaaS partners.

Permalink to story:

 
I mean, if you already paid them, does it really matter to these people if you do get your data back in one piece or not?
 
The faulty ransomware was probably vibe-coded with the 'dangerous to release' Claude 🤣🤣🤣, thus confirming how dangerous it really is.
 
I mean, if you already paid them, does it really matter to these people if you do get your data back in one piece or not?
Believe it or not, yes to a degree.

Collectively, ransomware is able to continually extort money only if there is a reasonable expectation that the company/organization will actually get their data back and that it will be faster/easier to just pay than to rebuild from scratch.

Businesses and the security industry catches on pretty quickly to ransomware that cannot or will not deliver on promises and then the payments stop coming in. Even if the bad actor rebrands, the software they use often have similar enough signatures that those won't get paid either.

For individual people struck by ransomware the dynamic is different, as the panic of losing irreplaceable data such as personal photos and videos kind of overrides the cost-benefit analysis, but it still pays to fulfill the promise of restoration for similar reasons of "trust."
 
Pretty hard to do over here, when I have a back-up on my entire hard drive, every 12hrs on two different hard drives, and one of them NEVER connected. This isn't rocket science.
 
Believe it or not, yes to a degree.

Collectively, ransomware is able to continually extort money only if there is a reasonable expectation that the company/organization will actually get their data back and that it will be faster/easier to just pay than to rebuild from scratch.

Businesses and the security industry catches on pretty quickly to ransomware that cannot or will not deliver on promises and then the payments stop coming in. Even if the bad actor rebrands, the software they use often have similar enough signatures that those won't get paid either.

For individual people struck by ransomware the dynamic is different, as the panic of losing irreplaceable data such as personal photos and videos kind of overrides the cost-benefit analysis, but it still pays to fulfill the promise of restoration for similar reasons of "trust."
It's that "to a degree" that I'm speaking to.
If someone can quick and dirty code up a ransomware that works to extort (but not necessarily reverse the damage), then they can just jump to something new once it stops being effective.

Not every scammer is thinking about a long term play.
 
Back