Vect is a sophisticated organized crime group operating a Ransomware-as-a-Service (RaaS) platform. First observed in December 2025, the group has rapidly professionalized its operations, targeting the Manufacturing, Education, and Engineering sectors. Vect employs a double-extortion tactic, exfiltrating sensitive data prior to encryption to coerce victims into payment.
The group is distinguished by its use of a custom-built C++ encryptor that leverages the ChaCha20-Poly1305 algorithm. Benchmarks indicate this encryption scheme is approximately 2.5x faster than AES-256-GCM on systems lacking hardware acceleration (e.g., legacy servers, ESXi hosts).
Recent confirmed activity includes a significant breach of the Federal University of Sergipe (Brazil) in January 2026, an attack on an Engineering Services firm in South Africa, and a newly reported incident involving a South Korean University.
Technical Analysis
Malware Architecture
- Language: C++ (Custom build, no code overlap with known families like LockBit or Conti).
- Encryption Scheme: Uses ChaCha20-Poly1305 (Authenticated Encryption with Associated Data).
- Strategic Advantage: High throughput on non-AES-NI CPUs and effective integrity checking to prevent data corruption during the rapid encryption process.
- Cross-Platform Targeting:
  - Windows: Standard executable (`.exe`) utilizing multi-threading.
  - Linux/ESXi: ELF binaries designed to target virtual machine disk images (`.vmdk`, `.vmx`) directly.
Operational Capabilities
- Pre-Encryption Preparation:
  - Process Termination: Aggressively terminates processes related to security software (AV/EDR), backup solutions (Veeam, BackupExec, Acronis), and database services (SQL, Oracle) to release open file handles, since locked files cannot be encrypted.
  - Safe Mode Execution: The ransomware modifies the Boot Configuration Data (BCD) to force a reboot into Safe Mode with Networking. This bypasses many endpoint protection agents that do not load their drivers in Safe Mode.
    - Command Observed: `bcdedit /set {default} safeboot network`
- Lateral Movement:
  - Relies heavily on "Living off the Land" (LotL) techniques, utilizing legitimate administrative protocols such as SMB (Server Message Block) and WinRM (Windows Remote Management) to propagate across the network.
- Exfiltration:
  - Data is staged and exfiltrated prior to encryption. The group likely uses Rclone or proprietary exfiltration tools renamed to masquerade as system processes.
Incident Highlights & Victimology
- Federal University of Sergipe (Brazil):
  - Date: January 8, 2026
  - Impact: 150GB of PII (Student Personal Information) and financial records exfiltrated.
  - Significance: High-volume PII theft from the education sector.
- Engineering Services Firm (South Africa):
  - Date: January 5, 2026
  - Significance: Confirms expansion into the EMEA region and industrial sectors.
- South Korean University:
  - Date: Early January 2026 (Reported by ASEC)
  - Significance: Indicates a global, non-geographically bound targeting strategy.
MITRE ATT&CK Mapping (TTPs)
| Tactic | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of vulnerabilities in VPNs or supply chain tools (e.g., n8n CVE-2026-21858 suspected). |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Used for reconnaissance and stopping services. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Terminates EDR/AV processes; deletes Volume Shadow Copies (vssadmin). |
| Defense Evasion | T1562.009 | Impair Defenses: Safe Mode Boot | bcdedit /set {default} safeboot network |
| Discovery | T1083 | File and Directory Discovery | Scans for sensitive file extensions (.doc, .xls, .pdf, .sql). |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Propagates malware to adjacent systems via administrative shares (C$, ADMIN$). |
| Impact | T1486 | Data Encrypted for Impact | Encrypts files using ChaCha20-Poly1305. |
| Impact | T1490 | Inhibit System Recovery | Deletes shadow copies (vssadmin delete shadows /all /quiet) and backup catalogs (wbadmin delete catalog -quiet). |
Indicators of Compromise (IOCs)
Note: Hash values are representative of current campaigns and may rotate frequently.
Infrastructure
- Leak Site (TOR): `bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid.onion` (Title: "VECT RANSOMWARE // DATA ARCHIVE")
- Victim Chat Portal (TOR): `bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid.onion/chat`
- C2 / Hosting IP: `158.94.210.11` (port 8000 observed)
File Artifacts
- Ransom Note Filename: `VECT_RECOVERY_GUIDE.txt` or `README_VECT.html`
- Encrypted File Extension: `.vect` (appended to the original filename)
- Malware Filenames: `svc_host_update.exe`, `enc_esxi.elf` (Linux/ESXi payload)
Ransom Note Pattern
The ransom note typically follows this structure:
"YOUR DATA HAS BEEN ENCRYPTED BY VECT. DO NOT MODIFY FILES. DO NOT RESTART. TO RECOVER YOUR DATA, ACCESS OUR CHAT PORTAL: bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid.onion/chat USE THIS ID TO LOGIN: [UUID-FORMAT-CHAT-ID]"
Detection & Mitigation Strategies
Detection Opportunities
- Safe Mode Boot Activity: Alert on any execution of `bcdedit` with the `safeboot` flag. This is a high-fidelity indicator of ransomware activity.
- Process Termination: Monitor for high-volume process termination events (Event ID 4688) targeting `sqlservr.exe`, `veeam.exe`, `oracle.exe`, or `beserver.exe`.
- Network Traffic: Detect outbound connections to `158.94.210.11` or abnormal SMB traffic patterns initiating from non-administrative workstations.
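To make the three detection opportunities above concrete, here is an added example (not from the report and not the group's tooling) that runs simple rules over constructed, pipe-delimited renderings of Windows 4688 process-creation events and firewall flow records; the log layout, host names and user names are assumptions, while the process names, command lines and C2 address come from the report. It flags the `bcdedit ... safeboot` command, `vssadmin`/`wbadmin` recovery deletion, `taskkill` against the listed backup and database processes (escalated when several hit one host), and any flow to the C2 IP.

```python
import re

# Constructed sample logs (not from the report): simplified pipe-delimited
# renderings of Windows 4688 process-creation events and firewall flow records.
SAMPLE_LOGS = [
    "4688|host=FS01|user=CORP\\svc_backup|cmd=bcdedit /set {default} safeboot network",
    "4688|host=FS01|user=CORP\\svc_backup|cmd=taskkill /F /IM veeam.exe",
    "4688|host=FS01|user=CORP\\svc_backup|cmd=taskkill /F /IM sqlservr.exe",
    "4688|host=FS01|user=CORP\\svc_backup|cmd=vssadmin delete shadows /all /quiet",
    "4688|host=WS07|user=CORP\\jdoe|cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
    "FLOW|host=WS07|dst=158.94.210.11|dport=8000|proto=tcp",
    "FLOW|host=WS07|dst=10.0.0.5|dport=445|proto=tcp",
]

# Process names and C2 address taken from the report's detection/IOC sections.
TARGET_PROCESSES = {"sqlservr.exe", "veeam.exe", "oracle.exe", "beserver.exe"}
C2_IP = "158.94.210.11"
SAFEBOOT_RE = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.IGNORECASE)
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)
RECOVERY_RE = re.compile(r"vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog", re.I)


def parse(line):
    """Split 'TYPE|k=v|k=v|...' into (type, {k: v})."""
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)


def detect(lines):
    """Return (severity, rule, host, evidence) tuples for matching records."""
    alerts, kills_by_host = [], {}
    for line in lines:
        kind, f = parse(line)
        host = f.get("host", "?")
        if kind == "4688":
            cmd = f.get("cmd", "")
            if SAFEBOOT_RE.search(cmd):          # high-fidelity, per the report
                alerts.append(("high", "safe_mode_boot", host, cmd))
            if RECOVERY_RE.search(cmd):          # T1490 shadow copy / catalog deletion
                alerts.append(("high", "inhibit_recovery", host, cmd))
            m = TASKKILL_RE.search(cmd)
            if m and m.group(1).lower() in TARGET_PROCESSES:
                kills_by_host.setdefault(host, []).append(m.group(1).lower())
        elif kind == "FLOW" and f.get("dst") == C2_IP:
            alerts.append(("high", "c2_contact", host, f"{C2_IP}:{f.get('dport')}"))
    # Two or more backup/database kills from one host in the batch: escalate.
    for host, procs in kills_by_host.items():
        sev = "high" if len(procs) >= 2 else "medium"
        alerts.append((sev, "backup_db_process_kill", host, ",".join(procs)))
    return alerts
```

Calling `detect(SAMPLE_LOGS)` yields four alerts: the safe-mode boot, the shadow copy deletion, the C2 flow from WS07, and a high-severity process-kill alert for FS01; the benign notepad and SMB records produce nothing.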
Mitigation Recommendations
- Immutable Backups: Ensure backups are stored offline or in an immutable state (WORM) to prevent encryption by the ransomware.
- Patch ESXi: Apply the latest security patches to VMware ESXi hosts and disable the SLP service if not in use.
- Disable Administrative Shares: Restrict the use of administrative shares (C$, ADMIN$) to prevent lateral movement.
- MFA Enforcement: Enforce Multi-Factor Authentication on all remote access points (VPN, RDP) and administrative accounts.