The Vect Ransomware: A Definitive Forensic Recovery Guide
In our recovery lab today at Lockbit Decryptor, we analyzed the newly emerged Vect Ransomware-as-a-Service (RaaS) operation. This group claims to have developed a custom C++ codebase targeting Windows, Linux, and VMware ESXi. Our forensic analysis of their advertised capabilities reveals a heavy reliance on ChaCha20-Poly1305 AEAD encryption and Safe Mode execution to bypass security controls. While they claim operational maturity, their use of intermittent encryption suggests a focus on speed over data destruction.
EMERGENCY TRIAGE (THE GOLDEN HOUR)
If you suspect a Vect infection, execute these 4 steps immediately to contain their cross-platform capabilities:
- Network Segmentation: Sever all SMB (TCP 445) and WinRM (TCP 5985/5986) connections. Vect utilizes these protocols for lateral movement and automated GPO propagation.
- Hypervisor Isolation: Do not power off affected ESXi hosts. Vect specifically targets .vmdk and .vhd files; preserving the in-memory state of the host and its guests (suspend running VMs rather than shutting them down, and capture host memory where your tooling allows) is critical for any attempt to recover the ChaCha20 keys from memory.
- Safe Mode Intervention: Check for registry keys or BCD settings that force reboots into Safe Mode. If a system reboots into Safe Mode without administrative action, isolate the machine physically from the network.
- Credential Flush: Assume Domain Admin credentials are compromised. Vect’s payload builder accepts these credentials directly to propagate via Group Policy Objects.
THREAT PROFILE & FORENSICS
Technical Specifications:
| Attribute | Details |
|---|---|
| Threat Name | Vect RaaS |
| Platform | Windows, Linux, VMware ESXi |
| Extension | .vect (see the file extension examples below) |
| Ransom Note | Unknown (TOR-based communication) |
| Contact | TOR Hidden Service (bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid[.]onion) |
| Encryption | ChaCha20-Poly1305 AEAD (Intermittent) |
File Extension Examples:
- database.sql.vect
- report.pdf.vect
- financial.xlsx.vect
- backup.vmdk.vect
- virtual.vhdx.vect
- master.mdf.vect
- transaction.ldf.vect
Persistence Markers:
- Windows Registry: The malware forces Safe Mode execution via HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- ESXi: Check for modified .vmx files and unauthorized access to disk files via the .vmdk descriptor.
- Linux: Utilizes systemd units or cron jobs to maintain persistence across Linux distributions.
Ransom Note Text:
Note: Vect currently operates via a TOR portal. Victims are directed to the onion site for negotiation and data leak status. No standard text file ransom note has been confirmed at this time.
MATHEMATICAL VULNERABILITY ANALYSIS
The Vect variant employs ChaCha20-Poly1305 AEAD: the ChaCha20 stream cipher combined with the Poly1305 one-time authenticator. For a message $M$ with associated data $A$, key $K$ and nonce $N$, encryption is
$$C = M \oplus \mathrm{ChaCha20}_K(N, \mathrm{ctr} \ge 1), \qquad T = \mathrm{Poly1305}_{(r,s)}\big(A \,\|\, \mathrm{pad}(A) \,\|\, C \,\|\, \mathrm{pad}(C) \,\|\, \mathrm{len}(A) \,\|\, \mathrm{len}(C)\big),$$
where the one-time Poly1305 key $(r,s)$ is taken from the first 32 bytes of $\mathrm{ChaCha20}_K(N, \mathrm{ctr}=0)$. The ciphertext $C$ is simply the plaintext XORed with keystream; the tag $T$ only detects tampering and contributes nothing to confidentiality.
Critical Implementation Flaw:
Our lab's interest is in Vect's Intermittent Encryption strategy. To achieve "market-leading speed", Vect skips data blocks and encrypts only portions of each file, which leaves unencrypted gaps in the file structure. Those gaps require no cryptanalysis at all: they are plaintext and can be carved straight off the disk. For the encrypted blocks, a Known-Plaintext Attack (KPA) applies only where the original bytes are predictable (fixed file headers such as the SQLite or PDF magic, zero-filled regions of .vmdk/.vhdx images): XORing known plaintext against ciphertext yields the ChaCha20 keystream for exactly those bytes, and that keystream decrypts other ciphertext only if the same key and nonce were reused. It does not yield the key: ChaCha20's block function is one-way, and each 64-byte block is generated under a separate counter, so keystream from one block says nothing about the next. Recovery without the key therefore rests on the gaps, on known-plaintext regions inside encrypted blocks, and on any nonce or key reuse in the affiliate's implementation, which we have not confirmed for Vect.
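The following is an added worked example, not code from Vect or from Lockbit Decryptor: a constructed model of intermittent ChaCha20 encryption and what a known-plaintext attack on it really recovers. ChaCha20 is implemented from RFC 8439 in pure Python so the script runs offline. The key, the two nonces, the SQLite-like file contents, the "encrypt every other 64-byte block" schedule and the nonce-reuse case are all assumptions made for the demonstration; Poly1305 is omitted because the tag only authenticates and does not change what an attacker can read.

```python
import struct

BLOCK = 64  # ChaCha20 keystream block size in bytes


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _qr(s, a, b, c, d):
    # RFC 8439 quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 64 keystream bytes for (key, counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    init = (list(struct.unpack("<4I", b"expand 32-byte k"))
            + list(struct.unpack("<8I", key))
            + [counter & 0xFFFFFFFF]
            + list(struct.unpack("<3I", nonce)))
    w = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + init[i]) & 0xFFFFFFFF for i in range(16)])


def rfc8439_selfcheck():
    """Block-function test vector from RFC 8439 section 2.3.2 (first 32 bytes)."""
    out = chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000"))
    return out[:32] == bytes.fromhex(
        "10f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4e")


def intermittent_encrypt(key, nonce, data, every=2):
    """Constructed intermittent scheme: block i is XORed with keystream block
    (counter i+1) only when i % every == 0; the other blocks are left as gaps.
    XOR is an involution, so the same call decrypts."""
    out = bytearray(data)
    for off in range(0, len(data), BLOCK):
        blk = off // BLOCK
        if blk % every == 0:
            ks = chacha20_block(key, blk + 1, nonce)
            for j in range(off, min(off + BLOCK, len(data))):
                out[j] ^= ks[j - off]
    return bytes(out)


def recover_keystream(ciphertext, known_plaintext):
    """KPA on a stream cipher: keystream = C xor P wherever P is known."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def apply_keystream(ciphertext, keystream):
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def kpa_recover(ciphertext, known_header, every=2):
    """Everything a KPA recovers from one intermittently encrypted file.
    Returns (data, mask) with mask[i] == 1 where byte i is actually known:
    gap blocks verbatim (they were never encrypted) and, in block 0, only the
    bytes covered by the known header. Other encrypted blocks use independent
    keystream blocks and the block function is one-way, so the recovered
    keystream bytes say nothing about the key or about those blocks."""
    data, mask = bytearray(ciphertext), bytearray(len(ciphertext))
    for off in range(0, len(ciphertext), BLOCK):
        blk, end = off // BLOCK, min(off + BLOCK, len(ciphertext))
        if blk % every != 0:
            mask[off:end] = b"\x01" * (end - off)
        elif blk == 0:
            n = min(len(known_header), end)
            ks = recover_keystream(ciphertext[:n], known_header[:n])
            data[:n] = apply_keystream(ciphertext[:n], ks)
            mask[:n] = b"\x01" * n
    return bytes(data), bytes(mask)


def demo():
    """Constructed inputs: one assumed key, two assumed nonces, two SQLite-like files."""
    key = bytes.fromhex("0f" * 16 + "a5" * 16)
    nonce_a = bytes.fromhex("0102030405060708090a0b0c")
    nonce_b = bytes.fromhex("0c0b0a090807060504030201")
    header = b"SQLite format 3\x00"  # the real 16-byte SQLite magic
    file_a = header + bytes((i * 7) & 0xFF for i in range(300))
    file_b = header + bytes((i * 13 + 5) & 0xFF for i in range(200))
    ct_a = intermittent_encrypt(key, nonce_a, file_a)
    ct_b_reused = intermittent_encrypt(key, nonce_a, file_b)  # hypothetical nonce reuse
    ct_b_fresh = intermittent_encrypt(key, nonce_b, file_b)   # per-file nonce
    ks0 = recover_keystream(ct_a[:16], header)                # keystream for block 0, first 16 bytes
    data, mask = kpa_recover(ct_a, header)
    return {
        "roundtrip": intermittent_encrypt(key, nonce_a, ct_a) == file_a,
        "gap_block_is_plaintext": ct_a[64:128] == file_a[64:128],
        "recovered_bytes": sum(mask),  # 16 header bytes + two 64-byte gaps
        "recovered_match_plaintext": all(data[i] == file_a[i] for i in range(len(mask)) if mask[i]),
        "ks_decrypts_reused_nonce_file": apply_keystream(ct_b_reused[:16], ks0) == header,
        "ks_useless_with_fresh_nonce": apply_keystream(ct_b_fresh[:16], ks0) != header,
        "ks_useless_for_block_2": apply_keystream(ct_a[128:144], ks0) != file_a[128:144],
    }


if __name__ == "__main__":
    print("RFC 8439 block vector OK:", rfc8439_selfcheck())
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dictionary returned by `demo()` is the whole argument in one place: gap blocks come back untouched, the known header gives back exactly 16 bytes of keystream, that keystream is worth something only against another file encrypted under the same key and nonce, and it does nothing for the next encrypted block of the same file. The recovery odds therefore depend on how much of each file the schedule leaves in the clear and on whether the implementation reuses nonces, not on "bridging" the gaps mathematically.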
IT ADMIN TOOLKIT (POWERSHELL AUDIT)
Use this PowerShell script to scan your environment for the specific persistence markers and Vect’s unique Safe Mode execution artifacts.
```powershell
# Lockbit Decryptor Audit Script for Vect Variant
Write-Host "Scanning for Vect Persistence..." -ForegroundColor Cyan

# 1. Audit registry for Safe Mode boot traps: services or drivers added under
#    SafeBoot\Minimal or SafeBoot\Network so a payload keeps running after a Safe Mode reboot
$safeBootKeys = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\*",
                "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\*"
Get-ItemProperty -Path $safeBootKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties.Value -match "veeam|sql|backup" } |
    Select-Object PSPath, @{N = "SuspiciousValue"; E = { $_.PSObject.Properties.Value }}

# 1b. Run key entries and a forced Safe Mode boot flag in the BCD store
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
bcdedit /enum "{current}" | Select-String -Pattern "safeboot"

# 2. Scan for Vect extensions (Depth bounds the recursion; raise it for a full sweep)
Get-ChildItem -Path "C:\" -Filter "*.vect" -Recurse -Depth 3 -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime

# 3. Share access events (5140/5145) as SMB lateral movement indicators
Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 5140, 5145} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "vect|admin" } |
    Select-Object TimeCreated, Id, Message
```
RECOVERY PATHWAYS & CTA
Recovery Options:
- Partial Keystream Recovery: Lockbit Decryptor works from the unencrypted gaps left by Vect's intermittent encryption and from known-plaintext regions (file headers, zero-filled image areas) inside the encrypted blocks. Where such a region exists, XORing it against the ciphertext recovers the ChaCha20 keystream for those bytes; this restores those bytes, and other data only where the same key and nonce were reused. It does not derive the key.
- Forensic Reconstruction: For partially encrypted files, we can use raw disk carving to recover the unencrypted segments and merge them with decrypted data blocks.
- Public Resources: As a new RaaS operation, no free decryptors currently exist for Vect.
- Final Recommendation: Do not engage with the Vect group via their TOR portal. Their claims of "independent C++ development" are likely marketing; their intermittent encryption is a weakness, not a feature, because it leaves large parts of every file in the clear. Engage Lockbit Decryptor to recover what the scheme leaves exposed in your SQL (.mdf/.ldf) and Virtual Machine (.vmdk/.vhdx) assets and to rebuild the rest from backups and carved data.