The analysis of VECT 2.0 ransomware reveals a critical flaw in its encryption mechanism that renders most files irrecoverable after being affected by the malware. This issue is consistent across all three platform variants (Windows, Linux, and ESXi) and predates the 2.0 release.
Key Points:

Encryption Mechanism:
- For small files (≤ 128 KB): the entire file content is encrypted in a single pass using ChaCha20-IETF, with a 12-byte nonce appended at the end of the file.
- For large files (> 128 KB): the file is divided into four chunks, each up to 32 KB, and each chunk is processed separately.

Nonce Handling:
- A fresh random nonce is generated for each chunk using randombytes() (or equivalent).
- All nonces are written into a shared buffer.
- Only the last nonce, from the fourth/final chunk, is appended to the file at EOF.

Flaw Impact:
- The first three quarters of large files are irrecoverable because their unique nonces are overwritten and never stored or transmitted.
- Only the final quarter
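The following is an added example, not code from the Check Point write-up or from the malware: it models the large-file path described above (four chunks, a fresh nonce per chunk written into one shared buffer, only the final nonce appended at EOF) with a from-scratch ChaCha20-IETF (RFC 8439 block function, block counter starting at 0 as in libsodium's crypto_stream_chacha20_ietf_xor) and shows that a decryptor holding the key and the EOF nonce can restore only the final chunk. The key, the sample data and all function names are constructed for the demonstration; how bytes beyond the four-chunk region are handled is not stated in the summary and is not modelled.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
CHUNK_SIZE = 32 * 1024  # four chunks of up to 32 KB, as the summary describes
NONCE_LEN = 12          # ChaCha20-IETF nonce; only the last one is written to EOF

def _quarter_round(s, a, b, c, d):
    """RFC 8439 quarter round on words a, b, c, d of the working state."""
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & MASK32
        t = s[z] ^ s[x]
        s[z] = ((t << shift) | (t >> (32 - shift))) & MASK32

def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 20 rounds, then add the initial state."""
    init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
            *struct.unpack("<8L", key), counter, *struct.unpack("<3L", nonce)]
    s = init[:]
    for _ in range(10):
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *idx)
    return struct.pack("<16L", *((x + y) & MASK32 for x, y in zip(s, init)))

def chacha20_ietf_xor(key, nonce, data, counter=0):
    """XOR data with the keystream; counter starts at 0 as in libsodium's crypto_stream_chacha20_ietf_xor."""
    out = bytearray(data)
    for off in range(0, len(data), 64):
        block = _chacha20_block(key, counter + off // 64, nonce)
        for i in range(min(64, len(data) - off)):
            out[off + i] ^= block[i]
    return bytes(out)

def encrypt_large_file_as_described(plaintext, key, chunk_size=CHUNK_SIZE):
    """Model of the flawed path: fresh nonce per chunk into one shared buffer, only the
    final nonce appended at EOF. Bytes past the four-chunk region are not modelled (assumption)."""
    out, nonce_buffer = bytearray(), None
    for i in range(0, min(len(plaintext), 4 * chunk_size), chunk_size):
        nonce_buffer = os.urandom(NONCE_LEN)  # stand-in for randombytes(); overwrites the previous nonce
        out += chacha20_ietf_xor(key, nonce_buffer, plaintext[i:i + chunk_size])
    return bytes(out) + nonce_buffer

def recoverable_chunks(plaintext, key, chunk_size=CHUNK_SIZE):
    """Decrypt every chunk with the one nonce a decryptor has (from EOF); report which chunks come back intact."""
    blob = encrypt_large_file_as_described(plaintext, key, chunk_size)
    stored_nonce, ct = blob[-NONCE_LEN:], blob[:-NONCE_LEN]
    return [chacha20_ietf_xor(key, stored_nonce, ct[i:i + chunk_size]) == plaintext[i:i + chunk_size]
            for i in range(0, len(ct), chunk_size)]
```

With any key and any four-chunk input, recoverable_chunks returns [False, False, False, True]: the first three chunks decrypt to keystream garbage because their nonces were overwritten before being written out, which is the "three quarters irrecoverable" result above.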
Read the full article at Check Point Research