Summary:
A new ransomware gang calling itself Vect is recruiting affiliates and preparing for further operations. Operating as a ransomware-as-a-service (RaaS), the group launched its affiliate program in late December 2025 and began active operations a week later. Vect claims its malware was built independently using C++ (rather than repurposing leaked source code from predecessors), targets multiple operating systems, and boasts strong operational security. The group has publicly listed two alleged victims on its leak site, though there is no victim or third-party confirmation beyond the actors’ own claims.
Background:
On 31 December 2025, an account operating under the name “vect” posted an affiliate recruitment advertisement on a Russian-language cybercrime forum. Active targeting began shortly thereafter in early January 2026. The group’s infrastructure consists of three TOR-based components observed through leak site monitoring:
- An affiliate onboarding portal
- A victim communication platform
- A public-facing site for publishing stolen data
The affiliate program advertises a generous five-tier revenue-sharing model, dedicated negotiators, ticket-based support, and multilingual interfaces. Entry fees vary by geography: applicants pay no fee if they are located inside one of the former Soviet republics that make up the Commonwealth of Independent States (CIS) and pay $250 if they are located outside the CIS, a model commonly used by Russian-speaking ransomware operations. The original Vect account is still active, despite the original forum post now being hidden by moderators.
Claimed Victims:
Vect has claimed two victims since 6 January, one in Brazil and one in South Africa. The group has not yet published any victim data.
Risk Analysis:
Encryption Methods: The group advertises the use of ChaCha20-Poly1305 AEAD and emphasizes locker speed, which is more consistent with partial or selective file-level encryption than with full-file encryption. ChaCha20-Poly1305 is an AEAD construction that pairs the ChaCha20 stream cipher with the Poly1305 authenticator; ChaCha20 generally outperforms AES on systems lacking dedicated hardware acceleration, which can account for part of the performance claims. In a later follow-up response to a user inquiry, the developer stated that the observed speed is achieved through intermittent encryption, whereby the malware skips data blocks by default and encrypts only portions of each file rather than processing files in their entirety. (Advertisement, translated from Russian: “ChaCha20-Poly1305 AED – a modern and secure encryption algorithm” / “High locker speed – the fastest on the market”).
Platform Support: The ransomware functions across three environments: Windows, Linux, and VMware ESXi. This cross-platform approach aligns with broader ransomware trends targeting virtualized infrastructure for maximum disruption. We assess the ransomware evades Endpoint Detection and Response (EDR) through execution in Windows Safe Mode, enabling encryption while security services are suppressed.
Advertised Offensive Features:
Operational Security Practices:
The advertisement and supporting intelligence indicate attention to anonymity:
Threat Analysis:
The operational maturity on display, with purpose-built tooling, infrastructure across multiple TOR services, structured affiliate terms, and attention to operational security, points to individuals with prior experience in ransomware operations. However, the limited number of claimed victims and the focus on targets in Brazil and South Africa may suggest the group is in an early validation phase, testing capabilities before scaling to more lucrative targets in North America or Western Europe.
On 21 January, the original Vect account was observed requesting compromised Fortinet accounts on the same Russian-speaking forum, indicating the individual is still highly active. The technical claims originate primarily from the group’s self-promotional materials and have not been independently validated through malware analysis. Actual capabilities may differ from advertised features.
Mitigations:
- Initial Access Hardening for Edge Appliances: Prioritize hardening and access control for perimeter devices and remote access, including Fortinet accounts and management interfaces. Apply updates promptly, restrict administrative exposure, and enforce strong authentication for all remote and privileged access. [M1051] [M1032] [M1026]
- Containment for Cross-Platform and ESXi Impact: Assume Vect may target Windows, Linux, and VMware ESXi. Segment management networks, restrict access to hypervisor management planes, and limit lateral movement paths through administrative protocols and file shares. [M1030] [M1035]
- Detection Focus on Safe Mode and Intermittent Encryption: Increase monitoring for suspicious Safe Mode boots and associated security control suppression, as well as rapid, selective file encryption patterns consistent with intermittent encryption. Centralize and review relevant logs and telemetry to support rapid scoping and containment. [M1047] [M1042]
- Deploy Dedicated Anti-Ransomware Controls: Deploy a dedicated anti-ransomware solution that blocks execution of malicious binaries before they run [M1038], detects and prevents ransomware runtime behavior and data exfiltration attempts [M1040], and prevents tampering and network intrusion that enable propagation and encryption [M1031].
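The intermittent encryption described under Encryption Methods leaves a recognizable footprint that the detection mitigation above can key on: a partially encrypted file mixes high-entropy (encrypted) chunks with untouched low-entropy plaintext, whereas a fully encrypted file is uniformly high-entropy. The following is an added example, not code from the advisory or from Halcyon, that profiles per-chunk Shannon entropy and flags that mixed pattern; the chunk size, thresholds, and sample inputs are assumptions chosen for illustration, and seeded PRNG bytes stand in for ChaCha20 ciphertext.

```python
import math
import random

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5  # bits per byte: random-looking (encrypted or compressed) data
LOW_ENTROPY = 6.0   # bits per byte: typical text and structured plaintext

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def chunk_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """One letter per chunk: H (high entropy), L (low entropy), M (in between)."""
    out = []
    for i in range(0, len(data), chunk_size):
        e = shannon_entropy(data[i:i + chunk_size])
        out.append("H" if e >= HIGH_ENTROPY else "L" if e <= LOW_ENTROPY else "M")
    return "".join(out)

def looks_intermittently_encrypted(data: bytes, chunk_size: int = CHUNK_SIZE) -> bool:
    """True when the data mixes H and L chunks with at least two H/non-H transitions.
    Fully encrypted files profile as all H and untouched plaintext as all L/M,
    so only partially (intermittently) encrypted files match."""
    profile = chunk_profile(data, chunk_size)
    transitions = sum(1 for a, b in zip(profile, profile[1:]) if (a == "H") != (b == "H"))
    return "H" in profile and "L" in profile and transitions >= 2

def constructed_samples() -> dict:
    """Constructed inputs (assumption): seeded PRNG bytes stand in for ciphertext."""
    rng = random.Random(1234)
    text = (b"Quarterly report: revenue up 4% on prior period. " * 100)[:CHUNK_SIZE]
    cipher = lambda: bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    return {
        "plaintext": text * 4,
        "full": b"".join(cipher() for _ in range(4)),
        "intermittent": text + cipher() + text + cipher(),  # every other chunk encrypted
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, chunk_profile(blob), looks_intermittently_encrypted(blob))
```

Run over recently modified files on a file server or ESXi datastore, the mixed profile is a useful triage signal; compressed or already-encrypted formats (archives, media, disk images) will read as uniformly high-entropy rather than mixed and so do not trigger this check.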
Indicators of Compromise (IOCs):
Monero Wallet Address (Affiliate Recruitment):
876yVkL4S7p5rWKbTxHs6e7gbTeqqas4AcC6WwMZ1d8r0B31jYBzqJFHJ88E33cYcc3jfKjQcBp3oqN8bLEan2JTzYkyq8RdVAkTv
TOR Infrastructure:
bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid[.]onion
References:
Source Summary
This alert is based on information from dark web monitoring, the group’s original recruitment advertisement, leak site observations, and published threat intelligence. Technical claims attributed to the advertisement reflect the group’s self-reported capabilities and have not been verified through independent reverse engineering. Assessments may be revised as additional evidence becomes available.
The Halcyon Ransomware Research Center unites experts, drives smart policies, and delivers actionable intelligence to detect, disrupt, and defeat ransomware. Explore the Center’s latest reports, analysis, and resources here.