Broken VECT 2.0 ransomware is silently destroying any file larger than 131 KB on Windows, Linux, and ESXi - paying the ransom recovers nothing
Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.
- Check
- Make sure every host that handles documents, databases, or virtual machine images has tested, off-network backups - because if VECT 2.0 hits, restore from backup is your only path.
- Affected
- Any Windows, Linux, or VMware ESXi system reachable through the exposed or unpatched RDP, SMB, or VPN services that VECT 2.0 operators use for initial access. The 131 KB threshold catches almost everything that matters: Office documents, PDFs, databases, virtual machine disks, source code repos. Small config files survive, which makes the attack look partially recoverable until victims realize the scope.
- Fix
- Verify backups are off-network (immutable storage, air-gapped tape, S3 object lock) and test restore for at least one large file from each business-critical system; a drill that only restores small files proves nothing about the files VECT 2.0 destroys. If hit by VECT 2.0, do not pay the ransom: large files cannot be recovered even if the operator delivers a working decryption tool, so the decryptor reporting them as 'corrupted' is the expected outcome, not a support problem. Scope the damage by file size, treat every encrypted file above the threshold as lost, and restore from clean backup. Watch for VECT 2.0 indicators in EDR feeds; the bug may be patched in future versions.
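The two checks above (scope a hit by file size, and prove a restore drill covered a large file) as an added Python example. This is not VECT 2.0 analysis tooling or code from the researchers; the threshold is an assumption (the report says "about 131 KB" and gives no exact byte count, so 131072 bytes is used and should be confirmed against a real sample), the report names no file extension appended by the ransomware (so `suffix` is left for the caller), and the sample tree is constructed.

```python
"""Scope a VECT 2.0 hit by file size and verify a restore drill exercised a large file.

Added example, not code from the report or the ransomware's researchers.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed boundary: the report says "about 131 KB" and gives no exact byte
# count; 131072 bytes (128 KiB) is the nearest round value. Confirm it
# against a real sample before scoping an incident with it.
THRESHOLD = 131072


def scope_damage(root, threshold=THRESHOLD, suffix=None):
    """Split every file under `root` into recoverable (<= threshold) and lost (> threshold).

    `suffix` optionally restricts the walk to the extension the ransomware
    appended (the report names none, so the caller supplies it). Sizes come
    from the files on disk; if the encrypted copies differ in size from the
    originals, scope from a pre-incident inventory instead.
    """
    root = Path(root)
    report = {"recoverable": [], "lost": [], "recoverable_bytes": 0, "lost_bytes": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if suffix is not None and path.suffix != suffix:
            continue
        size = path.stat().st_size
        bucket = "lost" if size > threshold else "recoverable"
        report[bucket].append(path.relative_to(root).as_posix())
        report[bucket + "_bytes"] += size
    return report


def sha256(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB VM disks do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def restore_drill(live_root, restored_root, threshold=THRESHOLD):
    """Compare files restored from backup against the live copies.

    Fails unless at least one file over the threshold was actually restored
    and every restored file hashes identically to its live counterpart.
    """
    live_root, restored_root = Path(live_root), Path(restored_root)
    out = {"compared": [], "mismatched": [], "missing": [], "large_file_tested": False}
    for restored in sorted(restored_root.rglob("*")):
        if not restored.is_file():
            continue
        rel = restored.relative_to(restored_root)
        live = live_root / rel
        if not live.is_file():
            out["missing"].append(rel.as_posix())   # restored something that no longer exists live
            continue
        out["compared"].append(rel.as_posix())
        if live.stat().st_size > threshold:
            out["large_file_tested"] = True
        if sha256(live) != sha256(restored):
            out["mismatched"].append(rel.as_posix())
    out["passed"] = out["large_file_tested"] and not out["mismatched"] and not out["missing"]
    return out


def build_sample_tree(base):
    """Constructed sample data (not from any real incident) for running the checks offline."""
    base = Path(base)
    (base / "docs").mkdir(parents=True)
    (base / "docs" / "config.ini").write_bytes(b"[db]\nhost=localhost\n")      # small: encrypts reversibly
    (base / "docs" / "boundary.bin").write_bytes(b"\x00" * THRESHOLD)           # exactly at the threshold
    (base / "docs" / "quarterly.pdf").write_bytes(b"%PDF" + b"\x01" * 300_000)  # large: destroyed by the bug
    return base


def demo(restore_only=None, tamper=False):
    """Run both checks on the constructed tree in a scratch directory and return their reports.

    `restore_only` limits the simulated restore to the given relative paths;
    `tamper` corrupts the restored large file to show what a failed drill looks like.
    """
    work = Path(tempfile.mkdtemp())
    try:
        live = build_sample_tree(work / "live")
        restored = work / "restored"
        restored.mkdir()
        for src in live.rglob("*"):
            if not src.is_file():
                continue
            rel = src.relative_to(live).as_posix()
            if restore_only is not None and rel not in restore_only:
                continue
            dst = restored / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dst)                 # stand-in for pulling the file from backup
        if tamper:
            with open(restored / "docs" / "quarterly.pdf", "r+b") as f:
                f.seek(100)
                f.write(b"\xff")
        return {"scope": scope_damage(live), "drill": restore_drill(live, restored)}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
    print(demo(restore_only={"docs/config.ini"})["drill"])
```

Point `scope_damage` at a real share or datastore to get the byte total that must come back from backup; the `restored_root` side of `restore_drill` is a scratch directory you restore into during a drill, and the check refuses to pass unless a file above the threshold was part of it.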