Newly developed ransomware accidentally deletes files, making extortion difficult
A critical coding error in a new type of ransomware being deployed by cybercriminals deletes all files larger than 128 kilobytes—about the size of a short text-only document—instead of encrypting them as intended.
This mishap could leave the bad guys without the trove they need to extort a payment from any organization, including hospitals and health systems. But if proper backups aren’t in place, the data gets lost forever anyway.
Cybersecurity experts at Check Point Research (CPR) were the first to discover the issue with VECT 2.0, a type of ransomware available on dark web forums, made popular after its developers—known only as VECT Ransomware—successfully launched two cyberattacks against supply-chain infrastructure.
In a report released Tuesday, CPR included a screenshot of VECT saying it had teamed up with the notorious cybercrime syndicate TeamPCP, believed to be located in Russia. The cybersecurity firm said TeamPCP was behind “several supply-chain attacks in March 2026,” and that the plan was for VECT to hold the future victims of TeamPCP for ransom, using VECT 2.0.
The problem is that the error in VECT would cause nearly all the data it intends to encrypt and move offsite to be deleted, including everything from photos to financial records.
CPR said the error is caused by a “critical flaw in the encryption implementation” that the program is meant to use to capture information from victims' databases.
If victims paid whatever was demanded by hackers and were given a decryption code to reclaim their data, that application would simply not work because the data would be wiped, CPR wrote.
A ‘data wiper with a ransomware facade’
In what seems to be a pattern of mistakes, researchers confirmed that VECT 2.0 does not work as advertised. To put it plainly, the developers boast about security features that make the ransomware seem more powerful and secure than it actually is.
According to CPR, multiple features related to security and encryption modes simply do not work, painting the picture of an amateur criminal gang with “operational ambition” but with “cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run.”
To date, there are no known cyberattacks in healthcare credited to VECT, and TeamPCP seems focused on IT and telecommunications infrastructure. However, the reality of what VECT 2.0 does may be a lesson about the futility hospitals face when paying a ransom—because on paper at least, it’s similar to ransomware deployed against hospitals all the time.
“VECT 2.0 cannot function as recoverable ransomware; it is operationally a data wiper. Victims who pay the ransom cannot receive a functional decryptor for their most critical files – not because the operator is uncooperative, but because the nonces required for decryption no longer exist,” CPR wrote.
