Dateline: April 29, 2026
The RaaS Operation That Destroys Your Data and Then Asks You to Pay
Most ransomware encrypts your data and demands payment to unlock it. Vect 2.0 skips the second part. A critical flaw in its code permanently destroys any file larger than 131KB, meaning victims who pay get nothing back. Researchers at Check Point discovered this, and the implications for enterprise security teams are significant.
What Happened?
Vect 2.0 is a Ransomware-as-a-Service program that first appeared in December 2025 on a Russian-language cybercrime forum. The group claimed its first two victims in January 2026 and released version 2.0 in February 2026, expanding its reach across Windows, Linux, and VMware ESXi systems.
Vect 2.0 operates under the “Exfiltration, Encryption, Extortion” model, combining data theft and encryption with public shaming on a data leak site to pressure victims into paying. An entry fee of $250, payable in Monero, is required for affiliates, with the fee waived for applicants from CIS countries.
The malware gained visibility in March 2026 when Vect announced a partnership with TeamPCP, a threat actor behind supply-chain attacks that injected malware into widely-used packages including Trivy, Checkmarx KICS, LiteLLM, and Telnyx. The group also established a formal partnership with BreachForums, giving every registered forum member free access to deploy the ransomware as an affiliate.
As of late February 2026, Vect 2.0’s data leak site listed 20 active victims, with data already published for six organizations and 14 more under negotiation. Victims span multiple regions, with Brazil and the United States each recording four cases, India three, and additional organizations in South Africa, Egypt, Spain, Colombia, Italy, and Namibia.
Here is the part that changes the calculus entirely. Despite its polished builder panel, a critical coding flaw effectively turns it into a data wiper. Any file exceeding 131,072 bytes is not properly encrypted but instead rendered permanently unrecoverable. Check Point’s Eli Smadja confirmed that paying a ransom is futile, since the decryption information is destroyed immediately as the malware operates.
The Impact
Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds and the same nonce-handling flaw throughout, confirming a single codebase ported across all three platforms. That means the destruction is consistent regardless of which system gets hit.
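The one number in the article that matters for recovery planning is the 131,072-byte threshold: files above it are gone whatever happens with the ransom, files at or below it were at least put through a working encryption path. The following is an added example (not Check Point's analysis code nor anything from the page) that turns that threshold into a recovery-scoping triage for incident responders. It assumes only the threshold stated above; the file inventory is constructed, and walk_tree() is a convenience for running the same classification over a real post-incident filesystem.

```python
"""Recovery-scoping triage for a Vect 2.0-style size-threshold wiper.

Added example, not code from Check Point or from the article. The only fact it
relies on is the article's threshold: files strictly larger than 131,072 bytes
are destroyed by the flaw, so they can only come back from backups; smaller
files were encrypted by a functioning code path. Responders can use the output
to decide which backup sets to restore first, before any ransom discussion.
"""
import os
from collections import defaultdict

# Threshold reported in the article: anything strictly larger is destroyed.
SIZE_THRESHOLD = 131_072


def _bucket(size):
    return "unrecoverable" if size > SIZE_THRESHOLD else "encrypted_only"


def classify_files(entries):
    """Split (path, size_in_bytes) pairs into two lists of paths:
    'unrecoverable' (must be restored from backup) and 'encrypted_only'."""
    buckets = {"unrecoverable": [], "encrypted_only": []}
    for path, size in entries:
        buckets[_bucket(size)].append(path)
    return buckets


def summarize(entries):
    """Aggregate counts and bytes per bucket, plus counts per top-level
    directory, so the restore order can follow where the loss is worst."""
    per_bucket = {"unrecoverable": {"count": 0, "bytes": 0},
                  "encrypted_only": {"count": 0, "bytes": 0}}
    per_dir = defaultdict(lambda: {"unrecoverable": 0, "encrypted_only": 0})
    for path, size in entries:
        key = _bucket(size)
        per_bucket[key]["count"] += 1
        per_bucket[key]["bytes"] += size
        top = path.split("/", 1)[0] if "/" in path else "."
        per_dir[top][key] += 1
    return {"buckets": per_bucket, "by_directory": dict(per_dir)}


def walk_tree(root):
    """Collect (relative_path, size) pairs from a real directory tree.
    Sizes come from stat(), so the result does not depend on whatever
    extension the malware appended to the files."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable entries are skipped, never guessed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, size))
    return entries


# Constructed sample inventory standing in for a hit file share (not real data).
SAMPLE_ENTRIES = [
    ("finance/ledger-2026.xlsx", 2_400_000),
    ("finance/notes.txt", 4_096),
    ("hr/payroll.csv", 131_072),    # exactly at the threshold: not destroyed
    ("hr/contracts.pdf", 131_073),  # one byte over: destroyed
    ("vm/web01-flat.vmdk", 40_000_000_000),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES))
```

Run it against the sample inventory, or point walk_tree() at a mounted image of the affected share and feed its result to summarize(). Note the boundary: the article says "exceeding 131,072 bytes", so a file of exactly that size lands in the encrypted_only bucket, and the example treats the threshold as strict for that reason.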
The ESXi variant targets VMware ESXi hypervisors, wiping logs and encrypting victim files at the VMware File System mount point. It also supports SSH-based lateral movement, attempting to use available credentials to connect to known SSH hosts. A single compromised ESXi host can cascade across every virtual machine running on it.
Targeted sectors include manufacturing, education, healthcare, and technology, with a focus on organizations that have critical operational or personal data and often limited downtime tolerance. These are exactly the environments where file destruction, not mere encryption, causes the most irreversible damage.
The convergence of supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment. The low affiliate barrier means more attackers will gain access to these tools, regardless of the technical flaws underneath.
How to Avoid This
Because paying does not work with Vect 2.0, prevention and recovery preparation are the only viable approaches.
- Maintain offline, immutable backups following the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite and air-gapped from your primary network. Test restoration procedures regularly under realistic failure scenarios. An untested backup is not a backup – it’s a liability that creates false confidence.
- Isolate ESXi management interfaces from the rest of your network. Limit which accounts can access virtualization infrastructure and apply strict multi-factor authentication on all administrative logins.
- Security teams should watch for PowerShell-based disabling of Windows Defender, event log clearing activity, and unusual safe-mode boot configuration changes, which are key behavioral indicators of this ransomware.
- Known indicators of compromise include the historical IP 158.94.210.11:8000, and the identified payload filenames svchostupdate.exe for Windows and encesxi.elf for Linux and ESXi systems. Block these where applicable.
- Validate the integrity of third-party software dependencies. Given Vect’s partnership with TeamPCP, supply chain compromise is a confirmed entry vector.
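The behavioral indicators and the IoCs in the two bullets above can be turned into a small correlation rule set. The block below is an added example, not Secure.com's or Check Point's detection content. The three behavior classes (PowerShell disabling of Defender, event log clearing, safe-mode boot changes) and the IoC values (158.94.210.11:8000, svchostupdate.exe, encesxi.elf) are taken from the article; the regular expressions that recognize those behaviors in command-line telemetry, the key=value log format, and the sample log lines are this example's own assumptions and should be tuned to real telemetry.

```python
"""Behavioral and IoC matching for the Vect 2.0 indicators listed in the article.

Added example, not vendor code. Behavior classes and IoC values are from the
article; the regexes describe how those behaviors commonly appear in
command-line logs and are assumptions to adapt to your own sources.
"""
import re

# Indicators of compromise exactly as the article lists them.
IOC_IP = "158.94.210.11"
IOC_PORT = "8000"
IOC_FILENAMES = ("svchostupdate.exe", "encesxi.elf")

# Behavioral rules (assumed command-line shapes for the article's indicators).
BEHAVIOR_RULES = {
    "defender_disable": re.compile(
        r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.IGNORECASE),
    "eventlog_clear": re.compile(
        r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b)", re.IGNORECASE),
    "safeboot_change": re.compile(
        r"bcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE),
}
IOC_IP_RE = re.compile(re.escape(IOC_IP) + r"(:" + IOC_PORT + r")?\b")
IOC_FILE_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, IOC_FILENAMES)) + r")\b", re.IGNORECASE)


def host_of(line):
    """Pull the host= field out of a key=value telemetry line."""
    for token in line.split():
        if token.startswith("host="):
            return token[len("host="):]
    return "unknown"


def match_line(line):
    """Return the names of every rule that fires for one telemetry line."""
    hits = [name for name, rx in BEHAVIOR_RULES.items() if rx.search(line)]
    if IOC_IP_RE.search(line):
        hits.append("ioc_ip")
    if IOC_FILE_RE.search(line):
        hits.append("ioc_filename")
    return hits


def triage(lines):
    """Group hits per host and escalate a host once two or more distinct rule
    classes have fired on it, so one noisy event alone does not page anyone.
    Returns {host: (sorted_rule_names, escalate)}."""
    per_host = {}
    for line in lines:
        hits = match_line(line)
        if hits:
            per_host.setdefault(host_of(line), set()).update(hits)
    return {h: (sorted(r), len(r) >= 2) for h, r in per_host.items()}


# Constructed sample telemetry (not real logs): one workstation showing the
# article's behavior chain, one ESXi host contacting the listed IP, and one
# workstation doing benign admin work that must not trigger.
SAMPLE_LOG = [
    "ts=2026-03-12T08:11:02Z host=WS-042 src=powershell cmd=Set-MpPreference -DisableRealtimeMonitoring $true",
    "ts=2026-03-12T08:11:09Z host=WS-042 src=proc file=C:\\Users\\Public\\svchostupdate.exe",
    "ts=2026-03-12T08:12:30Z host=WS-042 src=cmd cmd=wevtutil cl Security",
    "ts=2026-03-12T08:12:41Z host=WS-042 src=cmd cmd=bcdedit /set {default} safeboot minimal",
    "ts=2026-03-12T08:13:00Z host=ESX-01 src=netflow dst=158.94.210.11:8000 proto=tcp",
    "ts=2026-03-12T08:13:05Z host=ESX-01 src=sshd file=/tmp/encesxi.elf",
    "ts=2026-03-12T09:00:00Z host=WS-017 src=powershell cmd=Get-MpPreference",
    "ts=2026-03-12T09:05:00Z host=WS-017 src=cmd cmd=wevtutil qe Application /c:5",
]

if __name__ == "__main__":
    for host, (rules, escalate) in triage(SAMPLE_LOG).items():
        print(host, "ESCALATE" if escalate else "watch", rules)
```

The escalation-on-two-classes rule is the design choice worth keeping: an IP hit on its own may be a scanner, a single Defender configuration change may be an admin, but a host that shows both a behavior and an IoC within the same window is the pattern the article describes and deserves an immediate containment playbook.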
How Secure.com Helps
Vect 2.0 moves fast and hits multiple systems at once – exactly the scenario where manual triage fails and automated correlation becomes critical. Secure.com’s SOC Teammate is built for this: cross-platform threat detection with human-supervised response, giving teams the detection and response speed they need before file destruction begins.
- Secure.com turns fragmented telemetry into early-warning security intelligence — ingesting signals across cloud, identity, endpoint, SIEM, and scanner sources, normalizing them using OCSF (Open Cybersecurity Schema Framework), correlating related alerts, and surfacing behavioral escalation indicators before they become full incidents.
- Attack Path analysis visualizes how attackers could chain weaknesses across systems, calculating blast radius from exposed entry points to crown-jewel assets and highlighting chokepoints where remediation breaks multiple attack paths through ESXi or SSH.
- Vulnerability Management flags unpatched systems in your ESXi and Linux infrastructure, prioritizing based on CVSS scores augmented with KEV (Known Exploited Vulnerabilities) data, asset criticality, and real-world exploitability – not just severity scores alone.
- Workflow automation triggers containment playbooks the moment suspicious activity is detected, cutting response time without waiting on manual escalation.
- The AI SOC Teammate surfaces the full incident context in plain language through natural language queries, enabling analysts to ask ‘Which assets are exposed?’ and receive actionable answers with reasoning paths – eliminating the need to manually correlate logs across multiple tools.