Inside Vect Ransomware-as-a-Service
Vect ransomware, a new group that emerged in January 2026, has recently begun attracting attention in the cybersecurity space for its strategic partnerships, which are helping it expand. One notable collaboration is with TeamPCP, with evidence already surfacing as the latest victims on Vect's leak site appear to have been posted on behalf of TeamPCP.
SpiderLabs assesses that Vect ransomware poses an emerging threat due to its partnership with TeamPCP, a threat actor known for recent supply chain attacks that compromised widely trusted open-source security tools, including vulnerability scanners Trivy and KICS, the AI gateway LiteLLM, and the official Python SDK of Telnyx. Vect's open affiliate program, which allows anyone to join, significantly expands its reach and attack capacity. This combination of advanced supply chain tactics from an experienced partner and a low barrier to entry for new affiliates creates potential for rapid escalation in both attack volume and sophistication.

Figure 1. Vect ransomware leak site.
Vect ransomware has also partnered with BreachForums, further expanding its operations by distributing affiliate keys to forum members and granting exclusive access to its capabilities, making all BreachForums members affiliates of the Vect RaaS operation. These partnerships with BreachForums and TeamPCP have allowed the group to increase its membership, target larger supply chain operators, and deploy ransomware at scale, resulting in greater impact and disruption.

Figure 2. An underground forum post from the Vect ransomware group announcing its partnership with BreachForums.

Figure 3. BreachForums partnership announcement on Vect’s leak site.
Victimology
Vect has published a total of 25 victims on its leak site, with the first victim posted on January 5. The United States is the most targeted country, accounting for seven of the reported victims, while the Technology sector is the most frequently targeted industry.

Figure 4. Top countries targeted by Vect ransomware.
Vect also maintains an account on X (formerly Twitter) where it posts announcements and claims of targeted victims. Some of these posts appear to carry a taunting tone, which may be interpreted as intimidation or psychological pressure on the targeted organizations.
Notably, several companies mentioned on Vect’s X account do not appear on its ransomware leak site and the group claims to have “300 unreleased victims.” However, there are also some inconsistencies in its posts. While Vect claims it does not target hospitals or non-profit organizations, a previously listed victim appears to have come from the healthcare sector, which contradicts that claim.

Figure 5. Vect’s X post claiming that it does not target hospitals or non-profit organizations.
Inside Vect's RaaS Panel
There are two ways to become an affiliate of the Vect Ransomware-as-a-Service (RaaS) program.
The first is through the “Register” option on its leak site. Registration requires an invite code, which costs $250 in Monero (XMR).

Figure 6. Invite code access instructions on Vect’s leak site.
The second way is by joining BreachForums. Once a user registers on the forum, an access key is automatically delivered to their inbox, providing immediate entry into the program.

Figure 7. Vect access key delivered automatically upon registration at BreachForums.
Affiliate Panel
After logging in, affiliates are greeted by a dashboard displaying key operational statistics, including the number of builds, login activity, total online time, and active targets.

Figure 8. Vect affiliate panel.
To generate a payload, affiliates must first create a victim folder. From there, the builder supports multiple target platforms, including Windows, Linux, ESXi, and an unreleased exfiltration tool. This shows that the threat actors behind Vect are still actively developing payloads for their operations.

Figure 9. Vect ransomware binary builder.

Figure 10. A ‘coming soon’ message displayed under the exfiltration tool builder.
Commission Structure
Vect also uses a tiered commission model, where affiliates start with an 80% cut at Level 1, with the cut increasing incrementally as total ransom earnings grow. Affiliates who surpass $75 million reach the maximum level, Level 5, earning 89% while the panel retains only 11%.

Figure 11. Vect commission structure.
The panel also includes tabs for announcements, FAQs, and rules, but as of writing, these sections remain empty with no content published yet.
Ransomware Payloads
While building a sample from the Vect ransomware panel, one detail immediately stood out: the compiled payload contained strings referencing Devman 3.0, a separate ransomware group with over 180 claimed victims. These strings appeared in both the usage guide and the debug logs printed during encryption. A closer comparison of the Devman and Vect ransom notes also revealed noticeable similarities in structure and phrasing, suggesting a possible connection between the two. Notably, Devman reportedly stepped away from operations in February, days after the first Vect ransomware sample was seen on VirusTotal. Earlier Vect samples (V2.0) from VirusTotal are otherwise identical to the panel-generated sample; the “Devman 3.0” string is the only difference.

Figure 12. Usage of built Vect ransomware.

Figure 13. Debug logs when running Vect ransomware.

Figure 14. Striking similarities between Vect and Devman ransomware notes.
Windows
For Windows, Vect ransomware has the following usage:
| Parameter | Details |
| --- | --- |
| -h, --help | Help |
| -v, --verbose | Verbose output |
| -p, --path <dir> | Target specific path |
| -c, --creds <b64> | Override credentials |
| --gpo | Enable GPO spread |
| --nogpo | Disable GPO spread |
| --mount | Enable network mount (default) |
| --no-mount | Disable network mount |
| --stealth | Enable self-delete (default) |
| --no-stealth | Disable self-delete |
| --force-safemode | Force safemode boot |
The sample implements obfuscated strings to hinder analysis. Rather than storing plaintext strings for commands and data, it keeps them as encrypted bytes that are assembled and decoded at runtime using rotating XOR.

Figure 15. Deobfuscation routine.
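As an added example (not code from the Vect sample or from SpiderLabs), the decoder below shows how an analyst recovers strings protected by a rotating XOR, assuming the usual scheme in which a multi-byte key is cycled across the buffer. The key, the crib and the encoded blobs are constructed for the demonstration, since the page gives neither the sample's key nor its key length.

```python
"""Decoder for rotating-XOR obfuscated strings.

Added example, not code from the Vect sample or from SpiderLabs. It assumes
the common 'rotating XOR' scheme in which a multi-byte key is cycled over the
ciphertext (byte i is XORed with key[i % len(key)]); the sample's real key and
key length are not given on the page, so both the key and the encoded blobs
below are constructed for illustration.
"""
from itertools import cycle
from typing import Optional

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def rotating_xor(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the cycling key; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(blob: bytes) -> bool:
    """Heuristic used to judge a candidate decryption: printable ASCII only."""
    return bool(blob) and all(b in PRINTABLE for b in blob)


def recover_key_from_crib(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Derive the key from a known plaintext prefix (crib) of at least key_len bytes.

    Because c[i] = p[i] ^ key[i % key_len], the first key_len bytes of the
    crib XORed with the first key_len bytes of ciphertext give the whole key.
    The remainder of the crib then acts as a check on the derived key.
    """
    if len(crib) < key_len or len(blob) < key_len:
        return None
    key = bytes(c ^ p for c, p in zip(blob[:key_len], crib[:key_len]))
    if rotating_xor(blob[: len(crib)], key) != crib:
        return None
    return key


def guess_key_length(blob: bytes, crib: bytes, max_len: int = 16) -> Optional[int]:
    """Try key lengths from short to long; keep the first that decodes to plausible text."""
    for key_len in range(1, max_len + 1):
        key = recover_key_from_crib(blob, crib, key_len)
        if key is not None and looks_like_text(rotating_xor(blob, key)):
            return key_len
    return None


# Constructed sample: a short key and two "obfuscated" strings built with it.
SAMPLE_KEY = b"\x5a\x13\xc7\x88\x2e"
SAMPLE_PLAINTEXTS = (b"cmdkey /generic:", b"sc.exe create")
SAMPLE_BLOBS = [rotating_xor(s, SAMPLE_KEY) for s in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    crib = b"cmdkey /generic:"
    key_len = guess_key_length(SAMPLE_BLOBS[0], crib)
    key = recover_key_from_crib(SAMPLE_BLOBS[0], crib, key_len)
    for blob in SAMPLE_BLOBS:
        print(rotating_xor(blob, key))
```

Because XOR is its own inverse, a short known plaintext (a command string that the usage guide or the debug output reveals) is enough to recover the key bytes by position; trying key lengths from short to long then picks the smallest one that yields printable output across the entire buffer, which is the usual first step before writing a full string-dumping script for the sample.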
Lateral Movement
One notable behavior of this sample is its use of multiple lateral movement methods, providing several paths for propagation across a network, depending on what is available in the target environment. All spread functions take advantage of hardcoded Base64-encoded credentials embedded within the sample, which can be customized on the panel or overridden at execution using the “--creds” parameter.
The sample implements the following spread functions:
- RDP - copies itself to each domain computer, then stores credentials via cmdkey
- SMB - copies itself to ProgramData via SMB with a local subnet fallback if AD is unavailable
- WinRM - drops and remotely executes the payload via Invoke-Command over a WinRM session
- PSExec - copies itself to each target, creates a randomly named service via sc.exe to execute the payload, then deletes the service to minimize traces
- Scheduled Task via CIM - copies itself to each target, registers a randomly named Scheduled Task running as SYSTEM via CIM session
Based on the payload usage parameters, one of the listed flags is --gpo, described as enabling GPO spread. However, closer analysis tells a different story:
In this function, the debug string suggests GPO deployment:

Figure 16. GPO deployment.
Despite the "GPO deploy.." label, analysis of the PowerShell script generated at runtime reveals no Group Policy enumeration or modification within the function. This appears to be a mislabeling by the malware author; instead, the module remotely registers Scheduled Tasks over CIM sessions.

Figure 17. Script for lateral movement
The executed script generates a random task name with a hardcoded "DM" prefix, which may reference Devman, followed by four random uppercase letters and is executed under SYSTEM at the highest privilege level. It uses New-CimSession to interact directly with WMI over WinRM. After execution, the task and CIM session are removed within 500 milliseconds, cleaning up artifacts on the target machine.
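The following detection logic, an added example rather than code from the page or from SpiderLabs, applies the artifacts described above (a task name of "DM" plus four uppercase letters running as SYSTEM, its deletion within seconds of creation, and a randomly named service installed from a binary copied to ProgramData) to normalised Windows event records. The field names, the event records and the "random-looking name" heuristic are constructed assumptions.

```python
"""Detection logic for the scheduled-task and service artifacts described above.

Added example, not code from the Vect sample or from SpiderLabs. It assumes
Windows events have already been normalised into dicts with the fields used
below (Security 4698/4699 for scheduled task creation/deletion, System 7045
for service installation); the event records and the 'random-looking'
service-name heuristic are constructed assumptions for illustration.
"""
import re
from typing import Dict, Iterable, List

# Task names in the sample: hardcoded "DM" followed by four random uppercase
# letters, registered to run as SYSTEM at the highest run level.
TASK_NAME_RE = re.compile(r"^\\?DM[A-Z]{4}$")
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}
VOWELS = set("aeiouAEIOU")

Event = Dict[str, object]


def suspicious_task(ev: Event) -> bool:
    """Event 4698 whose name matches the DM+4 pattern and that runs as SYSTEM."""
    if ev.get("EventID") != 4698:
        return False
    name = str(ev.get("TaskName", ""))
    return (TASK_NAME_RE.match(name) is not None
            and str(ev.get("RunAs", "")) in SYSTEM_ACCOUNTS)


def random_looking(name: str) -> bool:
    """Assumed heuristic: letters only, 6-16 long, with fewer than 20% vowels."""
    if not (6 <= len(name) <= 16 and name.isalpha()):
        return False
    vowels = sum(1 for c in name if c in VOWELS)
    return vowels / len(name) < 0.2


def suspicious_service(ev: Event) -> bool:
    """Event 7045 whose binary sits under ProgramData or whose name looks random."""
    if ev.get("EventID") != 7045:
        return False
    path = str(ev.get("ImagePath", "")).lower()
    return random_looking(str(ev.get("ServiceName", ""))) or "\\programdata\\" in path


def short_lived_tasks(events: Iterable[Event], window_s: float = 5.0) -> List[str]:
    """Tasks deleted (4699) within window_s of their creation (4698), matching
    the sample's immediate cleanup of the task it registered."""
    created: Dict[str, float] = {}
    hits: List[str] = []
    for ev in sorted(events, key=lambda e: float(e["Time"])):
        name = str(ev.get("TaskName", ""))
        if ev.get("EventID") == 4698:
            created[name] = float(ev["Time"])
        elif ev.get("EventID") == 4699 and name in created:
            if float(ev["Time"]) - created.pop(name) <= window_s:
                hits.append(name)
    return hits


def analyse(events: List[Event]) -> List[str]:
    """Return one alert string per matching artifact."""
    alerts = [f"task:{ev['TaskName']}" for ev in events if suspicious_task(ev)]
    alerts += [f"service:{ev['ServiceName']}" for ev in events if suspicious_service(ev)]
    alerts += [f"short-lived-task:{n}" for n in short_lived_tasks(events)]
    return alerts


# Constructed events (not real telemetry): one DM-style task created and removed
# within half a second, a benign built-in task, a benign service and a random one.
SAMPLE_EVENTS: List[Event] = [
    {"Time": 1000.0, "EventID": 4698, "TaskName": "\\DMQXPL",
     "RunAs": "NT AUTHORITY\\SYSTEM", "RunLevel": "HighestAvailable"},
    {"Time": 1000.4, "EventID": 4699, "TaskName": "\\DMQXPL"},
    {"Time": 1200.0, "EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "RunAs": "NT AUTHORITY\\SYSTEM", "RunLevel": "HighestAvailable"},
    {"Time": 1300.0, "EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"Time": 1301.0, "EventID": 7045, "ServiceName": "xkqzvtrp",
     "ImagePath": "C:\\ProgramData\\xkqzvtrp.exe"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The name pattern is the cheapest signal but also the easiest for the author to change; the creation-then-deletion correlation and the service-from-ProgramData check survive a renamed prefix, so a detection should combine them rather than rely on the "DM" string alone.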
Encryption
The ransomware encrypts files using ChaCha20 and appends the ".vect” extension to each encrypted file, then drops the following ransom note in every directory:

Figure 18. Vect ransom note.
Linux and ESXi Ransomware
The ESXi and Linux variants of the Vect ransomware payload are similar, with the ESXi variant having the additional capability to terminate running virtual machines. The usage of both variants is shown below:
| Parameter | Details | ESXi | Linux |
| --- | --- | --- | --- |
| --path | Target directory | ✓ | ✓ |
| --spread | Enable SSH lateral movement | ✓ | ✓ |
| --fast | Fast mode (Encryption) | ✓ | ✓ |
| --medium | Medium mode (Encryption) | ✓ | ✓ |
| --secure | Secure mode (Encryption) | ✓ | ✓ |
| --no-kill-vms | Don’t kill running VMs | ✓ | X |
| --verbose | Enable verbose output | ✓ | ✓ |
| --help | Show help message | ✓ | ✓ |
Both variants implement a geo-fencing check that inspects the system locale variables (LANG, LC_ALL) and the /etc/timezone configuration file and compares them against a hardcoded list of country codes and time zones associated with CIS and post-Soviet regions. If a match is found, the malware aborts execution and skips encryption.
Excluded countries include:
- Russia
- Ukraine
- Belarus
- Kazakhstan
- Kyrgyzstan
- Tajikistan
- Turkmenistan
- Uzbekistan
- Armenia
- Azerbaijan
- Georgia
- Moldova
- Serbia
Before encrypting, the malware terminates security, backup, and database processes using “pkill -9” against a hardcoded list of application names, ensuring that protected or locked files are accessible during encryption. Targeted applications include:
Security Applications
- CrowdStrike Falcon
- SentinelOne
- Cylance
- Symantec
- Bitdefender
- Kaspersky
- CarbonBlack
- ClamAV
- Wazuh
- Tripwire
- RKHunter / Chkrootkit
Backup
- Veeam
- Acronis
- Bareos
- BackupExec
Database Applications
- MariaDB / MySQL
- PostgreSQL
- MongoDB
- Redis
- Cassandra
- CouchDB
- OrientDB / ArangoDB
- CockroachDB
VM Termination
The ESXi variant executes a series of shell commands that enumerate and terminate all running virtual machines across VMware ESXi, VirtualBox, and KVM/libvirt environments. This ensures the VM disk images are unlocked and available for encryption. The commands are:
vmware-cmd vmsvc/getallvms 2>/dev/null | awk '{print $1}' | xargs -I {} vmware-cmd {} stop hard
esxcli vm process list 2>/dev/null | grep 'World ID' | awk '{print $3}' | xargs -I {} esxcli vm process kill -w {} -t force
VBoxManage list runningvms 2>/dev/null | awk '{print $2}' | xargs -I {} VBoxManage controlvm {} poweroff
virsh list --name 2>/dev/null | xargs -I {} virsh destroy {}
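The process-termination step and the VM-termination commands above both surface as execve events wherever process execution is audited. The following added example (not code from the page or from SpiderLabs) parses auditd EXECVE records, labels the VM-termination command shapes quoted above and `pkill -9` invocations against an assumed keyword list for the security, backup and database products listed earlier, and flags a burst of such commands. The audit lines are constructed; the keyword list is an assumption, since the real process names vary by product and version.

```python
"""Flag VM-termination and protected-process-kill commands in auditd EXECVE records.

Added example, not code from the Vect sample or from SpiderLabs. It assumes
execve auditing is enabled (an auditd rule of the '-a always,exit -S execve'
kind) and handles only the quoted a0="..." argument form, not auditd's
hex-encoded arguments. The audit lines and the process-name keyword list are
constructed for illustration; the command patterns follow the ESXi variant's
commands quoted above.
"""
import re
from typing import List, Optional, Tuple

EXECVE_RE = re.compile(
    r'type=EXECVE msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$')
ARG_RE = re.compile(r'\ba(?P<idx>\d+)="(?P<val>[^"]*)"')

# One label per command shape the ESXi variant runs to free VM disk images.
VM_KILL_RULES = [
    ("esxi-vm-kill", re.compile(r"^esxcli vm process kill\b")),
    ("esxi-vm-stop", re.compile(r"^vmware-cmd .*\bstop hard\b")),
    ("vbox-poweroff", re.compile(r"^VBoxManage controlvm .*\bpoweroff\b")),
    ("libvirt-destroy", re.compile(r"^virsh destroy\b")),
]
# Assumed substrings of process names for the security, backup and database
# products on the kill list (real process names differ by product/version).
PROTECTED_KEYWORDS = ("falcon", "sentinel", "clamd", "wazuh", "veeam", "acronis",
                      "mysqld", "mariadb", "postgres", "mongod", "redis", "cassandra")


def parse_execve(line: str) -> Optional[Tuple[float, int, List[str]]]:
    """Return (timestamp, serial, argv) for an EXECVE record, else None."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    args = {int(a.group("idx")): a.group("val") for a in ARG_RE.finditer(m.group("rest"))}
    argv = [args[i] for i in sorted(args)]
    return float(m.group("ts")), int(m.group("serial")), argv


def classify(argv: List[str]) -> Optional[str]:
    """Label a command line, or None if it matches nothing of interest."""
    if not argv:
        return None
    cmd = " ".join(argv)
    for label, rx in VM_KILL_RULES:
        if rx.search(cmd):
            return label
    if argv[0] in ("pkill", "killall") and "-9" in argv[1:]:
        targets = [a.lower() for a in argv[1:] if not a.startswith("-")]
        if any(k in t for t in targets for k in PROTECTED_KEYWORDS):
            return "kill-protected-process"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(serial, label, command) for each record that matches a rule."""
    hits = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        _ts, serial, argv = parsed
        label = classify(argv)
        if label:
            hits.append((serial, label, " ".join(argv)))
    return hits


def is_burst(lines: List[str], min_hits: int = 3, window_s: float = 10.0) -> bool:
    """True when min_hits matching commands fall within window_s seconds: the
    mass-termination pattern that precedes encryption."""
    times = sorted(parsed[0] for parsed in map(parse_execve, lines)
                   if parsed and classify(parsed[2]))
    return any(times[i + min_hits - 1] - times[i] <= window_s
               for i in range(len(times) - min_hits + 1))


# Constructed audit records, not captured from a real host.
SAMPLE_AUDIT = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="pkill" a1="-9" a2="veeamagent"',
    'type=EXECVE msg=audit(1700000000.105:202): argc=3 a0="pkill" a1="-9" a2="clamd"',
    'type=EXECVE msg=audit(1700000000.110:203): argc=3 a0="pkill" a1="-9" a2="mysqld"',
    'type=EXECVE msg=audit(1700000000.900:204): argc=8 a0="esxcli" a1="vm" a2="process" '
    'a3="kill" a4="-w" a5="12345" a6="-t" a7="force"',
    'type=EXECVE msg=audit(1700000003.000:205): argc=3 a0="virsh" a1="destroy" a2="web01"',
    'type=EXECVE msg=audit(1700000050.000:206): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1700000060.000:207): argc=3 a0="pkill" a1="-HUP" a2="nginx"',
    'type=SYSCALL msg=audit(1700000060.000:207): arch=c000003e syscall=59 success=yes',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_AUDIT):
        print(hit)
    print("burst:", is_burst(SAMPLE_AUDIT))
```

On ESXi itself, where auditd is not available, the same `classify()` can be applied to the command lines the host records in /var/log/shell.log; the burst check matters more than any single rule, because an administrator may legitimately stop one VM or restart one database, but not a dozen in the same few seconds.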
Encryption
Both the ESXi and Linux variants claim to support multiple modes of intermittent encryption, allowing the threat actor to trade encryption coverage for speed depending on the target environment:
- Fast mode (--fast): encrypts only the first 1MB of each file, maximizing speed
- Medium mode (--medium): encrypts 4 parts of 64MB each per file
- Secure mode (--secure): encrypts 100% of each file (default)
Files are encrypted using ChaCha20, appended with the .vect extension, and a ransom note is dropped in every directory.
Figure 19. Vect ransom note.
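Because the fast and medium modes leave most of each file in cleartext, a defender triaging a hit should not rely on the .vect extension alone; profiling entropy per chunk shows which regions were actually overwritten and which mode was used. The added example below (not code from the page or from SpiderLabs) does that on constructed data, using 64 KiB chunks in place of the 1MB head block so the demonstration runs quickly; seeded pseudo-random bytes stand in for ChaCha20 output.

```python
"""Chunk-entropy profiling to recognise intermittently encrypted files.

Added example, not code from the Vect sample or from SpiderLabs. The chunk
size here is 64 KiB rather than the 1MB the fast mode uses, so the demo runs
quickly; the sample files are constructed from seeded pseudo-random bytes
(standing in for ChaCha20 output) and repeated plaintext.
"""
import math
import random
from collections import Counter
from typing import List, Tuple

CHUNK = 64 * 1024
THRESHOLD = 7.5  # bits per byte; cipher output sits close to 8.0, text far below


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> List[float]:
    """Entropy of each consecutive chunk of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def encrypted_regions(data: bytes, chunk: int = CHUNK,
                      threshold: float = THRESHOLD) -> List[Tuple[int, int]]:
    """Merged [start, end) byte ranges whose chunks exceed the entropy threshold."""
    regions: List[Tuple[int, int]] = []
    for i, e in enumerate(entropy_profile(data, chunk)):
        if e < threshold:
            continue
        start, end = i * chunk, min((i + 1) * chunk, len(data))
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((start, end))
    return regions


def classify(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> str:
    """Map the region layout onto the encryption modes described above."""
    regions = encrypted_regions(data, chunk, threshold)
    if not regions:
        return "clean"
    if regions == [(0, len(data))]:
        return "fully encrypted"                    # --secure: 100% of the file
    if len(regions) == 1 and regions[0][0] == 0:
        return "partially encrypted (head only)"    # --fast: only the leading block
    return "partially encrypted (interleaved)"      # --medium: several blocks


def build_sample(pattern: str, chunk: int = CHUNK) -> bytes:
    """Constructed file: 'E' = encrypted-looking chunk, 'P' = plaintext chunk."""
    rng = random.Random(1)
    sentence = b"The quick brown fox jumps over the lazy dog. "
    text = (sentence * (chunk // len(sentence) + 1))[:chunk]
    return b"".join(rng.randbytes(chunk) if c == "E" else text for c in pattern)


if __name__ == "__main__":
    for pattern in ("PPPPPPPP", "EEEEEEEE", "EEPPPPPP", "EPPEPPEP"):
        print(pattern, classify(build_sample(pattern)))
```

The region list is also what makes recovery planning honest: a file classified as "head only" has lost its header and the first block, which for many formats (databases, archives, VM disks) is enough to make it unusable even though most bytes are intact, so restoring from backup remains the answer rather than carving the cleartext tail.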
Conclusion
Vect represents a notable emerging threat in the ransomware landscape, distinguished not only by its multi-platform support but also by the strategic partnerships it has formed with Breach Forums and TeamPCP, allowing it to rapidly expand its affiliate base and operational reach.
The presence of Devman strings within the payload, combined with ransom note similarities, the hardcoded "DM" prefix, and the timing of Devman's exit, suggest a possible connection between the two groups. While the exact nature of this relationship remains unclear, these indicators warrant further investigation.
Indicators of Compromise
| SHA1 | Description |
| --- | --- |
| e27f4feffc1ba6bf4e35aec4a5270fccb636e5cf | Windows Variant |
| f4b904fb6ba8474cb87f26302b74c4b82c106003 | Windows Variant |
| 9e18315690f148e1aa39facc39de913266bdcc13 | Windows Variant |
| f5287a33a806b8de0d62ac24edead4dcb9f60c2a | Windows Variant |
| 69aa94434f545b41198b7d21f9acc71457584e62 | ESXi Variant |
| 488ed9ff65652a738042d93678591a579714a791 | Linux Variant |