
Don't pay Vect a ransom - your data's likely already wiped out

Organizations hit by the wave of Trivy and LiteLLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research.

Vect's leak site lists 25 organizations since January, and four since March, which is when the extortions from the supply chain attacks began. It's unclear, however, how many - if any - of the listed orgs are tied to Trivy and LiteLLM-related compromises.

"On April 15, the group claimed two larger victims, Guesty (700GB) and S&P Global (250GB), allegedly tied to earlier TeamPCP compromises," Eli Smadja, group manager at Check Point Research, told The Register. "However, these claims cannot be independently verified, and there is no confirmed visibility into how many of these cases resulted in successful ransom payments versus data being leaked without payment."

Neither Guesty nor S&P Global responded to The Register's inquiries.

Vect is one of the crime crews partnering with TeamPCP to leak data and extort victims of the ongoing attacks that infected Trivy, LiteLLM, Checkmarx, and Telnyx.

After initially compromising the security and developer tools, infecting them with self-propagating credential-stealing malware, TeamPCP and Vect announced their new partnership on BreachForums, bragging: "we will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns."

Vect also announced a partnership with the data leak site itself, and said that every registered BreachForums user can use Vect's ransomware, negotiation platform, and website.

So Check Point researchers opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware. They quickly determined that the ransomware-as-a-service group also isn't very good at writing code - "not technically sophisticated" and "amateur execution" are how Check Point's research team describes the crims - and they appear to have accidentally written a data wiper.

Instead of encrypting large files, which is what ransomware is supposed to do, Vect 2.0 ransomware permanently destroys any files larger than 131,072 bytes (128 KB).

"Full recovery is impossible for anyone, including the attacker," the security analysts wrote. "At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions."

The ransomware, as advertised, includes Windows, Linux, and ESXi variants. All share the same encryption design built on libsodium, the same file-size thresholds, the same four-chunk logic, and the same flaw: The encryption implementation discards three of four decryption nonces for every file larger than 128 KB.
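The nonce-handling flaw described above, as an added example that is neither VECT's code nor Check Point's analysis: a four-chunk, nonce-per-chunk layout sealed with Go's standard AES-256-GCM (a stand-in for the libsodium primitive the article names), showing that once three of the four nonces are discarded, only one chunk of a file over 128 KB still authenticates, no matter who holds the key. The equal-size split and the 32-byte key are assumptions; the article states only the chunk count and the threshold.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
const numChunks, threshold = 4, 131072 // from the article: four chunks, 128 KB cutoff

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// encryptChunks seals data as four chunks under four fresh nonces; recovery needs all four.
func encryptChunks(aead cipher.AEAD, data []byte) (chunks, nonces [][]byte) {
	size := len(data) / numChunks
	for i := 0; i < numChunks; i++ {
		start, end := i*size, (i+1)*size
		if i == numChunks-1 {
			end = len(data) // last chunk takes the remainder
		}
		nonce := make([]byte, aead.NonceSize())
		must(rand.Read(nonce))
		chunks = append(chunks, aead.Seal(nil, nonce, data[start:end], nil))
		nonces = append(nonces, nonce)
	}
	return chunks, nonces
}
// recoverChunks opens each chunk under the nonce given for it; a wrong nonce fails the tag check.
func recoverChunks(aead cipher.AEAD, chunks, nonces [][]byte) (plain []byte, ok int) {
	for i, c := range chunks {
		if p, err := aead.Open(nil, nonces[i], c, nil); err == nil {
			plain = append(plain, p...)
			ok++
		}
	}
	return plain, ok
}
// simulateVect encrypts a constructed file one byte over the threshold and compares
// recovery with only the first nonce kept (the VECT flaw) against all four nonces.
func simulateVect() (withOneNonce, withAllNonces int) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(make([]byte, 32))))) // constructed all-zero key
	data := make([]byte, threshold+1)                                   // constructed sample file
	chunks, nonces := encryptChunks(aead, data)
	onlyFirst := [][]byte{nonces[0], nonces[0], nonces[0], nonces[0]}
	_, withOneNonce = recoverChunks(aead, chunks, onlyFirst)
	_, withAllNonces = recoverChunks(aead, chunks, nonces)
	return withOneNonce, withAllNonces
}
```

With all four nonces every chunk opens; with only the first, GCM rejects the other three rather than returning plaintext, which is why paying cannot bring the data back.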

In addition to the nonce-handling flaw, the malware analysts say they spotted "multiple" other bugs and design failures across all ransomware variants, suggesting that even criminals can't vibe code their way to a successful operation. As the researchers note: "The authors know what features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all." ®

Source: The Register
