Security researchers have discovered a new ransomware-as-a-service (RaaS) group which has already victimized organizations in Brazil and South Africa.
Dubbed “Vect,” the group is currently onboarding affiliates after launching a recruitment program in December 2025, according to ransomware specialist Halcyon.
The group has claimed that its malware was built using C++ rather than repurposing leaked source code from the likes of Lockbit 3.0 or Conti, as is more common.
It uses the ChaCha20-Poly1305 AEAD cipher, which is said to be two-and-a-half times faster than AES-256-GCM on systems without hardware acceleration, and applies it with intermittent encryption, in which only some blocks of each file are encrypted so that the process completes faster.
“Despite its short lifespan, the group shows unusual maturity, advertising cross-platform ransomware targeting Windows, Linux and VMware ESXi, Safe Mode execution to suppress security tools, and fast intermittent encryption designed for speed and disruption,” Halcyon claimed.
“Vect appears to be in an early validation phase, with two claimed victims in Brazil and South Africa, and is likely testing capabilities ahead of broader expansion.”
The affiliate revenue-sharing model is apparently a “generous” one, with a $250 entry fee waived for applicants inside the Commonwealth of Independent States (CIS) – hinting at the group’s location.
The maturity of the operation signals that it’s being run by some experienced RaaS players, claimed a separate analysis by Red Piranha.
“The group's operational security is notable, utilising Monero for payments to maintain financial anonymity, TOX protocol for encrypted peer-to-peer affiliate communications, and exclusively TOR hidden services for infrastructure with no clearnet presence,” Red Piranha explained in a research note.
“This combination of custom-built malware, modern encryption, multi-platform capabilities, and strong OPSEC measures suggests Vect is operated by experienced threat actors who may represent a rebrand or new venture by established ransomware affiliates.”
The vendor added that initial access is likely achieved via exposed RDP/VPN, stolen credentials, phishing or vulnerability exploitation.
Vect operates a classic double extortion model, with both of its victims to date apparently being listed on its public-facing leak site.
Mitigations to Consider
Halcyon recommended network defenders observe the following to reduce the risk posed by Vect:
- Harden edge appliances against initial access: This should include Fortinet accounts and management interfaces, as Vect has been requesting compromised Fortinet accounts on a Russian-speaking forum. Apply updates promptly, restrict admin exposure, and enforce strong authentication for all remote and privileged access.
- Contain the threat across Windows, Linux and VMware ESXi: Segment management networks, restrict access to hypervisor management planes, and limit lateral movement paths through administrative protocols and file shares.
- Focus detection on Safe Mode and intermittent encryption: Increase monitoring for suspicious Safe Mode boots, and for rapid, selective file encryption patterns indicating intermittent encryption. Centralize and review relevant logs and telemetry for speedy scoping and containment.
- Deploy anti-ransomware controls: Use a solution that blocks execution of malicious binaries before they run, detects and prevents ransomware runtime behavior and data exfiltration attempts, and blocks tampering and network intrusion.
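The intermittent-encryption pattern that the detection advice above asks defenders to watch for can be triaged from file contents. The following is an added example, not Halcyon's, Red Piranha's or the ransomware's own code: it scores each fixed-size block of a file by Shannon entropy and flags alternating encrypted-looking and plaintext-looking runs. The block size, the entropy thresholds and the sample files are assumptions constructed here, not Vect's real stripe parameters.

```python
"""Entropy-based triage for intermittent (striped) file encryption.
Added example, not Halcyon's or Red Piranha's code; block size and
thresholds are assumptions, not Vect's real stripe parameters."""
import math
import random
from collections import Counter

BLOCK = 4096   # assumed block size; tune to the stripe seen in samples
HIGH = 7.5     # bits/byte at or above which a block looks encrypted
LOW = 6.0      # bits/byte at or below which a block looks like plain data

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def block_states(data: bytes, block: int = BLOCK) -> str:
    """One letter per block: H (high entropy), L (low), M (in between)."""
    out = []
    for i in range(0, len(data), block):
        e = shannon_entropy(data[i:i + block])
        out.append("H" if e >= HIGH else "L" if e <= LOW else "M")
    return "".join(out)

def classify(data: bytes) -> str:
    """plaintext | fully_encrypted | partial | intermittent | unknown.
    Alternating H/L runs are the trace of block-wise (intermittent)
    encryption; a single H/L boundary suggests head/tail-only encryption."""
    hl = [c for c in block_states(data) if c != "M"]  # drop ambiguous blocks
    if not hl:
        return "unknown"
    transitions = sum(1 for a, b in zip(hl, hl[1:]) if a != b)
    if transitions == 0:
        return "fully_encrypted" if hl[0] == "H" else "plaintext"
    return "partial" if transitions == 1 else "intermittent"

# Constructed samples: seeded pseudo-random bytes stand in for ciphertext.
_rng = random.Random(1337)
_TEXT_BLOCK = (b"Quarterly report: revenue, costs, headcount.\n" * 100)[:BLOCK]
PLAINTEXT_SAMPLE = _TEXT_BLOCK * 12
FULL_SAMPLE = b"".join(_rng.randbytes(BLOCK) for _ in range(12))
# One encrypted block, then three untouched blocks, repeated: a stripe.
INTERMITTENT_SAMPLE = (_rng.randbytes(BLOCK) + _TEXT_BLOCK * 3) * 3

if __name__ == "__main__":
    for name, sample in (("plain", PLAINTEXT_SAMPLE), ("full", FULL_SAMPLE),
                         ("striped", INTERMITTENT_SAMPLE)):
        print(f"{name:8} {block_states(sample)} -> {classify(sample)}")
```

Compressed, archived and media files score high in every block, so "fully_encrypted" is a triage signal to combine with write-rate and extension-change telemetry rather than proof on its own.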
