Full Report
'Full recovery is impossible for anyone, including the attacker' Organizations hit by the wave of Trivy and LiteLLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research.…
Analysis Summary
# Incident Report: Vect Supply-Chain Follow-on Extortion & Data Destruction
## Executive Summary
A wave of supply-chain compromises targeting developer tools (Trivy, LiteLLM) led to follow-on extortion campaigns by the threat group "Vect" in partnership with "TeamPCP." Research reveals that the Vect 2.0 ransomware is functionally a **data wiper** due to amateur coding flaws; any file larger than 128 KB is permanently corrupted, making data recovery impossible even if a ransom is paid.
## Incident Details
- **Discovery Date:** April 2026 (Detailed analysis by Check Point Research)
- **Incident Date:** January 2026 – Ongoing (Supply chain compromises accelerated in March 2026)
- **Affected Organizations:** Multiple, including claims of S&P Global and Guesty (unverified)
- **Sector:** Technology, Finance, Hospitality, and Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** January 2026 (Initial sightings); March 2026 (Escalation)
- **Vector:** Supply-chain compromise of security and developer tools.
- **Details:** TeamPCP infected tools such as Trivy and LiteLLM with self-propagating credential-stealing malware.
### Lateral Movement
- **Details:** Attackers utilized stolen credentials from developer environments to move into production environments and deploy Vect ransomware variants.
### Data Exfiltration/Impact
- **Details:** Data was allegedly exfiltrated for extortion. Post-exfiltration, the Vect ransomware was deployed, resulting in the permanent destruction of files >128 KB across Windows, Linux, and ESXi systems.
### Detection & Response
- **Detection:** Check Point Research accessed the Vect RaaS panel on BreachForums to analyze the builder.
- **Response Actions:** Public disclosure of the "wiper" nature of the malware to prevent victims from making useless ransom payments.
## Attack Methodology
- **Initial Access:** Supply-chain compromise of developer/security tools (Trivy, LiteLLM).
- **Persistence:** Not specified, but likely via credential reuse or backdoored tools.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Use of legitimate security tools (Trivy) as a trojan horse.
- **Credential Access:** Self-propagating credential-stealing malware.
- **Discovery:** Scanning for VM disks, databases, and enterprise assets.
- **Lateral Movement:** Credential-based movement following initial tool infection.
- **Collection:** Automated gathering of enterprise assets (documents, backups).
- **Exfiltration:** Data uploaded to Vect's leak site/infrastructure.
- **Impact:** **Wiping/Data Destruction.** Due to a logic error in handling libsodium decryption nonces, three of four nonces are discarded for files >128 KB; without those nonces the affected ciphertext cannot be decrypted by anyone, the attacker included, so the files are unrecoverable.
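The nonce-handling failure described above, as an added illustrative model that is not Vect's code and not part of Check Point's analysis: a toy per-region cipher (a SHA-256 counter keystream standing in for libsodium, insecure by design) in which files over 128 KB are encrypted under four nonces and the flawed key record keeps only the first, so the remaining regions cannot be decrypted by anyone. The 128 KB threshold, the four equal regions and the way the nonces are dropped are assumptions made for the model.

```python
import hashlib
import secrets
# Constructed toy model of a per-region nonce file cipher, not Vect's code; the SHA-256
# counter keystream stands in for libsodium's primitives (insecure, illustration only).
# Assumed: files up to SMALL_LIMIT use one nonce, larger files get REGIONS nonces.
SMALL_LIMIT = 128 * 1024
REGIONS = 4
NONCE_LEN = 24

def _keystream(key, nonce, length):
    out, ctr = bytearray(), 0
    while len(out) < length:  # keystream depends on the nonce; no nonce, no keystream
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])

def _xor(a, b):
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def _regions(data):
    n = 1 if len(data) <= SMALL_LIMIT else REGIONS
    size = max(1, -(-len(data) // n))  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]

def encrypt(data, key):
    """Encrypt each region under a fresh random nonce; returns (ciphertext, nonces)."""
    chunks = _regions(data)
    nonces = [secrets.token_bytes(NONCE_LEN) for _ in chunks]
    ct = b"".join(_xor(c, _keystream(key, n, len(c))) for c, n in zip(chunks, nonces))
    return ct, nonces

def flawed_nonce_record(nonces):
    return nonces[:1]  # models the logic error: only the first nonce is kept

def decrypt(ct, key, nonces):
    """Decrypt what the recorded nonces allow; returns (plaintext_prefix, bytes_lost)."""
    out, lost = bytearray(), 0
    for i, c in enumerate(_regions(ct)):  # ciphertext and plaintext have equal length
        if i < len(nonces):
            out += _xor(c, _keystream(key, nonces[i], len(c)))
        else:
            lost += len(c)  # nonce gone: nobody, attacker included, can rebuild the keystream
    return bytes(out), lost

def recovery_outcome(size, key=b"k" * 32):
    """Round-trip `size` random bytes through the flawed flow: (fully_recovered, bytes_lost)."""
    data = secrets.token_bytes(size)
    ct, nonces = encrypt(data, key)
    pt, lost = decrypt(ct, key, flawed_nonce_record(nonces))
    return pt == data[:len(pt)] and lost == 0, lost
```

In this model a file exactly 128 KB round-trips intact, while a file one byte larger loses three of its four regions even when the key and the first nonce are handed over.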
## Impact Assessment
- **Financial:** Potentially high losses for those who paid ransoms for unrecoverable data.
- **Data Breach:** Claims of 700 GB from Guesty and 250 GB from S&P Global (unverified).
- **Operational:** Severe disruption; destruction of VM disks and backups prevents standard disaster recovery.
- **Reputational:** High for compromised software providers (Trivy/LiteLLM).
## Indicators of Compromise
- **Network:** External communication with BreachForums and Vect extortion panels.
- **File:** Vect 2.0 Ransomware (Variants for Windows, Linux, ESXi).
- **Behavioral:** Encryption of files with a logic flaw that discards nonces; files over 128 KB are the ones left irrecoverably corrupted.
## Response Actions
- **Containment:** Organizations should isolate systems running compromised versions of Trivy or LiteLLM.
- **Eradication:** Removal of backdoored developer tools and full credential resets.
- **Recovery:** Traditional restoration from **offline/immutable** backups (since online backups may have been wiped by the Vect malware).
## Lessons Learned
- **Amateur Threats are Dangerous:** "Low-sophistication" actors can be more damaging than pro-tier actors because their "ransomware" may accidentally function as a wiper.
- **Supply Chain Fragility:** Security tools themselves (Trivy) are high-value targets that can bypass traditional defenses.
- **Ransom Inefficacy:** Paying the ransom in this instance provides a 0% chance of recovery for files over 128 KB.
## Recommendations
- **Verify Tool Integrity:** Use checksums and signed binaries for all DevSecOps tools.
- **Zero-Trust for Tools:** Limit the permissions and network access of security scanners and automated developer tools.
- **Immutable Backups:** Maintain offline or immutable backups to recover from wiper attacks where decryption is impossible.
- **Do Not Pay:** In the case of Vect ransomware, payment is futile.