
New ransomware threatening Brazilian companies detected
TL;DR
The ransomware operation identified as Vect was detected in early January 2026, with Brazilian and South African organizations among the first victims. The attacks focus on sectors such as education and manufacturing, resulting in the theft of up to 150 gigabytes of data.
Franchise model of cybercrime
Vect operates under the Ransomware-as-a-Service (RaaS) model: the developers supply the malware and the necessary infrastructure, while affiliates carry out the attacks. Profits are shared among those involved.
To become affiliates, criminals must pay a fee of US$ 250 in Monero, a cryptocurrency that makes financial tracking difficult, unlike Bitcoin. A cyber threat analyst emphasizes that "the exclusive use of Monero demonstrates a deep understanding of operational security."
Cutting-edge technology at the service of crime
Vect stands out for its use of the ChaCha20-Poly1305 encryption algorithm, a cipher known for its speed on any hardware, even simpler equipment. This lets the ransomware encrypt files quickly, shortening the window in which security teams can detect and stop it.
Attack on multiple platforms
Unlike many ransomware families that target Windows exclusively, Vect can also attack Linux systems and VMware ESXi. The latter is a virtualization platform that runs multiple virtual machines on a single physical server, maximizing resource use.
The anatomy of a Vect attack
Attackers typically gain initial access through poorly secured RDP (Remote Desktop Protocol) or VPN (Virtual Private Network) connections. Phishing, using fraudulent emails, is also a common entry point.
Once inside, it is crucial for the attackers to obtain administrator permissions, often through techniques like credential dumping. Vect then conducts a full reconnaissance of the network to identify vulnerable targets.
The ransom that does not end with payment
The ransomware not only encrypts files but also steals sensitive data, characterizing a double extortion model. Even if the victim manages to recover the files, the criminals may threaten to disclose sensitive information.
Silent mode trick
A sophisticated technique of Vect is forcing computers to restart in Safe Mode, where most third-party services, including many security products, do not start. This lets the malware operate with little interference from security software.
Destroying All Emergency Exits
Before encryption, Vect shuts down processes that could hinder its progress, such as databases and backup software. It also runs destructive commands to delete the system's backup copies, removing the victim's easiest path to recovery.
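The Safe Mode restart and the destruction of backups described in the two sections above are behaviours a defender can look for in process-creation telemetry before encryption begins. The following is an added example, not code from the article or from any vendor: it runs a few constructed Sysmon-style process events through three detection rules and flags a host only when more than one distinct pre-encryption behaviour is seen, since a single boot-configuration or backup-admin command is a common false positive. Rule patterns, service names and the event fields are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv-db01", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "srv-db01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "srv-db01", "user": "CORP\\svc_backup",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "ws-042", "user": "CORP\\alice",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws-042", "user": "CORP\\alice",
     "cmdline": "bcdedit /enum"},   # benign read-only query, must not match
]

# Each rule maps one behaviour from the article to a command-line pattern (assumed, illustrative).
RULES = [
    ("safe_mode_boot_change", re.compile(r"bcdedit.*safeboot", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin.*delete.*shadows", re.I)),
    ("backup_or_db_service_stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+.*(sql|oracle|backup)", re.I)),
]


def match_rules(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def correlate(events, threshold=2):
    """Group rule hits per host and return hosts with at least `threshold` distinct
    behaviours, each mapped to the sorted list of rules that fired."""
    hits_by_host = {}
    for ev in events:
        for rule in match_rules(ev):
            hits_by_host.setdefault(ev["host"], set()).add(rule)
    return {h: sorted(r) for h, r in hits_by_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: pre-encryption behaviours {rules}")
```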
Invisible infrastructure
The operation of Vect takes place through the Tor network, which anonymizes connections, and the criminals use portals for recruiting affiliates and negotiations. This makes them difficult to track.
Who is behind Vect?
The creators of Vect developed the malware in C++, indicating an elaborate project rather than a mere reuse of code from other attacks. The structure of the affiliate program shows a professional level of management and support for the attackers.
Brazil and South Africa are the first victims
Organizations in the education and manufacturing sectors in Brazil and South Africa were the first to face the consequences of these attacks. The implications include not only operational disruptions but also possible legal consequences and damage to reputation.
The international nature and complexity of the operations complicate investigations by authorities.
Content selected and edited with AI assistance. Original sources referenced above.


