Merge pull request #2179 from HackTricks-wiki/update_VECT__Ransomware_by_design__Wiper_by_accident_20260428_193227

carlospolop · web-flow · commit 30a82817c36c · 2026-05-03T16:55:20.000+02:00
VECT Ransomware by design, Wiper by accident
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@@ -609,6 +609,20 @@ struct Header {
 - Once verified, the bot sends a `MsgType=0` body carrying the operator-defined **group string** (e.g. `android-postboot-rt`). If the group is enabled, the C2 responds with `MsgType=2 (confirm)`, after which tasking (MsgType 5–12) begins.
 - Supported verbs include SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, file read/write, and **Mirai-compatible DDoSBody** payloads (same `AtkType`, `Duration`, `Targets[]`, `Flags[]` layout).
 
+## Partial-encryption ransomware: lost stream-cipher nonces
+
+Some ransomware families partially encrypt files for speed, but when they use a **stream cipher** independently on multiple chunks, **every encrypted region needs its own persisted nonce/IV**. If the sample generates a fresh nonce per chunk and overwrites the same 12-byte buffer inside the loop, then appends only the final value to disk, the previous chunks become **cryptographically unrecoverable** even if the attacker later shares the key.
+
+Typical broken pattern:
+
+```c
+for (i = 0; i < 4; i++) {
+    randombytes_buf(nonce, 12);                // same buffer reused each round
+    crypto_stream_chacha20_ietf_xor(chunk, chunk, len, nonce, key);
+}
+write(fd, nonce, 12);                          // only the last nonce survives
+```
+
 ## References
 
 - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
@@ -628,5 +642,8 @@ struct Header {
 - Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)
 - [Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/)
 - [Nodejs-Tracer – GitHub](https://github.com/CheckPointSW/Nodejs-Tracer)
+- [Check Point Research – VECT: Ransomware by design, Wiper by accident](https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/)
+- [Libsodium documentation – ChaCha20 stream cipher APIs](https://doc.libsodium.org/advanced/stream_ciphers/chacha20)
+- [RFC 8439 – ChaCha20 and Poly1305 for IETF Protocols](https://www.rfc-editor.org/rfc/rfc8439)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
