
Commit 3756701

author
HackTricks News Bot
committed
Add content from: VECT: Ransomware by design, Wiper by accident
1 parent e554124 commit 3756701

1 file changed

Lines changed: 32 additions & 1 deletion

File tree

src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md

@@ -609,6 +609,34 @@ struct Header {
609609
- Once verified, the bot sends a `MsgType=0` body carrying the operator-defined **group string** (e.g. `android-postboot-rt`). If the group is enabled, the C2 responds with `MsgType=2 (confirm)`, after which tasking (MsgType 5–12) begins.
610610
- Supported verbs include SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, file read/write, and **Mirai-compatible DDoSBody** payloads (same `AtkType`, `Duration`, `Targets[]`, `Flags[]` layout).
611611

612+
## Partial-encryption ransomware: lost stream-cipher nonces
613+
614+
Some ransomware families partially encrypt files for speed, but when they use a **stream cipher** independently on multiple chunks, **every encrypted region needs its own persisted nonce/IV**. If the sample generates a fresh nonce per chunk and overwrites the same 12-byte buffer inside the loop, then appends only the final value to disk, the previous chunks become **cryptographically unrecoverable** even if the attacker later shares the key.
615+
616+
Typical broken pattern:
617+
618+
```c
619+
for (i = 0; i < 4; i++) {
620+
randombytes_buf(nonce, 12); // same buffer reused each round
621+
crypto_stream_chacha20_ietf_xor(chunk, chunk, len, nonce, key);
622+
}
623+
write(fd, nonce, 12); // only the last nonce survives
624+
```
625+
626+
Practical triage points:
627+
- **Confirm the real primitive** instead of trusting actor claims or third-party reporting. If the binary calls `crypto_stream_chacha20_ietf_xor`, this is raw **ChaCha20-IETF** stream encryption, not AEAD.
628+
- **Check the file format**. ChaCha20-Poly1305 adds a 16-byte tag, while raw `crypto_stream_*_xor` output is only `ciphertext XOR keystream` plus whatever metadata the malware stores itself. A file ending in a single 12-byte trailer and no authentication tag is a strong sign that only one nonce was persisted.
629+
- **Map chunk offsets and sizes** from code, not CLI text. Many lockers parse `--fast` / `--secure` style options that never influence the encryption path. Verify the variables are actually read after parsing.
630+
- **Separate recoverable from destroyed regions**. Bytes outside the encrypted chunks remain plaintext; only the chunks whose exact `(key, nonce)` pair is known are decryptable. This matters for salvage, carving, and ransom-payment decisions.
631+
- **Treat CSPRNG-generated missing nonces as lost**, not derivable. If earlier nonces come from `randombytes()`, `RtlGenRandom`, `getrandom()`, or `/dev/urandom` and are not written anywhere else, they cannot be reconstructed by reversing.
632+
633+
Quick analyst workflow:
634+
1. Identify the stream/AEAD API in the binary (`crypto_stream_chacha20_ietf_xor` vs `crypto_aead_*`).
635+
2. Reconstruct the on-disk layout from code and from an encrypted sample.
636+
3. Count how many times the per-file loop generates a nonce and how many nonces are stored.
637+
4. Compare claimed operator modes with the real code paths and constants.
638+
5. Report the exact file-size threshold and which regions are permanently lost.
639+
612640
## References
613641
614642
- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
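Review bot: workflow step 5 asks the analyst to report "the exact file-size threshold", but nothing earlier in this new section introduces a threshold; the opening paragraph should state that partial encryption is usually gated on file size (files above the threshold get chunked, smaller ones are typically encrypted whole) so step 5 has something to refer back to. In the "Typical broken pattern" snippet, declaring the buffer (`unsigned char nonce[crypto_stream_chacha20_ietf_NONCEBYTES];`) and adding one line saying what the correct design looks like (persist every nonce, or derive each chunk's nonce from one stored base value plus the chunk index) would make the contrast explicit: a single persisted trailer is fine in the derived design and fatal in the one shown. Finally, the bullet on `crypto_stream_chacha20_ietf_xor` could note that the counter starts at 0 for every call, which is why reusing the same `(key, nonce)` across chunks would also be a problem and why the loop must vary the nonce at all.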
@@ -628,5 +656,8 @@ struct Header {
628656
- Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)
629657
- [Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/)
630658
- [Nodejs-Tracer – GitHub](https://github.com/CheckPointSW/Nodejs-Tracer)
659+
- [Check Point Research – VECT: Ransomware by design, Wiper by accident](https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/)
660+
- [Libsodium documentation – ChaCha20 stream cipher APIs](https://doc.libsodium.org/advanced/stream_ciphers/chacha20)
661+
- [RFC 8439 – ChaCha20 and Poly1305 for IETF Protocols](https://www.rfc-editor.org/rfc/rfc8439)
631662
632-
{{#include ../../banners/hacktricks-training.md}}
663+
{{#include ../../banners/hacktricks-training.md}}
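Review bot: the last `-`/`+` pair in this hunk removes a blank line and re-adds the unchanged `{{#include ../../banners/hacktricks-training.md}}` line, which is a whitespace-only change to a file trailer that this commit does not otherwise touch; prefer leaving the banner include and its surrounding blank lines as they were so the diff stays limited to the new section and its references. The three new references are fine, but for consistency with the neighbouring entries the libsodium and RFC 8439 items should keep the same `Source – Title` format already used above.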
