New ‘Vect’ Ransomware Emerges, Hits Education and Manufacturing Networks Across Two Continents

Vect Ransomware

Date Observed: January 2026
Threat Type: Ransomware-as-a-Service (RaaS)
Targeted Sectors: Education, Manufacturing
Affected Regions: Brazil, South Africa
Threat Status: Active, expanding


Executive Summary

In January 2026, a new ransomware operation calling itself Vect began actively compromising organizations in the education and manufacturing sectors. The operation is structured as Ransomware-as-a-Service, meaning the core developers maintain the ransomware and infrastructure while affiliates carry out intrusions.

Initial incidents show full network compromise, data encryption, and evidence of pre-encryption reconnaissance and credential abuse. Victims experienced operational outages, loss of access to academic or production systems, and credible risk of data exposure.

Vect did not behave like a test campaign. The attacks were coordinated, destructive, and consistent with experienced operators launching a rebranded or rebuilt ransomware platform.


What Was Impacted

Education Sector

  • Student information systems
  • Learning management platforms
  • File servers containing academic records
  • Identity infrastructure (Active Directory)
  • Backup servers connected to the domain

Impact:

  • Class cancellations
  • Loss of access to grading and enrollment systems
  • Administrative shutdowns lasting multiple days

Manufacturing Sector

  • Production scheduling systems
  • Engineering file shares
  • ERP systems
  • Windows-based HMIs and operator stations

Impact:

  • Production stoppages
  • Missed shipments
  • Forced shutdown of plant networks to contain spread

How the Attack Happened

1. Initial Access

Vect affiliates gained initial access using exposed remote services, primarily:

  • Compromised VPN credentials (no MFA)
  • Exposed RDP services
  • Reused credentials from prior data breaches

There is no evidence so far of a zero-day exploit. Access relied on poor authentication hygiene rather than software vulnerabilities.

In at least one education-sector case, access occurred outside normal working hours using a legitimate domain account, indicating credential theft rather than brute force.


2. Establishing Persistence

Once inside the network, attackers:

  • Created new local admin accounts
  • Added existing user accounts to privileged groups
  • Installed scheduled tasks disguised as system updates
  • Dropped lightweight loaders in ProgramData and AppData

Persistence was intentionally low-noise to avoid antivirus alerts.


3. Internal Reconnaissance

Attackers performed extensive discovery before deploying ransomware:

Commands observed:

  • whoami /all
  • net group "Domain Admins" /domain
  • nltest /dclist
  • net share
  • quser
  • tasklist

Tools:

  • Built-in Windows utilities
  • No heavy red-team frameworks observed at this stage

The goal was clearly to identify:

  • Domain controllers
  • Backup systems
  • High-value file servers

4. Lateral Movement

Vect affiliates moved laterally using:

  • SMB with stolen credentials
  • Remote Service creation
  • PsExec-style remote execution achieved with native Windows methods rather than a bundled PsExec binary

In multiple environments, the same credentials were valid across dozens of machines, allowing rapid spread.


5. Defense Evasion

Before encryption, attackers attempted to weaken security controls:

  • Disabled Windows Defender real-time protection via PowerShell (Set-MpPreference)
  • Stopped endpoint security services
  • Modified registry keys related to real-time protection
  • Deleted shadow copies using: vssadmin delete shadows /all /quiet

Backup systems connected to the domain were targeted early.


Payloads and Malware Components

Initial Loader

  • Small executable (under 300 KB)
  • Written to disk, not fileless
  • Executed under legitimate system-looking names

Common filenames observed:

  • winupdate.exe
  • svchost32.exe
  • systemcheck.exe

Ransomware Payload – Vect Encryptor

The final payload is a custom Windows encryptor with the following traits:

  • Encrypts local drives and mapped network drives
  • Skips certain system directories to maintain OS stability
  • Uses strong asymmetric encryption
  • Appends a Vect-specific extension to files
  • Drops a ransom note in every directory

Ransom notes are short, direct, and business-focused.


Ransom Note Behavior

The ransom note typically includes:

  • Confirmation that files are encrypted
  • Warning against recovery attempts
  • Instructions to contact attackers via Tor-based portal
  • Threat of data publication if payment is refused

No automated negotiation bots observed yet — communication appears manual.


Data Exfiltration

Although no public leak site was active at the time of first incidents, there are strong indicators of data staging, including:

  • Large outbound transfers prior to encryption
  • Use of command-line compression tools
  • Temporary archive files created and deleted

Vect is highly likely operating a double-extortion model, even if the leak site is not yet public.


Indicators of Compromise (IOCs)

File Paths

  • C:\ProgramData\winupdate.exe
  • C:\Users\Public\systemcheck.exe
  • %AppData%\svchost32.exe

Registry Keys

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinCheck

Suspicious Commands

  • vssadmin delete shadows /all /quiet
  • wmic shadowcopy delete
  • bcdedit /set {default} recoveryenabled no

Network Indicators

  • Outbound connections to Tor nodes shortly before encryption
  • SMB authentication from a single host to many systems in short time

(Hashes and IPs vary per incident and are changing rapidly.)


Detection and Threat Hunting Guidance

Endpoint Detection Ideas

Look for:

  • Execution of unknown binaries from ProgramData
  • New scheduled tasks created outside change windows
  • Security services stopped unexpectedly
  • Defender disabled via PowerShell

Example logic:

Process where
  Image ends with "\powershell.exe"
  AND CommandLine contains "Set-MpPreference"
  AND CommandLine contains "-DisableRealtimeMonitoring"

The Set-MpPreference command line belongs to the PowerShell process itself, so match on the process image rather than on a PowerShell parent; a parent-process match would only catch child processes spawned from the script and would miss the Defender change.
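The following is an added example, not code from the original post or from any Vect sample. It turns the defense-evasion behaviours in section 5 and the detection ideas above into a small rule set that runs over constructed process-creation records (Security 4688 / Sysmon Event ID 1 style fields; every host name, user and command line here is invented). It goes one step beyond the pseudocode: it also decodes a PowerShell -EncodedCommand payload before matching, since a Base64-encoded Set-MpPreference call would otherwise slip past a plain substring rule, and it flags execution from the user-writable directories the post lists (ProgramData, Users\Public, AppData). The field names are an assumption; map them to whatever your EDR or SIEM exports.

```python
import base64
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _enc(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records for the example; hosts, users and command lines are
# invented, not taken from a real incident. Field names are an assumption about your telemetry.
SAMPLE_EVENTS = [
    {"host": "fs01",  "user": "CORP\\svc_backup", "image": PS,
     "cmdline": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "fs01",  "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "dc01",  "user": "CORP\\admin",      "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "hmi07", "user": "PLANT\\operator",  "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "lms02", "user": "CORP\\jdoe",       "image": r"C:\ProgramData\winupdate.exe",
     "cmdline": r"C:\ProgramData\winupdate.exe"},
    {"host": "ws115", "user": "CORP\\jdoe",       "image": PS,      # same Defender change, Base64-encoded
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"host": "ws115", "user": "CORP\\jdoe",       "image": PS,      # benign: read-only query
     "cmdline": "powershell.exe Get-MpPreference"},
    {"host": "ws115", "user": "CORP\\jdoe",       "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                            # benign: lists, does not delete
]

# Each rule is (name, regex over the expanded command line). Deliberately narrow: a Defender
# query or a shadow-copy listing must not fire, only the change that weakens recovery/protection.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference\b.*-disable(?:realtimemonitoring|behaviormonitoring|ioavprotection)"
                r"\s+(?:\$true|1)\b", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the common short forms.
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) so the rules can see it."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not really Base64/UTF-16: leave the line as-is
        return cmdline
    return cmdline + " " + decoded


def classify(event: dict) -> list:
    """Names of every rule the event trips; an empty list means nothing suspicious."""
    cmd = expand_encoded(event["cmdline"])
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if any(d in event["image"].lower() for d in USER_WRITABLE):
        hits.append("exec_from_user_writable_dir")
    return hits


def triage(events) -> list:
    """(host, user, hits) for every event that matched at least one rule."""
    return [(e["host"], e["user"], hits) for e in events if (hits := classify(e))]


if __name__ == "__main__":
    for host, user, hits in triage(SAMPLE_EVENTS):
        print(f"{host:6} {user:18} {', '.join(hits)}")
```

The "exec_from_user_writable_dir" check will also fire on legitimate installers and updaters that stage themselves in ProgramData, so treat it as a hunting lead to be combined with the other hits (same host, same account, minutes apart) rather than a stand-alone alert.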

Lateral Movement Hunting

  • One account authenticating to many systems within minutes
  • SMB or service creation activity outside admin work hours

Focus on:

  • Event ID 4624 with Logon Type 3 (network logons, the type produced by SMB access and remote service creation)
  • Event ID 7045 (new service installed, System log)

Ransomware Early Warning

  • Sudden deletion of shadow copies
  • Rapid file renaming with new extensions
  • CPU spikes on file servers
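Both hunts above (one account reaching many systems within minutes, as described in section 4, and rapid renaming of files to a new extension) are the same question: how many distinct things did one key touch inside a sliding time window? The block below is an added example, not code from the original post, that implements that once and applies it to constructed 4624 logon records and constructed file-rename records. All hosts, accounts, timestamps and thresholds are invented for the example, the field names are an assumption about your log export, and ".locked" is a placeholder extension because the post does not name the one Vect appends.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def burst_keys(events, group_of, item_of, window, threshold):
    """Sliding-window distinct count.

    For each group (group_of(e)) count the distinct item_of(e) values seen within any
    `window` of time and return {group: peak_distinct} for groups whose peak reaches
    `threshold`. Events are sorted by their 'ts' datetime before processing.
    """
    recent = defaultdict(deque)                    # group -> (ts, item) still inside the window
    live = defaultdict(lambda: defaultdict(int))   # group -> item -> occurrences inside the window
    peak = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        g, it, ts = group_of(e), item_of(e), e["ts"]
        recent[g].append((ts, it))
        live[g][it] += 1
        # Expire entries older than the window; drop an item once its last occurrence leaves.
        while ts - recent[g][0][0] > window:
            _, old_it = recent[g].popleft()
            live[g][old_it] -= 1
            if live[g][old_it] == 0:
                del live[g][old_it]
        peak[g] = max(peak[g], len(live[g]))
    return {g: n for g, n in peak.items() if n >= threshold}


def lateral_fanout(logon_events, window=timedelta(minutes=10), threshold=5):
    """4624 Type 3 (network) logons: one account authenticating to many distinct hosts quickly."""
    net = [e for e in logon_events if e["event_id"] == 4624 and e["logon_type"] == 3]
    return burst_keys(net, group_of=lambda e: e["account"].lower(),
                      item_of=lambda e: e["host"].lower(), window=window, threshold=threshold)


def rename_burst(file_events, window=timedelta(seconds=60), threshold=50):
    """Many distinct files on one host renamed to the same new extension within a minute."""
    return burst_keys(file_events, group_of=lambda e: (e["host"].lower(), e["new_ext"].lower()),
                      item_of=lambda e: e["path"].lower(), window=window, threshold=threshold)


# Constructed sample data (not from a real incident). T0 is deliberately outside working hours.
T0 = datetime(2026, 1, 17, 2, 14, 0)


def _logon(minutes, account, host, logon_type=3, event_id=4624):
    return {"ts": T0 + timedelta(minutes=minutes), "event_id": event_id,
            "logon_type": logon_type, "account": account, "host": host}


SAMPLE_LOGONS = [
    _logon(0.0, "CORP\\svc_backup", "jump01", logon_type=10),  # RDP logon: not part of this hunt
    _logon(0.5, "CORP\\svc_backup", "dc01"),
    _logon(1.0, "CORP\\svc_backup", "fs01"),
    _logon(1.5, "CORP\\svc_backup", "sis01"),
    _logon(2.0, "CORP\\svc_backup", "lms02"),
    _logon(2.5, "CORP\\svc_backup", "bkp01"),
    _logon(3.0, "CORP\\svc_backup", "fs01"),                  # repeat host: not a new target
    _logon(3.5, "CORP\\svc_backup", "ws115"),
    _logon(1.0, "CORP\\admin", "dc01"),                       # normal admin: two hosts, no alert
    _logon(9.0, "CORP\\admin", "fs01"),
]


def _rename(seconds, host, path, new_ext):
    return {"ts": T0 + timedelta(seconds=seconds), "host": host, "path": path, "new_ext": new_ext}


SAMPLE_RENAMES = (
    [_rename(i, "fs01", f"\\\\fs01\\records\\file{i:03d}.docx", ".locked") for i in range(60)]
    + [_rename(i * 20, "ws115", f"C:\\Users\\jdoe\\report{i}.xlsx", ".bak") for i in range(3)]
)

if __name__ == "__main__":
    print("fan-out:", lateral_fanout(SAMPLE_LOGONS))   # {'corp\\svc_backup': 6}
    print("renames:", rename_burst(SAMPLE_RENAMES))    # {('fs01', '.locked'): 60}
```

Tune the thresholds against a baseline from your own environment before alerting: backup agents and vulnerability scanners legitimately fan out to many hosts, so the fan-out hunt is most useful when restricted to interactive user accounts and to hours when no scheduled jobs run, while the rename burst is rarely benign on a file server and can alert on its own.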

Why Education Was Targeted Early

Education environments typically have:

  • Flat networks
  • Shared credentials
  • Legacy systems
  • Limited 24/7 monitoring

Vect operators clearly prioritized speed and impact over a long, stealthy dwell time.


Final Takeaway

Vect is not amateur ransomware.
It behaves like a rebranded or rebuilt operation run by experienced actors. The choice of victims, clean execution, and coordinated attack flow strongly suggest prior ransomware experience.

Expect:

  • Expansion into healthcare and local government
  • A public leak site to appear
  • Faster affiliate onboarding

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.