Stay updated on the latest cyber threats.

In this week's roundup, we feature new research exposing a fatal encryption flaw in VECT 2.0 ransomware that makes it behave more like a data wiper, leaving victims with no recovery path even after paying. We then cover Pack2TheRoot, a newly disclosed privilege escalation vulnerability that has lurked undetected in the Linux PackageKit daemon for nearly 12 years; the rapid rise of The Gentlemen ransomware group, which has claimed over 320 victims in under a year and become one of the most prolific RaaS operations in the ecosystem; Copy Fail, a newly disclosed Linux kernel flaw that lets any unprivileged local user gain full root access on virtually every distribution shipped since 2017; and the feud between rival ransomware groups 0APT and KryBit, who leaked one another's operational data and exposed that 0APT's entire claimed victim list was fabricated. Read on!


VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi

VECT 2.0 markets itself as ransomware, but researchers have exposed a critical flaw that makes it function more like a wiper: any file larger than 131KB is permanently destroyed rather than recoverably encrypted, leaving victims with no path to recovery even after paying the ransom. For large files the malware generates encryption keys but discards three of the four nonces required for decryption as soon as it runs, so the data cannot be recovered even with the correct key in hand. Operating across Windows, Linux, and ESXi, the group runs a formal RaaS affiliate program and has partnered with BreachForums and the TeamPCP hacking collective to accelerate attacks, weaponize previously stolen data, and lower the barrier to entry for new operators.
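To make the nonce point concrete, the following is an added toy model, not VECT 2.0's code and not taken from the research above. It assumes a large file is encrypted as four segments, each under its own random 16-byte nonce, and uses HMAC-SHA256 in counter mode as a stand-in stream cipher. It then does what the write-up describes: keeps one nonce and throws the other three away, and shows that a decryptor holding the correct key still recovers only one quarter of the file.

```python
# Toy model of the VECT 2.0 flaw: a file is encrypted as four segments, each
# under its own nonce, and the malware keeps only one nonce. Added example,
# not VECT code; the HMAC-SHA256 counter keystream is a stand-in cipher.
import hashlib
import hmac
import secrets

SEGMENTS = 4      # assumed: one nonce per segment, four segments per large file
NONCE_LEN = 16    # assumed nonce size (128 bits: far beyond any brute force)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) with HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def segment_bounds(total: int):
    """Split `total` bytes into SEGMENTS equal-sized ranges (the last may be shorter)."""
    seg = -(-total // SEGMENTS)  # ceiling division
    return [(i * seg, min((i + 1) * seg, total)) for i in range(SEGMENTS)]


def encrypt_file(data: bytes, key: bytes):
    """Encrypt each segment under a fresh random nonce; return (ciphertext, nonces)."""
    ct, nonces = bytearray(), []
    for start, end in segment_bounds(len(data)):
        nonce = secrets.token_bytes(NONCE_LEN)
        nonces.append(nonce)
        ct += xor_bytes(data[start:end], keystream(key, nonce, end - start))
    return bytes(ct), nonces


def decrypt_file(ct: bytes, key: bytes, nonces):
    """Decrypt segment by segment. A segment whose nonce is None comes back as None:
    the key alone does not determine the keystream, so that segment is gone."""
    parts = []
    for (start, end), nonce in zip(segment_bounds(len(ct)), nonces):
        if nonce is None:
            parts.append(None)
        else:
            parts.append(xor_bytes(ct[start:end], keystream(key, nonce, end - start)))
    return parts


def simulate_vect_flaw(data: bytes, key: bytes):
    """Encrypt, then discard three of the four nonces as the write-up describes;
    return what a decryptor holding the correct key can still recover."""
    ct, nonces = encrypt_file(data, key)
    retained = [nonces[0]] + [None] * (SEGMENTS - 1)   # only one nonce survives
    return decrypt_file(ct, key, retained)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sample = bytes(range(256)) * 4     # constructed 1 KiB "file"
    recovered = simulate_vect_flaw(sample, key)
    print([None if p is None else len(p) for p in recovered])
```

The practical takeaway for responders is that a "decryptor" from this crew cannot work on large files no matter what is paid, so triage should treat affected files as wiped and go straight to backups and restore-from-image for ESXi datastores.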

Read More

Austin Gadient, CTO & Cofounder:

"It's assumed that ransomware is reversible. In practice, many organizations still experience data loss even with decryption keys due to flaws in the malware's encryption process. That's why prevention is so important. You don't have to recover what was never damaged in the first place."

On VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi

Nathan Montierth, Threat Intelligence Lead:

"Pack2TheRoot is a great example of why preemptive security is so crucial today. The technical vulnerabilities associated with this exploit have been in some form available and unnoticed for over a decade. It's very possible that the vulnerability has been quietly used by threat actors for years. Security tools which only detect 'known' threats or rely on static signatures will always fall flat when it comes to new and novel threats. Security tooling must focus more on identifying malicious behavior at a deeper level, rather than specific exploits or malware."

On Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access


Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access

Pack2TheRoot (CVE-2026-41651) is a high-severity privilege escalation flaw in the PackageKit daemon that has gone unnoticed for nearly 12 years. Exploitable in seconds, it lets any unprivileged local user install or remove system packages without authentication, which amounts to full root access. It affects default installations of Ubuntu, Fedora, Debian, and RHEL, as well as any server running the Cockpit management project, so the attack surface is exceptionally broad. Organizations should update to PackageKit 1.3.5 or later immediately.
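A first-pass fleet check for this advisory, written here as an added example (it is not from the advisory or the PackageKit project): query the host's package manager for the installed PackageKit version and compare its upstream part with the 1.3.5 fix release. The package names used are the real ones on Debian/Ubuntu (`packagekit`) and Fedora/RHEL/SUSE (`PackageKit`); the version parsing is the example's own and deliberately ignores epoch and distro release suffixes.

```python
# Fleet check for Pack2TheRoot (CVE-2026-41651): is the installed PackageKit
# older than the 1.3.5 fix release? Added example, not part of the advisory.
import re
import shutil
import subprocess

FIXED_UPSTREAM = (1, 3, 5)

# Package manager queries, tried in order; the package names are the real distro names.
QUERIES = [
    ["dpkg-query", "-W", "-f=${Version}", "packagekit"],           # Debian / Ubuntu
    ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "PackageKit"],   # Fedora / RHEL / SUSE
]


def upstream_version(pkg_version: str) -> tuple:
    """Reduce a distro version string to the upstream (major, minor, patch) triple:
    '1:1.2.8-2ubuntu1.3' -> (1, 2, 8); '1.3.5-1.fc42' -> (1, 3, 5)."""
    body = pkg_version.strip().split(":", 1)[-1].split("-", 1)[0]  # drop epoch and release
    nums = [int(n) for n in re.findall(r"\d+", body)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(pkg_version: str) -> bool:
    """True when the upstream version predates 1.3.5 (distro backports are NOT considered)."""
    return upstream_version(pkg_version) < FIXED_UPSTREAM


def installed_packagekit_version():
    """Return the installed PackageKit version string, or None if it is not installed."""
    for cmd in QUERIES:
        if shutil.which(cmd[0]) is None:
            continue
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode == 0 and result.stdout.strip():
            return result.stdout.strip()
    return None


def assess_host() -> str:
    version = installed_packagekit_version()
    if version is None:
        return "PackageKit not installed (or no dpkg/rpm on this host)"
    verdict = "VULNERABLE by version" if is_vulnerable_version(version) else "fixed upstream"
    return f"PackageKit {version}: {verdict}"


if __name__ == "__main__":
    print(assess_host())
```

Treat "VULNERABLE by version" as a lead, not a verdict: distributions routinely backport security fixes without bumping the upstream version, so confirm against the vendor advisory or the package changelog (`apt changelog packagekit`, `rpm -q --changelog PackageKit`). Hosts running Cockpit deserve priority in the sweep, since the advisory calls them out specifically.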

Read more

'The Gentlemen' Rapidly Rises to Ransomware Prominence

The Gentlemen ransomware group has rocketed to prominence since emerging in mid-2025, claiming over 320 victims and ranking second only to Qilin in Q1 2026 leak-site activity — a milestone that took comparable groups nearly twice as long to reach. The group targets enterprise environments across Windows, Linux, and ESXi with double-extortion tactics, modular tooling, and cross-platform payloads. Affiliates have been observed leveraging SystemBC, Cobalt Strike, and GPO-based domain-wide deployment to maximize impact. Analysts assess them as experienced operators with significant staying power in the ransomware ecosystem.

Read more

New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions

Copy Fail (CVE-2026-31431) is a high-severity Linux kernel flaw, introduced in 2017, that lets any unprivileged local user write four attacker-controlled bytes into the page cache of any file they can read. That is enough to corrupt a setuid binary and gain full root access. Exploitable with a 732-byte Python script, it works reliably across essentially every Linux distribution shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. It is especially dangerous because it needs no race condition, works identically across distributions, and has cross-container implications. Patches are available now.
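Since the described primitive corrupts a setuid binary, the check a responder wants while the patch rolls out is an integrity baseline of privileged binaries. The following is an added example, not code from the advisory: it hashes every setuid/setgid regular file under a root, and diffs a later run against a saved baseline. Reading the files goes through the page cache, the same path `exec` takes, so a corrupted binary shows up even if the page never reached disk. The write-up does not say whether the corruption persists to disk; that is why the check compares content rather than mtime or package metadata.

```python
# Integrity baseline for setuid/setgid binaries, the targets Copy Fail corrupts.
# Added example, not from the advisory. Take a baseline on a known-good host or
# image; later diffs flag binaries whose content changed as read through the page cache.
import hashlib
import json
import os
import stat
import sys


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def find_setuid(root: str) -> dict:
    """Map every regular file under `root` with the setuid or setgid bit to its SHA-256.
    Symlinks are skipped (lstat) so a link cannot shadow a real binary."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found[path] = sha256_file(path)
            except OSError:
                continue   # unreadable or vanished between walk and stat
    return found


def compare(baseline: dict, current: dict) -> dict:
    """Report privileged binaries that changed, appeared, or disappeared."""
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    # usage: baseline <root> > baseline.json   |   check <root> baseline.json
    mode, root = sys.argv[1], sys.argv[2]
    if mode == "baseline":
        print(json.dumps(find_setuid(root), indent=2))
    else:
        with open(sys.argv[3]) as f:
            print(json.dumps(compare(json.load(f), find_setuid(root)), indent=2))
```

For packaged binaries, `dpkg --verify` and `rpm -Va` perform the same content comparison against the package manifests and are the quicker first pass; the baseline above adds coverage for setuid binaries that no package owns. Given the cross-container note in the write-up, run it against each container's root filesystem as well as the host's, and treat any "changed" entry as an incident, not a drift ticket.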

Read more

Feuding Ransomware Groups Leak Each Other's Data

Two emerging ransomware groups, 0APT and KryBit, have imploded after turning on each other and leaking one another's operational data. 0APT kicked off the feud by publishing data from KryBit's administrator panel — exposing its operators, affiliates, and victim negotiations — before KryBit retaliated by hacking 0APT and defacing its leak site. The counterattack dealt the heavier blow, revealing that all 190+ victims 0APT claimed in January 2026 were entirely fabricated. KryBit, which only emerged in late March offering RaaS kits across Windows, Linux, and ESXi, managed to cause significant damage to a rival operation in just weeks of existence.

Read more

Thanks for reading! Feel free to share this email with your network, and for more hypervisor and Linux cybersecurity updates, visit valicyber.com.

 


Vali Cyber, Inc., 529 Rookwood Place, Charlottesville, VA 22903, USA
