A new ransomware variant named ‘Payload’ is posing a significant cybersecurity threat, combining Babuk-derived code with its own encryption scheme and anti-forensic measures against both Windows and ESXi systems. This strain, active since at least February 17, 2026, has already targeted 12 organizations across seven countries, exfiltrating substantial amounts of data.
The ‘Payload’ ransomware group primarily targets mid-to-large enterprises in critical sectors such as healthcare, real estate, energy, telecommunications, and agriculture, with a notable focus on emerging markets. The operators utilize a double-extortion strategy, stealing sensitive data before encrypting files, and then threatening public release unless a ransom is paid. Victims are directed to a Tor-based negotiation portal, while stolen data is posted on a separate Tor leak blog, often accompanied by a countdown timer.
One high-profile claim made by the group was the breach of Royal Bahrain Hospital on March 15, 2026, claiming to have stolen 110 GB of data and setting a response deadline of March 23. Researchers at Derp.Ca conducted a comprehensive reverse-engineering analysis of both the Windows and Linux versions of the malware, identifying its lineage and unique capabilities.
Inside Payload’s Encryption: Curve25519 Meets ChaCha20
The encryption mechanism employed by ‘Payload’ makes file recovery without the attackers’ private key virtually impossible. The ransomware combines Curve25519 elliptic-curve key exchange with the ChaCha20 stream cipher so that every file is encrypted under a distinct key. For each file, a fresh Curve25519 key pair and a 12-byte nonce are generated using `CryptGenRandom`. An ECDH key agreement between the per-file private key and the operator’s hardcoded Curve25519 public key yields a shared secret, which is used directly as the ChaCha20 key without a key-derivation step. That shortcut is not something a defender can exploit: the same secret can only be recomputed from the per-file private key, which the sample discards, or from the operator’s private key, which never leaves the operator.
For particularly large files exceeding 2 GB, ‘Payload’ only encrypts 20% of the data, distributed in evenly spaced 1 MB chunks. This lets the ransomware finish quickly on systems with extensive storage; it also means the other 80% of such a file is left untouched, which is worth remembering when carving data from large database files or virtual disks, even though the file as a whole is unusable. After each file is encrypted, a 56-byte footer is appended, encrypted using RC4 with the three-byte key `FBI`. Because that key is constant and public, the RC4 layer is obfuscation rather than protection: anyone can decrypt the footer, but it contains only the per-file public key and nonce, which are necessary for decryption but not sufficient. Critically, once the footer is written, the per-file private key is promptly zeroed out of memory and is not saved to disk, according to Derp.Ca analysts. Their analysis revealed no cryptographic weaknesses, backdoors, or exploitable flaws, meaning encrypted files will remain inaccessible without the operator’s private Curve25519 key.
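To make the recovery argument concrete, here is the per-file scheme as the analysis describes it, modelled in pure Python so it runs anywhere. This is an added example, not code from the sample or from Derp.Ca: X25519 follows RFC 7748, ChaCha20 follows RFC 8439, `os.urandom` stands in for `CryptGenRandom`, and the footer layout (32-byte per-file public key, then the 12-byte nonce, then 12 unused bytes) is an assumption, since only the footer's size and those two fields are documented.

```python
# Added example modelling the described scheme; not the malware's code.
# Footer layout (32-byte public key + 12-byte nonce + 12 spare) is assumed.
import os
import struct

P = 2**255 - 19                       # field prime of Curve25519
M32 = 0xFFFFFFFF
BASEPOINT = (9).to_bytes(32, "little")
FOOTER_KEY = b"FBI"                   # the sample's RC4 key for the footer
FOOTER_LEN = 56


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time here)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _qr(s, a, b, c, d):
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & M32
        s[z] ^= s[x]
        s[z] = ((s[z] << r) & M32) | (s[z] >> (32 - r))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """ChaCha20 (RFC 8439, 32-bit block counter starting at 0) XORed over data."""
    out = bytearray()
    for blk, off in enumerate(range(0, len(data), 64)):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                                  + struct.pack("<I", blk) + nonce))
        s = init[:]
        for _ in range(10):                      # 20 rounds: 10 column+diagonal pairs
            for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
                _qr(s, *q)
        ks = struct.pack("<16I", *[(i + j) & M32 for i, j in zip(init, s)])
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4; with a public three-byte key it obfuscates the footer, nothing more."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Fresh key pair and nonce per file; the shared secret with the operator's
    key is the ChaCha20 key; only the public half survives, in the RC4'd footer."""
    file_priv = os.urandom(32)                    # stands in for CryptGenRandom
    nonce = os.urandom(12)
    file_pub = x25519(file_priv, BASEPOINT)
    key = x25519(file_priv, operator_pub)         # raw shared secret, no KDF
    body = chacha20_xor(key, nonce, plaintext)
    footer = rc4(FOOTER_KEY, file_pub + nonce + bytes(12))   # assumed 56-byte layout
    del file_priv, key      # the sample zeroes these; Python can only drop them
    return body + footer


def parse_footer(blob: bytes):
    """What a defender gets from the footer: per-file public key and nonce."""
    plain = rc4(FOOTER_KEY, blob[-FOOTER_LEN:])
    return plain[:32], plain[32:44]


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Only the operator's private key reproduces the per-file shared secret."""
    file_pub, nonce = parse_footer(blob)
    return chacha20_xor(x25519(operator_priv, file_pub), nonce, blob[:-FOOTER_LEN])
```

Running `encrypt_file` against a throwaway operator key pair and then `decrypt_file` with the matching private key round-trips the data, while `parse_footer` alone hands back a public key and nonce that are useless on their own. That is the whole recovery argument in one place: the RC4 layer falls to anyone, the ECDH layer falls only to the operator.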
The ‘Payload’ ransomware also exhibits anti-forensic capabilities that distinguish it from its Babuk origins. Seventeen VirusTotal engines flagged the Windows sample as Babuk, consistent with reuse of the Babuk source code that became publicly available in September 2021. However, ‘Payload’ is not a mere replication. Its developers have replaced Babuk’s original HC-128 cipher with ChaCha20 and introduced anti-forensic features not present in the original code. These include patching four Event Tracing for Windows (ETW) functions in `ntdll.dll` so that the process stops emitting the telemetry endpoint detection tools rely on, wiping all Windows event logs upon completion of encryption, and using an NTFS Alternate Data Stream rename trick (renaming the running executable’s primary data stream into an alternate stream before marking the file for deletion) to remove the malware binary without leaving a traceable child process or temporary file. These enhancements are designed to significantly complicate post-incident forensic investigations.
Additionally, the ransomware creates a mutex named `MakeAmericaGreatAgain` at startup, serving as a single-instance lock to prevent multiple copies of the malware from running concurrently on the same system. This mutex and the encrypted-file extension `.payload` are considered reliable host-based indicators of compromise for the analysed builds, with the usual caveat that both are trivial for the operators to change in a new build. YARA detection rules for both the Windows and Linux builds are publicly accessible on GitHub.
To mitigate the threat posed by ‘Payload,’ organizations are strongly advised to maintain immutable offline backups and to test restores from them regularly, as the ransomware has been observed to target and disable backup services from Veeam, Acronis, and BackupExec. Security teams should not depend on a single telemetry source: because the sample patches ETW inside its own process, detections that rely solely on user-mode ETW providers can be blinded, so kernel-level process and file telemetry and off-host log forwarding should run alongside them. Any process attempting to delete shadow copies using `vssadmin`, stopping backup services, or initiating a full event log wipe should trigger an immediate alert; since the event-log wipe destroys the local record of everything that preceded it, those events are only useful if they have already been shipped off the host.
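The following is an added example of the host-telemetry rules those recommendations imply, run over a handful of constructed events; it is not from the original analysis or the Derp.Ca YARA rules. Field names (`type`, `host`, `cmdline`, `target`, `name`) and the exact wipe and service-stop command lines (`wevtutil cl`, `Clear-EventLog`, `sc stop` / `net stop`) are assumptions to adapt to your EDR or Sysmon schema; the mutex name and `.payload` extension are the indicators the report gives.

```python
# Added detection example over constructed events; not the report's own rules.
# Field names and the wipe/stop command-line patterns are assumptions.
import re
from collections import defaultdict

MUTEX_IOC = "MakeAmericaGreatAgain"
EXTENSION_IOC = ".payload"
BACKUP_VENDORS = ("veeam", "acronis", "backupexec")   # services the sample disables
RENAME_BURST = 5   # renames to .payload on one host before alerting (assumed tuning)

# Process command-line rules: name -> pattern.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("event_log_wipe",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("backup_service_stop",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\b.*\b(" + "|".join(BACKUP_VENDORS) + r")", re.I)),
]


def detect(events):
    """Return (rule, host, detail) tuples for every matching event.

    Process events are matched against RULES; mutex events against the
    known mutex name; file renames are counted per host so a burst of
    new .payload files fires once rather than once per file.
    """
    alerts = []
    renames = defaultdict(int)
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind == "process":
            for name, pattern in RULES:
                if pattern.search(ev["cmdline"]):
                    alerts.append((name, host, ev["cmdline"]))
        elif kind == "mutex" and ev["name"] == MUTEX_IOC:
            alerts.append(("payload_mutex", host, ev["name"]))
        elif kind == "file_rename" and ev["target"].lower().endswith(EXTENSION_IOC):
            renames[host] += 1
            if renames[host] == RENAME_BURST:
                alerts.append(("payload_extension_burst", host,
                               f"{RENAME_BURST} renames to {EXTENSION_IOC}"))
    return alerts


# Constructed sample telemetry, not captured from a real incident. Host fs01
# shows the full sequence; ws07 shows benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "mutex", "host": "fs01", "name": "MakeAmericaGreatAgain"},
    {"type": "process", "host": "fs01", "cmdline": 'sc stop "Veeam Backup Service"'},
    {"type": "process", "host": "fs01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    *[{"type": "file_rename", "host": "fs01",
       "target": f"D:\\shares\\finance\\q{i}.xlsx.payload"} for i in range(6)],
    {"type": "process", "host": "fs01", "cmdline": "wevtutil cl Security"},
    {"type": "process", "host": "ws07", "cmdline": "vssadmin list shadows"},
    {"type": "file_rename", "host": "ws07", "target": "C:\\Users\\a\\notes.txt.bak"},
]


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

The ordering in the constructed sample is the point: the mutex, service stops and shadow-copy deletion all precede the event-log wipe, so a pipeline that only queries local logs after the fact sees nothing, while one that forwards events as they happen has every earlier alert on record.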
The ongoing activity of ‘Payload’ with its sound encryption and evasion techniques necessitates continuous vigilance and robust cybersecurity defenses. The group’s consistent targeting of critical infrastructure and financial data suggests a determined and sophisticated threat actor, and with no flaw found in its cryptography so far, recovery without the ransom or a clean backup remains highly improbable.