A new ransomware variant known as ‘Payload’ is posing a significant threat to organizations across various industries. Utilizing robust encryption strategies and sophisticated anti-forensic measures, this malware has already impacted multiple sectors worldwide.
Emergence and Impact of Payload Ransomware
Active since February 17, 2026, the group behind Payload wasted no time in making its mark, with the first victim appearing on their dark web leak site shortly after the ransomware’s Windows binary was compiled. To date, the attackers have targeted 12 organizations in seven countries, amassing 2,603 gigabytes of purportedly stolen data.
The ransomware primarily targets mid-to-large organizations in industries such as healthcare, real estate, energy, telecommunications, and agriculture, focusing on emerging markets. Utilizing a double-extortion model, Payload not only encrypts files but also exfiltrates data, threatening to release it unless a ransom is paid.
Technical Analysis and Unique Features
On March 15, 2026, Payload claimed responsibility for a significant data breach at the Royal Bahrain Hospital, alleging the theft of 110 GB of data. The deadline for a response was set for March 23. Researchers at Derp.Ca have conducted a comprehensive reverse-engineering analysis of both the Windows and Linux variants, noting that seventeen VirusTotal engines identified the Windows sample as Babuk.
Despite its origins in Babuk, Payload is a distinct variant. Developers have replaced the HC-128 cipher with ChaCha20 and introduced anti-forensic techniques, such as patching Windows event tracing functions and deleting logs post-encryption. These advancements complicate forensic investigations significantly.
Encryption Mechanism and Security Implications
Payload’s encryption mechanism is particularly concerning due to its use of the Curve25519 elliptic-curve key exchange paired with the ChaCha20 stream cipher, ensuring that file recovery without the operator’s private key is impossible. Each file is encrypted with a unique key, and for files over 2 GB, only 20% is encrypted, optimizing performance on large storage systems.
After encryption, a 56-byte RC4-encrypted footer is appended to each file, containing critical decryption information. The per-file private key is immediately erased from memory once used, leaving no cryptographic weaknesses or paths for decryption without the operator’s private key.
Recommendations for Organizations
Organizations are advised to maintain immutable offline backups and test them regularly, as Payload specifically targets backup services from major providers such as Veeam, Acronis, and BackupExec. Security teams should not rely on ETW (Event Tracing for Windows) based monitoring alone, because Payload patches the event-tracing functions that such monitoring depends on. Instead, any process attempting to delete shadow copies or wipe event logs should trigger an alert.
The mutex ‘MakeAmericaGreatAgain’ and the ‘.payload’ file extension are key indicators of compromise. YARA detection rules are available for both Windows and Linux builds, offering additional means of threat detection.
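The following script is an added example, not part of the original article or any vendor's tooling: it applies the two recommendations above (alerting on shadow-copy deletion and event-log clearing, and matching the published mutex and file-extension indicators) to a handful of constructed process-creation log lines. The command-line patterns are assumptions drawn from common Windows administration tools, not from the article.

```python
import re

# Constructed sample process-creation events (not real telemetry):
# "<timestamp> <parent> <command line>".
SAMPLE_EVENTS = [
    "2026-03-15T02:11:04Z cmd.exe vssadmin.exe delete shadows /all /quiet",
    "2026-03-15T02:11:05Z cmd.exe wevtutil.exe cl Security",
    "2026-03-15T02:11:05Z cmd.exe wevtutil.exe cl System",
    "2026-03-15T02:11:07Z explorer.exe notepad.exe C:\\Users\\a\\report.docx",
]

# Behavioural rules (assumed patterns, not taken from the article): the two
# behaviours the article says should raise an alert regardless of ETW state.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "event_log_clearing": [
        re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
        re.compile(r"Clear-EventLog", re.I),
    ],
}

# Indicators of compromise quoted in the article.
PAYLOAD_MUTEX = "MakeAmericaGreatAgain"
PAYLOAD_EXTENSION = ".payload"


def classify_event(line):
    """Return the names of every behavioural rule matching this command line."""
    return [name for name, pats in RULES.items() if any(p.search(line) for p in pats)]


def scan_events(lines):
    """Return (timestamp, rule_name) for each event that should raise an alert."""
    alerts = []
    for line in lines:
        timestamp = line.split(" ", 1)[0]
        for rule in classify_event(line):
            alerts.append((timestamp, rule))
    return alerts


def match_iocs(mutex_names, file_paths):
    """Return observed mutexes and file paths that match the article's indicators."""
    return {
        "mutex": [m for m in mutex_names if m == PAYLOAD_MUTEX],
        "files": [p for p in file_paths if p.lower().endswith(PAYLOAD_EXTENSION)],
    }
```

In a real deployment the same two functions would run over Sysmon or EDR process-creation telemetry and the host's mutex and file listings, rather than over the constructed lines embedded here.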
