Categories: Cyber Security News

New ‘Payload’ Ransomware Uses Babuk-Style Encryption Against Windows and ESXi Systems

A newly identified ransomware strain called “Payload” has emerged as a serious threat to organizations across multiple sectors, combining strong encryption techniques with advanced anti-forensic capabilities.

The group behind it has been active since at least February 17, 2026 — the same day its Windows binary was compiled — and the first victim appeared on its dark web leak site within hours of launch.

Since then, Payload has claimed 12 victims across seven countries, with a total of 2,603 gigabytes of allegedly stolen data in the hands of the operators.

The group focuses on mid-to-large organizations in healthcare, real estate, energy, telecommunications, and agriculture, primarily in emerging markets.

Payload runs a double-extortion model, stealing data from victim networks before encrypting their files, then threatening to publish that data unless a ransom is paid.

Victims are directed to a Tor-based negotiation portal with unique per-victim credentials, while stolen files are posted on a separate Tor leak blog with a countdown timer.

On March 15, 2026, Payload publicly claimed a breach of Royal Bahrain Hospital, alleging 110 GB of stolen data and setting a March 23 response deadline.

Derp.Ca researchers identified the malware through a complete reverse-engineering analysis of both the Windows binary and the Linux ELF variant.

They noted that seventeen VirusTotal engines flagged the Windows sample as Babuk, linking it to the Babuk source code that leaked publicly in September 2021.

The ransomware also creates a mutex named MakeAmericaGreatAgain at startup, a single-instance lock that prevents multiple copies of the malware from running on the same machine at the same time.

Despite its Babuk origins, Payload is not a straightforward copy. The developer replaced the original HC-128 cipher with ChaCha20 and added anti-forensic capabilities that never existed in the original Babuk code.

These include patching four Windows event tracing functions in ntdll.dll to blind endpoint detection tools, wiping all Windows event logs after encryption completes, and using an NTFS Alternate Data Stream rename trick to silently delete the binary without leaving a child process or temporary file behind.

These additions make forensic investigation meaningfully harder for any team responding after the fact.

Inside Payload’s Encryption: Curve25519 Meets ChaCha20

The encryption scheme is what makes Payload truly dangerous, and it is engineered so that file recovery without the operator’s private key is simply not possible.

The ransomware pairs Curve25519 elliptic-curve key exchange with the ChaCha20 stream cipher to lock each file with a completely unique key. For every file, a fresh Curve25519 key pair and 12-byte nonce are generated using CryptGenRandom.

An ECDH key agreement between the per-file key and the operator’s hardcoded public key produces a shared secret, used directly as the ChaCha20 encryption key.

Files larger than 2 GB receive only 20% encryption — spread across evenly spaced 1 MB chunks — giving the ransomware a speed advantage on large storage systems.

After each file is locked, a 56-byte footer is attached to it, RC4-encrypted with the three-byte key FBI. This footer stores the per-file public key and nonce that the operator needs to later reverse the encryption.

The moment the footer is written, the per-file private key is immediately zeroed out of memory and never saved to disk.

Derp.Ca analysts found no cryptographic weakness in the implementation — no backdoor, no flaw, and no decryption path. Without the operator’s Curve25519 private key, every encrypted file remains permanently out of reach.
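The following is an added illustration, not code from the article or from the malware, of why the key agreement described above leaves no recovery path once the per-file private key is zeroized. It implements X25519 from RFC 7748 in plain Python (no ChaCha20, no footer format; only the key agreement) and walks through both sides: the encrypting side derives the shared secret and wipes its per-file private key, and the operator later re-derives the same secret from their private key and the public value stored in the footer. A responder who only has the two public values has nothing to feed into the ladder. The function names `keypair`, `encrypt_side_key_setup`, `operator_side_recover` and `demo` are this example's own.

```python
import os

P = 2**255 - 19            # field prime for Curve25519
A24 = 121665               # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = bytes([9]) + bytes(31)


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping of a 32-byte private key
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127               # ignore the unused top bit of the u-coordinate
    return int.from_bytes(u, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication via the Montgomery ladder.
    This version branches on secret bits, so it is not constant-time;
    it is written for clarity, not for production use."""
    k = _decode_scalar(scalar)
    x1 = _decode_u(point)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: bytes = None):
    """Private key as a mutable bytearray (so it can be zeroized) plus its public key."""
    priv = bytearray(seed or os.urandom(32))
    return priv, x25519(bytes(priv), BASEPOINT)


def encrypt_side_key_setup(operator_pub: bytes):
    """What the encrypting side does per file: fresh key pair, ECDH against the
    operator's hardcoded public key, then wipe the per-file private key.
    Returns (shared_secret, file_pub); file_pub is the value the footer keeps."""
    file_priv, file_pub = keypair()
    shared = x25519(bytes(file_priv), operator_pub)
    for i in range(len(file_priv)):   # zeroize: nothing on the host can redo this ECDH afterwards
        file_priv[i] = 0
    return shared, file_pub


def operator_side_recover(operator_priv: bytearray, file_pub: bytes) -> bytes:
    """The operator's recovery step: their private key against the footer's public key."""
    return x25519(bytes(operator_priv), file_pub)


def demo() -> bool:
    """True when the operator re-derives exactly the secret the encrypting side used."""
    op_priv, op_pub = keypair()
    shared_at_encryption, file_pub = encrypt_side_key_setup(op_pub)
    return operator_side_recover(op_priv, file_pub) == shared_at_encryption


if __name__ == "__main__":
    print("operator recovers per-file secret:", demo())
```

The symmetry `x25519(file_priv, op_pub) == x25519(op_priv, file_pub)` is the whole scheme: the footer only needs to carry `file_pub` and the nonce, and zeroizing `file_priv` removes the only other input that would reproduce the secret without the operator's key.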

Organizations should maintain immutable offline backups and test them regularly, as Payload targets and disables backup services from Veeam, Acronis, and BackupExec.

Security teams should not rely solely on ETW-based monitoring, since Payload patches four core ntdll functions to disable it. Any process running vssadmin to delete shadow copies or issuing a full event log wipe should trigger an immediate alert.

The mutex MakeAmericaGreatAgain and the encrypted file extension .payload are both reliable host-based indicators of compromise. YARA detection rules for both the Windows and Linux builds are publicly available at github.com/kirkderp/yara.
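As an added example (not from the article, Derp.Ca, or the linked YARA repository), here is a small rule set that turns the host-based indicators and behaviours listed above into alerts over endpoint telemetry. The events are constructed sample records, not real logs. The `vssadmin delete shadows` pattern and the `.payload` extension and mutex name come from the article; using `wevtutil cl` as the log-clearing command is this example's assumption, since the article only says the logs are wiped, so the rules also match Windows' own "log cleared" audit records (Security event 1102 and System event 104) to cover other clearing methods. Rule names are the example's own.

```python
import re

# Constructed sample telemetry (not real logs). Each record is one endpoint event
# of a given kind: process creation, mutex creation, file write, or Windows event.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "fs01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "host": "fs01", "cmdline": "wevtutil.exe cl Security"},
    {"kind": "process", "host": "ws07", "cmdline": "notepad.exe report.txt"},
    {"kind": "mutex",   "host": "fs01", "name": "MakeAmericaGreatAgain"},
    {"kind": "file",    "host": "fs01", "path": r"D:\shares\finance\q1.xlsx.payload"},
    {"kind": "file",    "host": "ws07", "path": r"D:\shares\finance\q2.xlsx"},
    {"kind": "winevent", "host": "fs01", "id": 1102, "channel": "Security"},
]

# Each rule: (name, event kind it applies to, predicate over the event).
RULES = [
    ("shadow_copy_deletion", "process",
     lambda e: re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", e["cmdline"], re.I) is not None),
    ("event_log_clear_command", "process",
     lambda e: re.search(r"\bwevtutil(\.exe)?\s+cl\b", e["cmdline"], re.I) is not None),
    ("event_log_cleared_audit", "winevent",
     lambda e: e["id"] in (1102, 104)),           # Windows' own "log was cleared" records
    ("payload_mutex", "mutex",
     lambda e: e["name"] == "MakeAmericaGreatAgain"),
    ("payload_extension", "file",
     lambda e: e["path"].lower().endswith(".payload")),
]


def evaluate(events):
    """Run every rule over every event; return one alert per (rule, event) match, in event order."""
    alerts = []
    for ev in events:
        for name, kind, pred in RULES:
            if ev["kind"] == kind and pred(ev):
                alerts.append({"rule": name, "host": ev["host"], "event": ev})
    return alerts


def hosts_needing_immediate_response(events):
    """Hosts where any rule fired; per the guidance above, every one of these
    behaviours warrants an immediate alert on its own."""
    return sorted({a["host"] for a in evaluate(events)})


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['rule']}")
    print("respond now:", hosts_needing_immediate_response(SAMPLE_EVENTS))
```

The `winevent` rule matters because the article notes that Payload blinds ETW in-process; the log-clear audit records are written by the Event Log service when a channel is emptied, so they give a second signal if the process-creation telemetry for the wiping command was lost.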
