Payload Ransomware Encrypts Windows Files with ChaCha20
A dangerous new ransomware strain, dubbed Payload, has quietly amassed a global victim list since its emergence in February 2026.
The group launched its leak site with a high-profile target and has since expanded operations across Egypt, Mexico, Poland, and beyond. What makes this threat stand out is not just its reach, but the technical sophistication behind how it locks down victim files.
Payload ransomware targets Windows systems and appends the “.payload” extension to every file it encrypts. Victims are greeted with a ransom note called RECOVER_payload.txt and given 240 hours to begin negotiations.
By March 24, 2026, the group had already listed 50 victims on its leak site, ranging from real estate firms and logistics companies to manufacturers and technology providers.
The group appears to focus on industries where downtime creates immediate financial pressure. Logistics and transportation firms sit high on its target list, as do construction and real estate companies in the MENA region.
Dark Atlas said in a report shared with Cyber Security News (CSN) that they conducted an in-depth technical analysis and found the group to be technically mature, with a well-designed encryption engine and aggressive steps taken to prevent detection.
The malware carries a mutex named “MakeAmericaGreatAgain,” which prevents multiple instances from running on the same machine.

Before encryption begins, it deletes Windows shadow copies, patches event-tracing functions in memory, clears Windows Event Logs, and terminates dozens of database, backup, and office processes. These steps leave victims with very little to fall back on.
Organizations should monitor for RECOVER_payload.txt, the .payload file extension, and the log file written to ??C:payload.log. Security teams should also watch for sudden termination of backup and database services, as this often signals active ransomware deployment.
Maintaining offline backups and protecting shadow copy services at the infrastructure level are critical steps in limiting the damage this threat can cause.
Payload Ransomware Uses ChaCha20 and Curve25519 ECDH
Payload ransomware uses a per-file encryption approach that makes recovery without the operator’s private key essentially impossible. For each file, the malware generates a fresh 32-byte private key and a 12-byte nonce using Windows’ own CryptGenRandom function.
It then runs a Curve25519 ECDH operation, combining the victim's temporary private key with the operator's embedded public key to produce a shared secret that is used directly as the ChaCha20 key.

Files are encrypted in one-megabyte chunks, and a 56-byte footer is written to the end of every file when the process completes.
This footer holds the victim’s temporary public key and the nonce, wrapped in RC4 encryption using the three-byte key “FBI”. The operator can use their private key to recover any file, but victims on their own have no path to decryption.
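As an added illustration, not code from the report or from the malware itself: a small Python triage helper that strips the RC4 layer from a file's trailing 56 bytes with the key named above and returns the per-file public key and nonce. It shows why the RC4 wrapping is obfuscation rather than protection, and why the recovered fields still do not yield the ChaCha20 key. The field offsets inside the footer are an assumption; the report gives only the total length and the two fields it holds.

```python
# Added triage helper (not from the report). Assumed footer layout:
# RC4(key=b"FBI") over [32-byte ephemeral X25519 pubkey | 12-byte ChaCha20
# nonce | 12 undocumented bytes]; the report states only the 56-byte total.
FOOTER_LEN = 56
RC4_KEY = b"FBI"
PUBKEY_LEN, NONCE_LEN = 32, 12


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_payload_footer(encrypted_file: bytes) -> dict:
    """Decode the trailing footer of a .payload file.

    Returns the per-file X25519 public key and ChaCha20 nonce. These alone do
    not enable decryption: the ChaCha20 key is the X25519 shared secret, which
    can only be recomputed with the operator's private key. Recording them per
    file is still useful for case tracking should that key ever surface.
    """
    if len(encrypted_file) < FOOTER_LEN:
        raise ValueError("input shorter than the 56-byte footer")
    plain = rc4(RC4_KEY, encrypted_file[-FOOTER_LEN:])
    return {
        "ephemeral_pubkey": plain[:PUBKEY_LEN],
        "nonce": plain[PUBKEY_LEN:PUBKEY_LEN + NONCE_LEN],
        "trailer": plain[PUBKEY_LEN + NONCE_LEN:],   # undocumented bytes
        "ciphertext_len": len(encrypted_file) - FOOTER_LEN,
    }


def build_footer(pubkey: bytes, nonce: bytes, trailer: bytes = b"\0" * 12) -> bytes:
    """Constructed footer for exercising the parser against the assumed layout."""
    assert len(pubkey) == PUBKEY_LEN and len(nonce) == NONCE_LEN and len(trailer) == 12
    return rc4(RC4_KEY, pubkey + nonce + trailer)
```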
The ransomware supports three speed modes, automatically choosing between AVX2, SSE2, and a standard scalar path based on the victim’s processor. It also uses direct Windows NT API calls rather than standard user-mode functions, helping it bypass security tools that monitor higher-level activity.
Anti-Forensics Behavior and Evasion Techniques
One of the most alarming aspects of Payload ransomware is how aggressively it erases its own tracks. When the bypass-etw flag is active, the malware patches four key event-tracing functions inside Windows’ ntdll library, silencing the system’s ability to log what the ransomware is doing.
Combined with the deletion of all shadow copies before encryption begins, defenders are left with very little forensic evidence after an attack.

The ransomware loads the Windows event log API at runtime and clears every available channel, including Application, System, and Security logs.
It terminates over 30 processes and stops more than 40 services before locking files, targeting everything from SQL databases to Veeam and Acronis backup solutions. Once those protections are removed, encryption runs without interference.
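The pre-encryption steps above (shadow copy deletion, event log clearing, and the mass stop of backup and database services) are the observable signals the monitoring advice earlier in the article points to. The following is an added detection sketch, not code from the report: it runs over a constructed set of simplified Windows events and flags those three behaviours, including a burst of service stops within a short window. The event record fields and the burst threshold are this example's own assumptions.

```python
# Added detection sketch, not code from the report. Events are a constructed,
# simplified form of Windows logs (field names are this example's convention);
# the event IDs are the real Windows ones: 4688 process creation, 1102 and
# 104 log cleared, 7036 service entered a new state.
BACKUP_DB_KEYWORDS = ("sql", "veeam", "acronis", "backup")
STOP_BURST_MIN = 5      # assumed threshold: this many matching stops ...
STOP_BURST_WINDOW = 60  # ... within 60 seconds is reported as a burst


def detect_payload_precursors(events):
    """Return (timestamp, rule, detail) alerts for the pre-encryption steps:
    shadow-copy deletion, log clearing, and a burst of backup/database
    service stops."""
    alerts, stops = [], []
    for e in events:
        eid, ts = e["id"], e["ts"]
        if eid == 4688:
            cmd = e.get("cmdline", "").lower()
            if "vssadmin" in cmd and "delete shadows" in cmd:
                alerts.append((ts, "shadow copy deletion", cmd))
        elif eid in (1102, 104):
            alerts.append((ts, "event log cleared", e.get("channel", "")))
        elif eid == 7036 and e.get("state") == "stopped":
            name = e.get("service", "").lower()
            if any(k in name for k in BACKUP_DB_KEYWORDS):
                stops.append((ts, name))
    stops.sort()
    for i, (t0, _) in enumerate(stops):
        burst = [n for t, n in stops[i:] if t - t0 <= STOP_BURST_WINDOW]
        if len(burst) >= STOP_BURST_MIN:
            alerts.append((t0, "backup/database service stop burst", ", ".join(burst)))
            break
    return sorted(alerts)


# Constructed sample: a few seconds of a host under attack.
SAMPLE_EVENTS = [
    {"id": 4688, "ts": 100, "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"id": 7036, "ts": 101, "service": "MSSQLSERVER", "state": "stopped"},
    {"id": 7036, "ts": 102, "service": "VeeamBackupSvc", "state": "stopped"},
    {"id": 7036, "ts": 102, "service": "AcronisAgent", "state": "stopped"},
    {"id": 7036, "ts": 103, "service": "SQLWriter", "state": "stopped"},
    {"id": 7036, "ts": 104, "service": "SQLBrowser", "state": "stopped"},
    {"id": 7036, "ts": 105, "service": "Spooler", "state": "stopped"},  # unrelated, ignored
    {"id": 1102, "ts": 110, "channel": "Security"},
    {"id": 104, "ts": 110, "channel": "System"},
]
```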
Payload should be tracked as an emerging ransomware operation with international ambitions. The report noted that monitoring its leak site, victim patterns, and future code changes will be essential as the group continues to grow.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| MD5 | E0FD8FF6D39E4C11BDAF860C35FD8DC0 | Payload ransomware sample hash |
| SHA1 | DDE1B933AAD33C5D96C2E45AD46434A200DC46A6 | Payload ransomware sample hash |
| SHA256 | 1CA67AF90400EE6CBBD42175293274A0F5DC05315096CB2E214E4BFE12FFB71F | Payload ransomware sample hash |
| Mutex | MakeAmericaGreatAgain | Ransomware single-instance mutex |
| File Extension | .payload | Extension appended to encrypted files |
| File Name | RECOVER_payload.txt | Ransom note dropped in affected directories |
| Recovery Label | g:payload | Key-handoff label written to recovery.ini |
| Log File Path | ??C:payload.log | Operator activity log written during execution |
| VSS Deletion Command | /c vssadmin.exe delete shadows /all /quiet | Shadow copy destruction command |
| Tor Leak Site | payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion | Payload ransomware group’s victim blog |
| Tor Negotiation Portal | payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion | Ransom negotiation portal |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.