Payload Ransomware - New Threat Uses Babuk-Style Encryption
Basically, a new ransomware called Payload locks files and demands money to unlock them.
A new ransomware called Payload is hitting organizations across several sectors. It targets mid-to-large organizations, stealing and then encrypting critical data. Because it also blinds detection tooling and uses strong encryption, the risk of permanent data loss is significant, and organizations should act now to protect themselves.
What Happened
A new ransomware strain named Payload has emerged, posing a significant threat to various organizations. It utilizes strong encryption techniques and advanced anti-forensic capabilities, making it particularly dangerous. The group behind Payload has been active since February 17, 2026, the same day its Windows binary was compiled. Within hours of its launch, the first victim appeared on its dark web leak site.
Since then, Payload has claimed 12 victims across seven countries, with a total of 2,603 gigabytes of allegedly stolen data. Target sectors include healthcare, real estate, energy, telecommunications, and agriculture, primarily in emerging markets. Payload operates on a double-extortion model, stealing data before encrypting files and threatening to publish that data unless a ransom is paid.
Who's Being Targeted
Payload primarily targets mid-to-large organizations. Its recent breach of the Royal Bahrain Hospital highlights its capabilities, with the group claiming 110 GB of stolen data and setting a deadline for ransom payment. Victims are directed to a Tor-based negotiation portal, where they receive unique credentials for discussions. Stolen files are posted on a separate Tor leak blog with a countdown timer, increasing pressure on victims to comply.
The targeted sectors are particularly vulnerable due to the critical nature of their operations. With healthcare and energy sectors often under-resourced in cybersecurity, the impact of such attacks can be devastating.
Signs of Infection
Payload employs several techniques that make detection harder, but it still leaves observable traces. At startup it creates a mutex named MakeAmericaGreatAgain to prevent multiple instances from running simultaneously; the presence of that mutex on a host is a clear indicator of compromise. Encrypted files receive the extension .payload, which is a simple indicator that can be checked on file servers and endpoints.
Additionally, Payload modifies four Event Tracing for Windows (ETW) functions to blind detection tools that rely on ETW telemetry, making it difficult for security teams to identify its presence through that channel alone. Organizations should alert on any process invoking vssadmin to delete volume shadow copies, since removing local restore points is a typical step before encryption and can indicate an attack in progress.
How to Protect Yourself
To defend against Payload, organizations should maintain immutable offline backups and regularly test that they can be restored. Relying solely on ETW-based monitoring is insufficient, given Payload's ability to disable it, so detection should also draw on telemetry that does not depend on ETW. Security teams should alert on suspicious activity, especially event log wipes, which often accompany the ransomware's anti-forensic steps.
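As an added illustration of the indicators described above, the following Python triage script (written for this page, not part of the original report or any vendor tooling) scans endpoint event records for the signs the article names: vssadmin shadow-copy deletion, the .payload extension, the MakeAmericaGreatAgain mutex, and event log wipes. The event records, the host names, the wevtutil pattern and the Windows "log cleared" event IDs 1102 and 104 are assumptions added here; the records are constructed samples, not real telemetry. Hosts showing two or more distinct indicator types are escalated, which separates an isolated administrative action from a probable active encryption run.

```python
"""Triage constructed endpoint events for Payload ransomware indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators reported in the article.
PAYLOAD_MUTEX = "MakeAmericaGreatAgain"
PAYLOAD_EXT = ".payload"

# vssadmin shadow-copy deletion is named in the article. The wevtutil pattern
# and event IDs 1102 (Security log cleared) / 104 (System log cleared) are
# added here as common log-wipe indicators; they are assumptions, not from
# the article.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b", re.I)
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str
    detail: str


def check_event(ev):
    """Return a Finding for one event record, or None if nothing matches."""
    host = ev["host"]
    kind = ev["kind"]
    if kind == "process":
        cmd = ev.get("command_line", "")
        if SHADOW_DELETE_RE.search(cmd):
            return Finding(host, "shadow_copy_deletion", cmd)
        if LOG_CLEAR_RE.search(cmd):
            return Finding(host, "event_log_cleared", cmd)
    elif kind == "file":
        path = ev.get("path", "")
        if path.lower().endswith(PAYLOAD_EXT):
            return Finding(host, "payload_extension", path)
    elif kind == "mutex":
        if ev.get("name") == PAYLOAD_MUTEX:
            return Finding(host, "payload_mutex", ev["name"])
    elif kind == "eventlog":
        if ev.get("event_id") in LOG_CLEARED_EVENT_IDS:
            detail = f"event_id={ev['event_id']} channel={ev.get('channel')}"
            return Finding(host, "event_log_cleared", detail)
    return None


def triage(events):
    """Return (findings, hosts_to_escalate).

    A host is escalated when it shows two or more distinct indicator types,
    which is far more likely to be an active ransomware run than a single
    administrative command.
    """
    findings = [f for f in (check_event(e) for e in events) if f]
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.indicator)
    escalate = sorted(h for h, inds in per_host.items() if len(inds) >= 2)
    return findings, escalate


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-17", "kind": "process",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-17", "kind": "mutex", "name": "MakeAmericaGreatAgain"},
    {"host": "ws-17", "kind": "file", "path": r"C:\Finance\Q1.xlsx.payload"},
    {"host": "srv-db01", "kind": "eventlog", "event_id": 1102, "channel": "Security"},
    {"host": "srv-db01", "kind": "process", "command_line": "wevtutil cl System"},
    {"host": "ws-04", "kind": "process", "command_line": "vssadmin list shadows"},
    {"host": "ws-04", "kind": "file", "path": r"C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    found, esc = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:10} {f.indicator:22} {f.detail}")
    print("escalate:", esc)
```

In the sample run, ws-17 shows three distinct indicators and is escalated, srv-db01 shows only log clearing (two records of the same indicator type) and is reported but not escalated, and the benign "vssadmin list shadows" query on ws-04 produces no finding at all. Because none of these checks depends on ETW, they continue to work after the ransomware has patched the ETW functions.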
The ransomware's encryption scheme is also robust. It combines a Curve25519 elliptic-curve key exchange with the ChaCha20 stream cipher, so the keys used to encrypt files cannot be recovered without the operator's private key, making file recovery without that key virtually impossible. Analysts found no cryptographic weaknesses, which is why proactive measures, above all tested offline backups, remain the only reliable mitigation for this threat.
Cyber Security News