
Payload Ransomware Deploys ChaCha20 + Curve25519 ECDH to Lock Files — 50+ Victims Across Five Countries

dark6 26 May 2026

A new ransomware operation called Payload has emerged as a serious global threat, combining per-file public-key-derived encryption with aggressive anti-forensics techniques that leave victims with almost no recovery options short of the operator's private key. Active since February 2026, the group has already listed more than 50 victims on its dedicated leak site, targeting industries where downtime creates immediate financial pressure.

Global Reach and Target Profile

The Payload ransomware group has expanded operations across multiple continents, with confirmed victims in Egypt, Mexico, Poland, and beyond. The group deliberately targets sectors where business interruption is most costly: logistics and transportation firms, construction and real estate companies, manufacturers, and technology providers. This strategy maximizes pressure on victims to pay quickly.

Victims are presented with a ransom note called RECOVER_payload.txt and given a 240-hour window to begin negotiations through a Tor-hosted negotiation portal. By March 24, 2026, the leak site had already grown to 50 listed victims — a sign of rapid operational scaling.

ChaCha20 and Curve25519 ECDH: A Near-Unbreakable Encryption Engine

What sets Payload apart technically is the design of its encryption scheme. For every file it processes, the malware generates a fresh 32-byte Curve25519 private key and a 12-byte ChaCha20 nonce using the Windows CryptGenRandom function. It then performs a Curve25519 Elliptic Curve Diffie-Hellman (ECDH) key exchange between that per-file ephemeral private key and the operator's public key embedded in the binary, and uses the resulting shared secret directly, with no key-derivation step, as the ChaCha20 encryption key for that file.

Files are encrypted in one-megabyte chunks, and a 56-byte footer is appended to each encrypted file. The footer carries the per-file ephemeral public key and the nonce, obfuscated with RC4 under the fixed three-byte key "FBI". Because that RC4 key is hard-coded, the footer offers no secrecy: an analyst can recover the ephemeral public key and nonce from any encrypted file, but without the operator's Curve25519 private key those values do not yield the shared secret, so decryption remains computationally infeasible. Per-file key generation also means that no symmetric master key ever exists on the victim machine to be recovered; the only key that unlocks every file is the operator's private key, which never leaves the attacker.
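The following Python models the per-file scheme described above end to end: an ephemeral X25519 key and nonce per file, ECDH against the operator's embedded public key, the shared secret used unchanged as the ChaCha20 key, and a footer holding the ephemeral public key and nonce under RC4 with the key "FBI". It is an added example written for this page, not code from the malware or from the Dark Atlas analysis, and it uses only the standard library. Assumptions: the footer is modelled as the 44 bytes the article describes (32-byte key plus 12-byte nonce) rather than the full 56 bytes, since the article does not give the remaining layout; the ChaCha20 block counter is assumed to continue across the one-megabyte chunks; os.urandom stands in for CryptGenRandom. The X25519 and ChaCha20 routines are textbook RFC 7748 and RFC 8439 implementations and are not constant-time.

```python
"""Model of the per-file scheme reported for Payload: X25519 ECDH -> ChaCha20, footer under RC4("FBI").
Standard library only, for illustration; not the malware's code. Assumptions are marked inline."""
import os
import struct

P = 2**255 - 19                      # Curve25519 field prime
M32 = 0xFFFFFFFF
BASEPOINT = (9).to_bytes(32, "little")
FOOTER_KEY = b"FBI"                  # hard-coded RC4 key reported for the footer
FOOTER_LEN = 44                      # only the described fields: 32-byte public key + 12-byte nonce (article: 56 total)
CHUNK = 1024 * 1024                  # one-megabyte encryption chunks

def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (not constant-time)."""
    k = (int.from_bytes(scalar, "little") & ~7) & ((1 << 254) - 1) | (1 << 254)  # clamp
    u = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _rotl(v: int, n: int) -> int: return ((v << n) | (v >> (32 - n))) & M32

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 block function: 32-byte key, 32-bit block counter, 12-byte nonce."""
    init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
            *struct.unpack("<8I", key), counter & M32, *struct.unpack("<3I", nonce)]
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column, then diagonal)
        _quarter(s, 0, 4, 8, 12); _quarter(s, 1, 5, 9, 13)
        _quarter(s, 2, 6, 10, 14); _quarter(s, 3, 7, 11, 15)
        _quarter(s, 0, 5, 10, 15); _quarter(s, 1, 6, 11, 12)
        _quarter(s, 2, 7, 8, 13); _quarter(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & M32 for x, y in zip(s, init)))

def chacha20(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    out = bytearray()  # XOR data with the keystream starting at block `counter`
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). With a fixed, public key it is obfuscation, not encryption."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF; j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Attacker side: fresh key and nonce per file, ECDH with the embedded operator key."""
    eph_priv, nonce = os.urandom(32), os.urandom(12)   # os.urandom stands in for CryptGenRandom
    eph_pub = x25519(eph_priv, BASEPOINT)
    shared = x25519(eph_priv, operator_pub)             # used as-is as the ChaCha20 key (no KDF)
    # Block counter continues across chunks (assumption); restarting it would reuse keystream.
    body = b"".join(chacha20(shared, nonce, plaintext[i:i + CHUNK], i // 64) for i in range(0, len(plaintext), CHUNK))
    return body + rc4(FOOTER_KEY, eph_pub + nonce)

def parse_footer(blob: bytes) -> tuple:
    """Defender side: anyone can strip the RC4 layer, but this yields no decryption key."""
    clear = rc4(FOOTER_KEY, blob[-FOOTER_LEN:])
    return clear[:32], clear[32:]

def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Only the holder of the operator private key can recompute the shared secret."""
    eph_pub, nonce = parse_footer(blob)
    shared = x25519(operator_priv, eph_pub)
    body = blob[:-FOOTER_LEN]
    return b"".join(chacha20(shared, nonce, body[i:i + CHUNK], i // 64) for i in range(0, len(body), CHUNK))

def demo() -> bool:
    op_priv = os.urandom(32)                            # stays with the operator
    op_pub = x25519(op_priv, BASEPOINT)                 # this is what the binary embeds
    sample = b"Q1 invoices, constructed sample data\n" * 1000
    blob = encrypt_file(sample, op_pub)
    return len(parse_footer(blob)[0]) == 32 and decrypt_file(blob, op_priv) == sample
```

parse_footer is the defender-relevant piece: stripping the RC4 layer is enough to confirm the family and pull the per-file public key and nonce for reporting, but decrypt_file needs operator_priv, which the victim machine never holds. The demo also makes the chunking point concrete: the keystream counter must advance across chunks, because restarting it per chunk would reuse keystream under the same key and nonce.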

The ransomware auto-detects CPU capabilities (AVX2, SSE2, or plain scalar code) and selects the fastest available encryption path. It also calls the native NT API exported by ntdll.dll directly rather than the Win32 wrappers in kernel32.dll and related libraries, sidestepping security tools that hook or monitor only those higher-level functions.

Anti-Forensics and Defense Evasion

Before a single file is encrypted, Payload ransomware systematically destroys the forensic evidence defenders would rely on during an investigation:

  • Shadow copy deletion: All Windows Volume Shadow Copies are deleted via vssadmin.exe, eliminating the most common recovery path.
  • ETW patching: When the bypass-etw flag is active, the malware patches four key event-tracing functions inside ntdll.dll, blinding Windows logging during the attack.
  • Event log clearing: All Windows Event Log channels including Application, System, and Security are cleared at runtime.
  • Process and service termination: Over 30 processes and more than 40 services are killed before encryption begins, including SQL database engines and the Veeam and Acronis backup services, so that locked database files and running backup jobs cannot interfere with encryption.

The malware also uses a mutex named MakeAmericaGreatAgain to prevent multiple concurrent instances running on the same machine.

Indicators of Compromise

Security teams should monitor for the following indicators associated with Payload ransomware:

  • File extension: .payload appended to encrypted files
  • Ransom note filename: RECOVER_payload.txt
  • Log file path: C:\payload.log
  • Mutex: MakeAmericaGreatAgain
  • SHA256 hash: 1CA67AF90400EE6CBBD42175293274A0F5DC05315096CB2E214E4BFE12FFB71F
  • Tor leak site: payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion

Defensive Recommendations

Organizations should take immediate steps to reduce exposure to this threat:

  • Maintain offline, immutable backups that cannot be reached by ransomware running on network-connected systems.
  • Protect VSS and shadow copy infrastructure at the hypervisor or storage level, not just the OS level.
  • Deploy EDR solutions that monitor for NT-layer API calls and unusual process termination patterns.
  • Segment backup and database servers from general corporate networks.
  • Monitor for sudden clearing of Windows Event Logs, which is a strong indicator of active compromise.
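The anti-forensics sequence described above (shadow copy deletion, log clearing, backup and database service termination, then the ransom note) and the monitoring recommendations in this list both come down to one detection: several of these behaviours clustering on one host in a short window. The Python below is an added example written for this page, not the analysts' own detection content. It runs over constructed Windows event records with assumed generic field names (host, time, event_id, command_line, service, state, target_file); the log sources assumed are Security 4688 process creation, Security 1102 and System 104 log-cleared events, System 7036 service state changes, and Sysmon event 11 file creation. The vssadmin and wevtutil command lines are assumed forms, not command lines taken from the article.

```python
"""Correlate Payload-style pre-encryption behaviours in Windows event records.
Field names are an assumed generic SIEM export; sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
BACKUP_OR_DB = ("veeam", "acronis", "mssql", "sqlserver")   # service-name fragments (assumption)

def _cmd(e):
    return e.get("command_line", "")

# Behaviour names are this example's own labels. Assumed sources: Security 4688,
# Security 1102 / System 104 (log cleared), System 7036 (service state), Sysmon 11 (file create).
RULES = {
    "shadow_copy_deletion": lambda e: e["event_id"] == 4688
        and bool(re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", _cmd(e), re.I)),
    "event_log_cleared": lambda e: e["event_id"] in (1102, 104)
        or bool(re.search(r"wevtutil(\.exe)?\s+cl\b", _cmd(e), re.I)),
    "backup_or_db_service_stopped": lambda e: e["event_id"] == 7036
        and e.get("state") == "stopped"
        and any(k in e.get("service", "").lower() for k in BACKUP_OR_DB),
    "payload_artifact_written": lambda e: e["event_id"] == 11
        and (e.get("target_file", "").lower().endswith("recover_payload.txt")
             or e.get("target_file", "").lower() == r"c:\payload.log"),
}

def correlate(events, min_behaviours=2):
    """Return {host: [behaviours]} for hosts showing >= min_behaviours distinct
    behaviours inside one WINDOW. A lone vssadmin run or log clear by an
    administrator does not alert; the clustering described above does."""
    hits = defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["time"])
        hits[e["host"]].extend((t, name) for name, match in RULES.items() if match(e))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            names = {n for t, n in seq[i:] if t - t0 <= WINDOW}
            if len(names) >= min_behaviours:
                alerts[host] = sorted(names)
                break
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "time": "2026-03-20T09:00:12", "event_id": 4688,
     "command_line": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-FIN-07", "time": "2026-03-20T09:00:20", "event_id": 7036,
     "service": "VeeamBackupSvc", "state": "stopped"},
    {"host": "WS-FIN-07", "time": "2026-03-20T09:01:05", "event_id": 1102},
    {"host": "WS-FIN-07", "time": "2026-03-20T09:03:40", "event_id": 11,
     "target_file": r"C:\Users\jdoe\Documents\RECOVER_payload.txt"},
    # Lone administrator action: one behaviour, no alert.
    {"host": "SRV-BKP-01", "time": "2026-03-20T14:00:00", "event_id": 4688,
     "command_line": "wevtutil.exe cl Application"},
    # Two behaviours, but hours apart: outside the window, no alert.
    {"host": "WS-HR-02", "time": "2026-03-20T08:00:00", "event_id": 4688,
     "command_line": "vssadmin delete shadows /all"},
    {"host": "WS-HR-02", "time": "2026-03-20T10:30:00", "event_id": 104},
]

def run_sample():
    return correlate(SAMPLE_EVENTS)
```

The window and the two-behaviour threshold are tuning knobs: a backup administrator deleting old shadow copies is routine, but shadow deletion followed within minutes by a cleared Security log or a stopped Veeam service on a workstation is not. Treat a hit as an active-compromise signal and isolate the host before encryption completes, since every behaviour in the rule set is reported to happen before the first file is encrypted.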

Dark Atlas, which conducted the in-depth technical analysis shared with Cyber Security News, notes that the Payload group should be tracked as an emerging ransomware operation with growing international ambitions. Its technically mature encryption engine and aggressive evasion capabilities make it a credible threat to organizations of all sizes.
