A dangerous new ransomware strain called Payload has been quietly building a global victim list since it first appeared in February 2026. <\/p>\n
The group launched its leak site with a high-profile target and has since expanded operations across Egypt, Mexico, Poland, and beyond. What makes this threat stand out is not just its reach, but the technical sophistication behind how it locks down victim files.<\/a><\/p>\n Payload ransomware targets Windows systems and appends the \u201c.payload\u201d extension to every file it encrypts. Victims are greeted with a ransom note called RECOVER_payload.txt and given 240 hours to begin negotiations. <\/p>\n By March 24, 2026, the group had already listed 50 victims on its leak site, ranging from real estate firms and logistics companies to manufacturers and technology providers.<\/a><\/p>\n The group appears to focus on industries where downtime creates immediate financial pressure. Logistics and transportation firms sit high on its target list, as do construction and real estate companies in the MENA region. <\/p>\n Dark Atlas\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that they conducted an in-depth technical analysis and found the group to be technically mature, with a well-designed encryption engine and aggressive steps taken to prevent detection.<\/a><\/p>\n The malware carries a mutex named \u201cMakeAmericaGreatAgain,\u201d which prevents multiple instances from running on the same machine. <\/p>\n Before encryption begins, it deletes Windows shadow copies, patches event-tracing functions in memory, clears Windows Event Logs, and terminates dozens of database, backup, and office processes. These steps leave victims with very little to fall back on.<\/a><\/p>\n Organizations should monitor for RECOVER_payload.txt, the .payload file extension, and the log file written to ??C:payload.log. S<\/a>ecurity teams should also watch for sudden termination of backup<\/a> and database services, as this often signals active ransomware deployment. <\/p>\n Maintaining offline backups and protecting shadow copy services at the infrastructure level are critical steps in limiting the damage this threat can cause.<\/a><\/p>\n Payload ransomware uses a per-file encryption approach that makes recovery without the operator\u2019s private key essentially impossible. For each file, the malware generates a fresh 32-byte private key and a 12-byte nonce using Windows\u2019 own CryptGenRandom function. <\/p>\n It then runs a Curve25519 ECDH operation, combining the victim\u2019s temporary key with the operator\u2019s embedded public key to produce a shared secret used directly as the ChaCha20 key.<\/p>\n Files are encrypted in one-megabyte chunks, and a 56-byte footer is written to the end of every file when the process completes. <\/p>\n This footer holds the victim\u2019s temporary public key and the nonce, wrapped in RC4 encryption using the three-byte key \u201cFBI\u201d. The operator can use their private key to recover any file, but victims on their own have no path to decryption.<\/a><\/p>\n The ransomware supports three speed modes, automatically choosing between AVX2, SSE2, and a standard scalar path based on the victim\u2019s processor. It also uses direct Windows NT API calls rather than standard user-mode functions, helping it bypass security tools that monitor higher-level activity<\/a>.<\/a><\/p>\n One of the most alarming aspects of Payload ransomware is how aggressively it erases its own tracks. When the bypass-etw flag is active, the malware patches four key event-tracing functions<\/a> inside Windows\u2019 ntdll library, silencing the system\u2019s ability to log what the ransomware is doing.<\/p>\n Combined with the deletion of all shadow copies before encryption begins, defenders are left with very little forensic evidence after an attack.<\/p>\n The ransomware loads the Windows event log API at runtime and clears every available channel, including Application, System, and Security logs. <\/p>\n It terminates over 30 processes and stops more than 40 services before locking files, targeting everything from SQL databases to Veeam and Acronis backup solutions. Once those protections are removed, encryption runs without interference.<\/a><\/p>\n The Payload should be tracked as an emerging ransomware operation with international ambitions. The report noted that monitoring its leak site, victim patterns, and future code changes will be essential as the group continues to grow.<\/a><\/p>\n Indicators of Compromise (IoCs):-<\/strong><\/p>\n![\"Victims](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg-DqSYFTW0EcClVvn5KKjKmB7XPHl-3sUNfpid-GMI0ZHOIpplJS1cYoACSiGRJ2VcD2MEZ2NWgbheNlFNICAPsttWWYIfkwBBIZn-JWz2DgXd6N3vloiQgcKJaLgYxhboFkTYhDTM0pd_oCuE7i_jKJG79vMgwOGcrDoepXsmsyQPMGjSvM8XMgeOQxI\/s16000\/Victims%2520by%2520country%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")
Payload Ransomware Uses ChaCha20 and Curve25519 ECDH<\/strong><\/h2>\n
![\"Mutex](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgJiBNjGsracwPgv1CQtWTDrEK8Jjw-rbRbPCAhMkbLvyXPLxQ5Hqe3WjZtcCYWIxVJuF8heOQCkPt-7WSce9otbxzMWQkok1MNS4w16GZ3bb0pI6eqwcNvag58c_b4u9K67O8RrQJ82rTDvlAlkIDHCNNZkqN-zRGx5trgbZPgAiZKX6IVuyE3p_gatYI\/s16000\/Mutex%2520and%2520Single-Instance%2520Check%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")
Anti-Forensics Behavior and Evasion Techniques<\/strong><\/h2>\n
![\"Per-File](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3beUzYd-HIrSaV8b7XZ47M449cD8tO3qKxU0C-9t-1I8mN_QT5qKmAwcq7yFeAsndM9Z2i2YPP8yJ5ogLdAwzhx2wpdiOjNP2aqbfVAfm2Y1DBEbfRyI4_xKYpr55eVJ-gcDLW99cMSW8KH6q5reB0piZZBQdZaN6z9HUdu256jVZb5t2cQefZbvAox4\/s16000\/Per-File%2520Key-Handoff%2520Design%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")