A new ransomware operation called Payload is targeting enterprise environments, using encryption techniques similar to those in the leaked Babuk ransomware source code. The group has been active since at least February 17, 2026, and has already listed multiple victims on its Tor leak site.
On March 15, the attackers claimed responsibility for a breach at Royal Bahrain Hospital. They published a notice stating that 110 GB of stolen data would be released unless a ransom is paid by March 23. The hospital is one of 12 organizations listed on the leak portal.
Across these victims, the group claims to have exfiltrated more than 2.6 TB of data from organizations in seven countries.
The affected organizations span sectors such as healthcare, telecom, energy, real estate, and agriculture, with most victims in emerging markets.
The group runs a typical double-extortion model: attackers steal data, encrypt systems, and threaten to publish it if the ransom is not paid.
Babuk-Style Encryption and Secure Key Handling
Researchers who analyzed Payload fully reverse-engineered its Windows binary. The malware uses Curve25519 key exchange combined with ChaCha20 to encrypt files.
According to the analysis, each file receives a unique encryption key generated using random data.
The malware generates a per-file Curve25519 key pair and calculates a shared secret using the attacker’s public key.
That secret is then used directly as the ChaCha20 encryption key. Files larger than 2 GB are only partially encrypted to speed up the attack process.
Cross-Platform Ransomware Targeting Servers
Payload ships separate binaries for Windows and for Linux/ESXi environments, enabling it to target enterprise servers and virtualization platforms.
The Windows variant, compiled on February 17, 2026, is about 395 KB and contains extensive anti-forensics features.
These include wiping Windows event logs, patching ETW tracing functions to evade security monitoring, deleting shadow copies, and killing services related to backups or security tools.
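The three anti-forensics behaviours that leave command-line traces (shadow copy deletion, event log clearing, backup/security service termination) can be correlated per host from process-creation telemetry. The following is an added detection sketch, not code from the article or from the malware; the sample events, host names and service names are constructed, and the regexes are assumptions about the command lines such tooling produces.

```python
"""Correlate anti-forensics command lines per host (added example, not the article's code)."""
import re
from typing import Iterable

# Each rule: (category, pattern over the process command line).
# ETW patching is an in-memory modification and leaves no command line;
# it needs EDR/memory-integrity telemetry and is out of scope here.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("event_log_clear", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("service_kill", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(backup|veeam|sql|defend)", re.I)),
    ("service_kill", re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S*(backup|veeam|sql)", re.I)),
]

# Constructed process-creation records (hypothetical hosts and commands).
SAMPLE_EVENTS = [
    {"host": "srv01", "pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv01", "pid": 4121, "cmdline": "wevtutil.exe cl Security"},
    {"host": "srv01", "pid": 4122, "cmdline": "net stop VeeamBackupSvc /y"},
    {"host": "ws07", "pid": 912, "cmdline": "net stop Spooler"},
    {"host": "ws07", "pid": 913, "cmdline": "notepad.exe readme.txt"},
]


def match_event(cmdline: str) -> set[str]:
    """Return the rule categories whose pattern matches this command line."""
    return {cat for cat, rx in RULES if rx.search(cmdline)}


def detect(events: Iterable[dict]) -> list[dict]:
    """One hit per (event, category); useful as the raw alert stream."""
    hits = []
    for ev in events:
        for cat in sorted(match_event(ev["cmdline"])):
            hits.append({"host": ev["host"], "pid": ev["pid"], "category": cat, "cmdline": ev["cmdline"]})
    return hits


def flag_hosts(events: Iterable[dict], min_categories: int = 2) -> dict[str, set[str]]:
    """Hosts where at least `min_categories` distinct categories fired.
    A lone 'net stop' is routine admin noise; the combination of log
    wiping, shadow deletion and service kills is the pre-encryption pattern."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(match_event(ev["cmdline"]))
    return {h: cats for h, cats in per_host.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for host, cats in flag_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(cats))
```

Pair the command-line rules with Security event ID 1102 (audit log cleared) so that log wiping is still caught when the clearing is done through an API rather than wevtutil.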
| Feature | Payload Windows Variant | Payload Linux and ESXi Variant |
|---|---|---|
| Target environment | Microsoft Windows, compiled with MSVC | Linux and VMware ESXi hypervisors |
| Binary size | Approximately 395 KB, due to static linking of the concurrency runtime | Around 40 KB, a dynamically linked and fully stripped ELF binary |
The Linux version, at only 40 KB, focuses mainly on VMware ESXi environments. It scans VMware configuration files to locate virtual machine disk images and encrypts them directly.
Victims receive a ransom note directing them to a Tor negotiation portal, where payments are arranged. The attackers allow victims to decrypt up to three small files for free as proof that they control the decryption keys.