Payload Ransomware Targets Global Organizations with ChaCha20 Encryption

Payload Ransomware Targets Global Organizations with ChaCha20 Encryption

First seen 26 May 2026, 18:29 UTC CybersecuritynewsSocprime 86% similarity 72.5

Article Content

Browse articles
ThreatCluster

Payload ransomware, first identified in February 2026, has rapidly expanded its operations, targeting logistics, real estate, and manufacturing sectors worldwide. The malware employs ChaCha20 encryption and Curve25519 ECDH for file encryption, appending the .payload extension to affected files. Its anti-forensic techniques include deleting VSS shadow copies and clearing event logs, making recovery difficult. The group operates via Tor for ransom negotiations and data leaks, with notable activity reported in Egypt, Mexico, and Poland. Defenders are advised to monitor for specific indicators such as the MakeAmericaGreatAgain mutex and the RECOVER_payload.txt ransom note. Immediate isolation of affected hosts and preservation of logs are critical for incident response. The ransomware's sophisticated methods pose a significant threat to organizations that fail to implement robust cybersecurity measures.

Key Points: • Payload ransomware uses ChaCha20 and Curve25519 for file encryption. • The malware employs aggressive anti-forensic techniques to hinder recovery efforts. • Organizations in logistics, real estate, and manufacturing are primary targets.

ThreatCluster AI

Timeline

2026-02-01
Payload ransomware first detected
Payload ransomware was first identified in February 2026, quickly gaining traction across various sectors.
Socprime
2026-05-26
Ransomware expands global victim list
Payload ransomware has been linked to victims in Egypt, Mexico, and Poland, indicating a broad operational scope.
Cybersecuritynews
2026-05-26
Defensive measures recommended
Experts recommend monitoring specific indicators and isolating affected hosts to mitigate the ransomware's impact.
Socprime

Community

Browse all →