Payload Ransomware Targets Global Organizations with ChaCha20 Encryption

Severity: High (Score: 72.5)

Sources: Cybersecuritynews, Socprime

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: payload, ransomware, uses, chacha20, curve25519, ecdh, windows

Severity indicators: ransomware, ics

Summary

Payload ransomware, first identified in February 2026, has rapidly expanded its operations, targeting logistics, real estate, and manufacturing sectors worldwide. The malware employs ChaCha20 encryption and Curve25519 ECDH for file encryption, appending the .payload extension to affected files. Its anti-forensic techniques include deleting VSS shadow copies and clearing event logs, making recovery difficult. The group operates via Tor for ransom negotiations and data leaks, with notable activity reported in Egypt, Mexico, and Poland. Defenders are advised to monitor for specific indicators such as the MakeAmericaGreatAgain mutex and the RECOVER_payload.txt ransom note. Immediate isolation of affected hosts and preservation of logs are critical for incident response. The ransomware's sophisticated methods pose a significant threat to organizations that fail to implement robust cybersecurity measures.

Key Points:

  • Payload ransomware uses ChaCha20 and Curve25519 for file encryption.
  • The malware employs aggressive anti-forensic techniques to hinder recovery efforts.
  • Organizations in logistics, real estate, and manufacturing are primary targets.

Detailed Analysis

**Impact**

Payload ransomware has targeted global organizations since February 2026, affecting sectors including logistics, real estate, and manufacturing. Victims span multiple continents, with confirmed incidents in Egypt, Mexico, and Poland. The ransomware encrypts files and appends the .payload extension, risking critical business data and operational disruption. The group operates a public leak site to pressure victims, increasing exposure of sensitive information.

**Technical Details**

Payload ransomware encrypts Windows files using ChaCha20 with a per-file Curve25519 ECDH key exchange, appending a 56-byte RC4-encrypted footer containing the victim's public key and an FBI marker. It employs anti-forensic techniques such as ETW patching, deletion of VSS shadow copies via vssadmin, clearing Windows event logs, and terminating a predefined kill list of processes and services. Communication and data leak publication occur through Tor onion sites. Key IOCs include the MakeAmericaGreatAgain mutex, .payload file extensions, and the RECOVER_payload.txt ransom note.

**Recommended Response**

Isolate infected hosts immediately and preserve volatile memory for forensic analysis. Block execution of vssadmin.exe and monitor for ETW patching, suspicious NT API file I/O, and forced termination of critical services. Restrict network access to known Tor onion addresses linked to the group and detect creation of .payload files and the MakeAmericaGreatAgain mutex. Maintain offline backups and limit reliance on shadow copies to enable recovery without paying ransom. Share indicators with threat intelligence teams and block associated command-and-control infrastructure.
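The detection guidance above maps onto a small set of host telemetry checks: shadow-copy deletion via vssadmin, event-log clearing, creation of the MakeAmericaGreatAgain mutex, the RECOVER_payload.txt ransom note, and a burst of .payload files from one process. The following Python is an added example, not code from either source article, showing how those checks could be run over endpoint events. The event records are constructed here in a Sysmon-like shape (EventType, Host, Image, CommandLine, TargetFilename, MutexName); the wevtutil pattern used for T1070.001, the process path, and the burst threshold are assumptions, not indicators from the page.

```python
"""Toy detector for the Payload-ransomware indicators in the write-up above.

Added example; not code from the page's sources. Events are constructed
Sysmon-style dicts. Field names follow Sysmon conventions, but every record
below is made up for this demonstration.
"""
import re
from collections import Counter

# Indicators named in the write-up.
MUTEX_NAME = "MakeAmericaGreatAgain"
RANSOM_NOTE = "RECOVER_payload.txt"
ENCRYPTED_EXT = ".payload"

# vssadmin shadow deletion is named on the page. The wevtutil pattern is an
# assumption about how T1070.001 is commonly performed; the page only says
# "clearing Windows event logs" without naming the tool.
VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
EVTLOG_CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)

# Assumed threshold: this many .payload writes from one process on one host
# is treated as mass encryption rather than a stray file.
MASS_ENCRYPT_THRESHOLD = 5


def classify_event(ev):
    """Return a list of (technique, reason) tuples for a single event."""
    findings = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        cmd = ev.get("CommandLine", "")
        if VSS_DELETE_RE.search(cmd):
            findings.append(("T1490", f"shadow copy deletion: {cmd}"))
        if EVTLOG_CLEAR_RE.search(cmd):
            findings.append(("T1070.001", f"event log clearing: {cmd}"))
    elif kind == "FileCreate":
        name = ev.get("TargetFilename", "")
        base = name.rsplit("\\", 1)[-1]          # strip the directory part
        if base.lower() == RANSOM_NOTE.lower():
            findings.append(("T1486", f"ransom note dropped: {name}"))
        elif base.lower().endswith(ENCRYPTED_EXT):
            findings.append(("T1486", f"encrypted file written: {name}"))
    elif kind == "MutexCreate":
        if ev.get("MutexName") == MUTEX_NAME:
            findings.append(("IOC", f"known mutex created: {MUTEX_NAME}"))
    return findings


def scan(events):
    """Scan events; return (findings, set of (host, image) doing mass encryption)."""
    findings = []
    payload_writes = Counter()
    for ev in events:
        for technique, reason in classify_event(ev):
            key = (ev.get("Host"), ev.get("Image"))
            findings.append((key[0], key[1], technique, reason))
            if reason.startswith("encrypted file written"):
                payload_writes[key] += 1
    mass = {k for k, n in payload_writes.items() if n >= MASS_ENCRYPT_THRESHOLD}
    return findings, mass


# Constructed sample telemetry for one host; the process path is made up.
_IMG = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "WS-01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventType": "ProcessCreate", "Host": "WS-01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventType": "MutexCreate", "Host": "WS-01", "Image": _IMG, "MutexName": MUTEX_NAME},
    {"EventType": "FileCreate", "Host": "WS-01", "Image": r"C:\Windows\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventType": "FileCreate", "Host": "WS-01", "Image": _IMG,
     "TargetFilename": r"C:\Users\alice\Documents\RECOVER_payload.txt"},
] + [
    {"EventType": "FileCreate", "Host": "WS-01", "Image": _IMG,
     "TargetFilename": rf"C:\Users\alice\Documents\file{i}.docx.payload"}
    for i in range(6)
]


if __name__ == "__main__":
    hits, mass_hosts = scan(SAMPLE_EVENTS)
    for host, image, technique, reason in hits:
        print(f"{host} {technique:10} {reason}  [{image}]")
    for host, image in mass_hosts:
        print(f"MASS ENCRYPTION on {host} by {image}")
```

On the constructed sample this reports the vssadmin and wevtutil commands, the mutex, the ransom note and six .payload writes, and flags the writing process as a mass-encryption source. In production the same logic would consume real process-creation, file-creation and mutex telemetry and should fire on the vssadmin and mutex indicators alone, since by the time a .payload burst is visible encryption is already under way.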

Source articles (2)

  • Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files — Cybersecuritynews · 2026-05-26
    A dangerous new ransomware strain called Payload has been quietly building a global victim list since it first appeared in February 2026. The group launched its leak site with a high-profile target an…
  • Payload Ransomware Uses ChaCha20 and Aggressive Anti-Forensics — Socprime · 2026-05-26
    Payload is a Windows ransomware family that encrypts files with ChaCha20 and uses a per-file Curve25519 ECDH exchange, then appends the .payload extension to impacted data. The malware drops a RECOVER…

Timeline

  • 2026-02-01 — Payload ransomware first detected: Payload ransomware was first identified in February 2026, quickly gaining traction across various sectors.
  • 2026-05-26 — Ransomware expands global victim list: Payload ransomware has been linked to victims in Egypt, Mexico, and Poland, indicating a broad operational scope.
  • 2026-05-26 — Defensive measures recommended: Experts recommend monitoring specific indicators and isolating affected hosts to mitigate the ransomware's impact.

Related entities

  • Ransomware (Attack Type)
  • Egypt (Country)
  • Mexico (Country)
  • Poland (Country)
  • Manufacturing (Industry)
  • Payload Ransomware (Ransomware Group)
  • Payload (Ransomware Group)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1070.001 - Clear Windows Event Logs (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • T1490 - Inhibit System Recovery (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • Windows (Platform)
  • Cmd.exe (Tool)
  • PowerShell (Tool)
  • Vssadmin (Tool)