Socprime
Payload Ransomware Targets Global Organizations with ChaCha20 Encryption
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Payload ransomware, first identified in February 2026, has rapidly expanded its operations, targeting logistics, real estate, and manufacturing sectors worldwide. The malware employs ChaCha20 encryption and Curve25519 ECDH for file encryption, appending the .payload extension to affected files. Its anti-forensic techniques include deleting VSS shadow copies and clearing event logs, making recovery difficult. The group operates via Tor for ransom negotiations and data leaks, with notable activity reported in Egypt, Mexico, and Poland. Defenders are advised to monitor for specific indicators such as the MakeAmericaGreatAgain mutex and the RECOVER_payload.txt ransom note. Immediate isolation of affected hosts and preservation of logs are critical for incident response. The ransomware's sophisticated methods pose a significant threat to organizations that fail to implement robust cybersecurity measures.
Key Points: • Payload ransomware uses ChaCha20 and Curve25519 for file encryption. • The malware employs aggressive anti-forensic techniques to hinder recovery efforts. • Organizations in logistics, real estate, and manufacturing are primary targets.