Payload Ransomware Targets Windows and ESXi with Babuk Encryption

Payload Ransomware Targets Windows and ESXi with Babuk Encryption

First seen 17 Mar 2026, 10:36 UTC GbhackersCybersecuritynews 84% similarity 68.0

Article Content

Browse articles
ThreatCluster

A new ransomware strain named 'Payload' has emerged, posing a significant threat to organizations utilizing Windows and VMware ESXi systems. The group behind Payload has been active since at least February 17, 2026, and employs Babuk-style cryptography along with advanced anti-forensic techniques. Initial reports indicate that mid-to-large organizations across various sectors and countries are being targeted. The ransomware operates on a double-extortion model, demanding payment for decryption keys and threatening to leak sensitive data. As of now, specific numbers of victims or financial impacts have not been disclosed. The first victim was reported shortly after the ransomware's Windows binary was compiled. Security professionals are urged to remain vigilant as the group continues to expand its operations.

Key Points: • Payload ransomware targets both Windows and VMware ESXi environments. • The group has been active since February 17, 2026, using Babuk-style encryption. • It employs a double-extortion model, threatening data leaks alongside encryption.

ThreatCluster AI

Timeline

2026-02-17
Payload ransomware group becomes active.
2026-02-17
First victim of Payload ransomware reported.
2026-03-17
Gbhackers and Cybersecuritynews publish articles on Payload.

Community

Browse all →