Payload ransomware group has emerged as a new and aggressive threat actor targeting enterprise environments, leveraging encryption techniques similar to those found in the leaked Babuk ransomware source code. Active since at least February 17, 2026, the group has already listed multiple victims on its Tor-based leak site, signaling a rapidly expanding campaign.

Payload claimed responsibility for a cyberattack on Royal Bahrain Hospital, threatening to release 110 GB of stolen data unless a ransom is paid by March 23. The hospital is one of 12 organizations currently listed, with the group claiming to have exfiltrated over 2.6 TB of data across victims in seven countries. Targeted sectors include healthcare, telecommunications, energy, real estate, and agriculture, with a notable focus on organizations in emerging markets.

Payload operates using a double-extortion model, where attackers not only encrypt systems but also steal sensitive data and threaten to publish it if ransom demands are not met. This tactic significantly increases pressure on victims, combining operational disruption with reputational risk. Technical analysis reveals that the ransomware employs advanced cryptographic methods. It uses Curve25519 for secure key exchange and ChaCha20 for file encryption, both widely recognized for their efficiency and strength. Each file is encrypted with a unique key generated from random data: the malware creates a per-file key pair, derives a shared secret from it and the attacker's public key, and uses that shared secret directly as the file's encryption key. To accelerate the attack, files larger than 2 GB are only partially encrypted.

The operation is also notable for its cross-platform capabilities. Payload includes distinct variants for Windows and Linux/ESXi systems, allowing it to target both endpoints and enterprise virtualization infrastructure. The Windows version, approximately 395 KB in size, incorporates several anti-forensic techniques, such as wiping event logs, disabling Event Tracing for Windows (ETW), deleting shadow copies, and terminating backup or security-related services. Meanwhile, the lightweight ESXi variant, around 40 KB, focuses on VMware ESXi environments. It scans configuration files to identify virtual machine disk images and encrypts them directly, maximizing impact on enterprise operations.
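As an added illustration, not code from this write-up or from any analysis of the Payload sample, the following Python sketch shows how a defender might correlate the anti-forensic behaviours listed above (event log clearing, shadow copy deletion, stopping backup or security services) in Windows event telemetry. Event IDs 1102/104 (log cleared) and 4688 (process creation) are standard Windows events; the command-line patterns, the correlation window and threshold, and the sample records are assumptions constructed for the demo, and ETW tampering is left out because it has no single standard event to match.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours named in the write-up mapped to Windows telemetry: 1102/104 are the
# standard "log cleared" events; command lines come from 4688 process creation.
LOG_CLEARED = {1102: "security_log_cleared", 104: "system_log_cleared"}
CMDLINE_PATTERNS = {  # assumed patterns, in the style of common detection rules
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_wipe": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I),
}
WINDOW = timedelta(minutes=10)   # correlation window per host (assumed)
ALERT_THRESHOLD = 2              # distinct behaviours needed to alert (assumed)

def classify(event):
    """Label one event dict with the anti-forensic behaviour it shows, or None."""
    eid = event.get("event_id")
    if eid in LOG_CLEARED:
        return LOG_CLEARED[eid]
    if eid == 4688:
        for label, pattern in CMDLINE_PATTERNS.items():
            if pattern.search(event.get("command_line", "")):
                return label
    return None

def detect(events):
    """Return {host: sorted labels} for hosts with >= ALERT_THRESHOLD behaviours inside WINDOW."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev)
        if label:
            per_host[ev["host"]].append((ev["time"], label))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            labels = {lbl for t, lbl in hits[i:] if t - t0 <= WINDOW}
            if len(labels) >= ALERT_THRESHOLD:
                alerts[host] = sorted(labels)
                break   # a lone log clear (routine housekeeping) stays below threshold
    return alerts

# Constructed sample telemetry for the demo; not taken from any real incident.
T = datetime(2026, 3, 1, 2, 0, 0)
SAMPLE_EVENTS = [
    {"time": T, "host": "FS01", "event_id": 4688, "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": T + timedelta(seconds=5), "host": "FS01", "event_id": 4688, "command_line": "net stop BackupSvc /y"},
    {"time": T + timedelta(seconds=9), "host": "FS01", "event_id": 1102},
    {"time": T + timedelta(minutes=1), "host": "WS22", "event_id": 4688, "command_line": "notepad.exe C:\\notes.txt"},
    {"time": T + timedelta(hours=3), "host": "WS22", "event_id": 104},
]
```

Running `detect(SAMPLE_EVENTS)` flags only FS01, where three distinct behaviours occur within seconds, while the single log-clear on WS22 is ignored.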

Victims receive a ransom note directing them to a Tor-based negotiation portal, where payment terms are discussed. As proof of decryption capability, attackers offer to restore up to three small files for free. This campaign highlights the continued evolution of ransomware threats, combining sophisticated encryption, cross-platform targeting, and stealth techniques to maximize damage and financial gain.
