Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A dangerous new ransomware strain called Payload has been quietly building a global victim list since it first appeared in February 2026.

The group launched its leak site with a high-profile target and has since expanded operations across Egypt, Mexico, Poland, and beyond. What makes this threat stand out is not just its reach, but the technical sophistication behind how it locks down victim files.

Payload ransomware targets Windows systems and appends the “.payload” extension to every file it encrypts. Victims are greeted with a ransom note called RECOVER_payload.txt and given 240 hours to begin negotiations.

By March 24, 2026, the group had already listed 50 victims on its leak site, ranging from real estate firms and logistics companies to manufacturers and technology providers.

The group appears to focus on industries where downtime creates immediate financial pressure. Logistics and transportation firms sit high on its target list, as do construction and real estate companies in the MENA region.

The malware carries a mutex named “MakeAmericaGreatAgain,” which prevents multiple instances from running on the same machine.

Victims by country (Source – Dark Atlas)

Before encryption begins, it deletes Windows shadow copies, patches event-tracing functions in memory, clears Windows Event Logs, and terminates dozens of database, backup, and office processes. These steps leave victims with very little to fall back on.

Organizations should monitor for RECOVER_payload.txt, the .payload file extension, and the log file written to ??C:payload.log. Security teams should also watch for sudden termination of backup and database services, as this often signals active ransomware deployment.

Maintaining offline backups and protecting shadow copy services at the infrastructure level are critical steps in limiting the damage this threat can cause.

Payload ransomware uses a per-file encryption approach that makes recovery without the operator’s private key essentially impossible. For each file, the malware generates a fresh 32-byte private key and a 12-byte nonce using Windows’ own CryptGenRandom function.

It then runs a Curve25519 ECDH operation, combining the victim’s temporary key with the operator’s embedded public key to produce a shared secret used directly as the ChaCha20 key.

Mutex and Single-Instance Check (Source – Dark Atlas)

Files are encrypted in one-megabyte chunks, and a 56-byte footer is written to the end of every file when the process completes.

This footer holds the victim’s temporary public key and the nonce, wrapped in RC4 encryption using the three-byte key “FBI”. The operator can use their private key to recover any file, but victims on their own have no path to decryption.

The ransomware supports three speed modes, automatically choosing between AVX2, SSE2, and a standard scalar path based on the victim’s processor. It also uses direct Windows NT API calls rather than standard user-mode functions, helping it bypass security tools that monitor higher-level activity.

Anti-Forensics Behavior and Evasion Techniques

One of the most alarming aspects of Payload ransomware is how aggressively it erases its own tracks. When the bypass-etw flag is active, the malware patches four key event-tracing functions inside Windows’ ntdll library, silencing the system’s ability to log what the ransomware is doing.

Combined with the deletion of all shadow copies before encryption begins, defenders are left with very little forensic evidence after an attack.

Per-File Key-Handoff Design (Source – Dark Atlas)

The ransomware loads the Windows event log API at runtime and clears every available channel, including Application, System, and Security logs.

It terminates over 30 processes and stops more than 40 services before locking files, targeting everything from SQL databases to Veeam and Acronis backup solutions. Once those protections are removed, encryption runs without interference.
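The detection guidance above (watch for shadow-copy deletion, sudden termination of backup and database services, then RECOVER_payload.txt and the .payload extension) can be correlated in the order the article describes. The following is an added example written for this page, not code from the article or from the Dark Atlas report; the event schema and the service/process names in the constructed sample are assumptions.

```python
import re
# Indicators quoted in the article. Service/process names in the sample events
# are illustrative: the page names Veeam, Acronis and SQL, not the full list.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
BACKUP_DB_HINTS = ("veeam", "acronis", "sql")
RANSOM_NOTE, ENCRYPTED_EXT = "recover_payload.txt", ".payload"

def classify_event(ev):
    """Return the Payload indicators one telemetry event matches (may be empty)."""
    hits, kind = [], ev["type"]
    if kind == "process_create" and VSS_DELETE.search(ev.get("cmdline", "")):
        hits.append("vss_delete")
    if kind in ("process_terminate", "service_stop"):
        if any(h in ev["name"].lower() for h in BACKUP_DB_HINTS):
            hits.append("backup_db_kill")
    if kind == "file_create":
        path = ev["path"].lower()
        if path.endswith(RANSOM_NOTE):
            hits.append("ransom_note")
        elif path.endswith(ENCRYPTED_EXT):
            hits.append("encrypted_file")
    return hits

def assess_host(events, kill_threshold=3):
    """Correlate one host's events (in time order) into (verdict, hit counts).
    Staging = shadow copies deleted, then >= kill_threshold backup/DB kills;
    active encryption = ransom note or a .payload file observed."""
    counts, vss_seen, kills_after_vss = {}, False, 0
    for ev in events:
        for hit in classify_event(ev):
            counts[hit] = counts.get(hit, 0) + 1
            if hit == "vss_delete":
                vss_seen = True
            elif hit == "backup_db_kill" and vss_seen:  # order matters
                kills_after_vss += 1
    if counts.get("ransom_note") or counts.get("encrypted_file"):
        return "active_encryption", counts
    if vss_seen and kills_after_vss >= kill_threshold:
        return "pre_encryption_staging", counts
    return ("suspicious" if counts else "clean"), counts
# Constructed sample telemetry for one host, in the order the article describes.
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"type": "service_stop", "name": "VeeamBackupSvc"},
    {"type": "service_stop", "name": "AcronisAgent"},
    {"type": "process_terminate", "name": "sqlservr.exe"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.payload"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\RECOVER_payload.txt"},
]
```

Feed it the process, service and file events from an EDR or Sysmon export in chronological order; kills that precede the shadow-copy deletion are counted but do not on their own raise the staging verdict.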

Payload should be tracked as an emerging ransomware operation with international ambitions. The Dark Atlas report noted that monitoring its leak site, victim patterns, and future code changes will be essential as the group continues to grow.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| MD5 | E0FD8FF6D39E4C11BDAF860C35FD8DC0 | Payload ransomware sample hash |
| SHA1 | DDE1B933AAD33C5D96C2E45AD46434A200DC46A6 | Payload ransomware sample hash |
| SHA256 | 1CA67AF90400EE6CBBD42175293274A0F5DC05315096CB2E214E4BFE12FFB71F | Payload ransomware sample hash |
| Mutex | MakeAmericaGreatAgain | Ransomware single-instance mutex |
| File Extension | .payload | Extension appended to encrypted files |
| File Name | RECOVER_payload.txt | Ransom note dropped in affected directories |
| Recovery Label | g:payload | Key-handoff label written to recovery.ini |
| Log File Path | ??C:payload.log | Operator activity log written during execution |
| VSS Deletion Command | /c vssadmin.exe delete shadows /all /quiet | Shadow copy destruction command |
| Tor Leak Site | payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion | Payload ransomware group’s victim blog |
| Tor Negotiation Portal | payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion | Ransom negotiation portal |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
