A new ransomware family called "Payload" has become a significant threat to businesses across many sectors; this article examines it. Payload uses strong encryption and anti-forensic techniques to evade security controls.
The group behind it has been active since at least February 17, 2026, the day its Windows binary was built, and its first victim appeared on its dark-web leak site within hours of the site going live. Payload has since listed 12 victims in seven countries, and the operators claim to hold 2,603 gigabytes of stolen data. The group mainly targets mid- to large-sized companies in healthcare, real estate, energy, telecommunications, and agriculture, mostly in emerging markets.
Payload follows a double-extortion model: it steals data from victim networks, encrypts their files, and then threatens to publish the stolen data unless a ransom is paid. Because Payload specifically targets and disables backup services from Veeam, Acronis, and BackupExec, organizations should keep immutable backups and test restores regularly. Security teams should not rely solely on ETW-based monitoring, because Payload patches four core ntdll functions to disable it.
An alert should fire immediately when any process runs vssadmin to delete shadow copies or clears the entire event log. The mutex MakeAmericaGreatAgain and the encrypted-file extension .Payload are both reliable host-based indicators of compromise.
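The detection guidance above, as an added example that is not code from the original article or from any vendor: a small Python detector that applies the Payload host indicators to a list of Windows event records. The records are constructed and simplified (Sysmon-style dictionaries); the field names, the Sysmon and Security event IDs used for log clearing, and the wevtutil pattern are assumptions of this example, not details the article states about Payload. The mutex check is a live lookup that only runs on Windows. One reason these signals remain useful despite the ntdll patching is that in-process ETW patches blind user-mode providers inside the patched process, whereas Sysmon process and file events and the Security audit log are produced outside it.

```python
import re
import sys
from typing import Iterable

# Indicators stated in the article.
PAYLOAD_EXTENSION = ".Payload"
PAYLOAD_MUTEX = "MakeAmericaGreatAgain"

# Shadow-copy deletion via vssadmin; tolerant of switches such as /all /quiet.
VSSADMIN_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Event-log clearing from the command line. Windows records the clear itself
# as Security 1102 / System 104; those IDs and the wevtutil syntax are standard
# Windows behaviour and an assumption of this example, not an article claim.
WEVTUTIL_CLEAR = re.compile(
    r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b", re.IGNORECASE)


def _alert(rule: str, event: dict, detail: str) -> dict:
    return {"rule": rule, "host": event.get("host", "?"), "detail": detail}


def detect(events: Iterable[dict]) -> list:
    """Apply the Payload host indicators to simplified Sysmon/Security records
    and return one alert per hit, in input order."""
    alerts = []
    for ev in events:
        chan, eid = ev.get("channel"), ev.get("event_id")
        if chan == "Sysmon" and eid == 1:            # process creation
            cmd = ev.get("command_line", "")
            if VSSADMIN_DELETE.search(cmd):
                alerts.append(_alert("shadow_copy_deletion", ev, cmd))
            elif WEVTUTIL_CLEAR.search(cmd):
                alerts.append(_alert("event_log_clear_cmd", ev, cmd))
        elif chan == "Sysmon" and eid == 11:         # file creation
            name = ev.get("target_filename", "")
            if name.lower().endswith(PAYLOAD_EXTENSION.lower()):
                alerts.append(_alert("payload_extension_written", ev, name))
        elif (chan, eid) in (("Security", 1102), ("System", 104)):
            alerts.append(_alert("event_log_cleared", ev, f"{chan} {eid}"))
    return alerts


def mutex_present(name: str = PAYLOAD_MUTEX):
    """Live check for the Payload mutex on the local Windows host.
    Returns True/False on Windows and None elsewhere. The article does not
    say which namespace the mutex lives in; prefix "Global\\" if needed."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.OpenMutexW.restype = wintypes.HANDLE
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


# Constructed sample telemetry for the example (not real victim data).
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "Sysmon", "event_id": 1,
     "command_line": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "channel": "Sysmon", "event_id": 1,
     "command_line": r"vssadmin.exe list shadows"},
    {"host": "FS01", "channel": "Sysmon", "event_id": 1,
     "command_line": r"wevtutil.exe cl Security"},
    {"host": "FS01", "channel": "Security", "event_id": 1102},
    {"host": "FS01", "channel": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\alice\Documents\q1.xlsx.Payload"},
    {"host": "FS01", "channel": "Sysmon", "event_id": 11,
     "target_filename": r"C:\Users\alice\Documents\q1.xlsx"},
    {"host": "FS01", "channel": "Sysmon", "event_id": 1,
     "command_line": r"powershell.exe -NoProfile Get-Process"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
    print("mutex present:", mutex_present())
```

Running the block against the sample set yields four alerts (the listing and PowerShell events are ignored). Legitimate backup software can also invoke vssadmin, so in production the shadow-copy rule is normally tuned on the parent process rather than suppressed.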
YARA detection rules for both the Windows and Linux builds are available at github.com/kirkderp/yara.