Payload is a new type of ransomware that is attacking businesses. It uses encryption methods that are similar to those in the leaked Babuk ransomware source code. The group has been around since at least February 17, 2026, and its Tor leak site already has a list of victims.

The attackers claimed responsibility for a breach at Royal Bahrain Hospital on March 15. They posted a notice saying that 110 GB of stolen data would be published unless a ransom is paid by March 23. The leak portal lists 12 organizations, the hospital among them. The group claims to have stolen more than 2.6 TB of data from victim organizations in seven countries.

The organizations that were affected are in a wide range of fields, including healthcare, telecommunications, energy, real estate, and agriculture. Most of the victims are in emerging markets. The group uses a common double-extortion model: they steal data, encrypt systems, and say they will publish it if the ransom is not paid.

Secure Key Handling and Babuk-Style Encryption

Researchers who analyzed the Payload ransomware fully reverse-engineered its Windows binary. The malware encrypts files with ChaCha20 and uses Curve25519 for key exchange. Each file is encrypted with a different key derived from random data: the malware generates a fresh Curve25519 key pair for every file and combines its private half with the attacker's embedded public key to derive a shared secret. The ChaCha20 encryption key for that file is then derived from the shared secret. Because only the attacker holds the matching private key, the shared secret (and thus the file key) cannot be recomputed from what is left on the victim's disk.

To speed up the attack, files larger than 2 GB are only partially encrypted.

Cross-Platform Ransomware Attacking Servers

Payload ships separate binaries for Windows and for Linux/ESXi environments, which lets it attack both enterprise servers and virtualization platforms. The Windows build, compiled on February 17, 2026, is about 395 KB and carries extensive anti-forensics functionality: it clears Windows event logs, patches ETW tracing functions to evade security monitoring, deletes volume shadow copies, and stops services related to backups and security tools.
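Because files over 2 GB are only partially encrypted, parts of large files may remain intact; an incident responder can map which regions were overwritten with a chunked entropy scan. The following is an added example written for this page, not code from the researchers' analysis: the 4 KiB window and 7.5 bits/byte threshold are assumptions to tune per case, and the sample "file" is constructed in place.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # scan window in bytes (assumed; tune to the file type)
THRESHOLD = 7.5     # bits/byte; ChaCha20 output sits near 8.0, plaintext far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def map_regions(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD):
    """Scan a file image in fixed windows and coalesce adjacent windows with the
    same verdict into (start, end, encrypted) tuples; `end` is exclusive."""
    regions = []
    for off in range(0, len(data), chunk):
        window = data[off:off + chunk]
        enc = shannon_entropy(window) >= threshold
        if regions and regions[-1][2] == enc:
            regions[-1] = (regions[-1][0], off + len(window), enc)
        else:
            regions.append((off, off + len(window), enc))
    return regions


def recoverable_bytes(data: bytes, **kw) -> int:
    """Bytes in windows judged not encrypted, i.e. candidates for salvage."""
    return sum(end - start for start, end, enc in map_regions(data, **kw) if not enc)


# Constructed stand-in for a partially encrypted large file: repetitive text,
# then a pseudo-random block standing in for ChaCha20 output, then padding.
# A real triage run would read the victim's file in the same window size.
SAMPLE = ((b"LOG line repeated text " * 1024)[:16384]
          + random.Random(7).randbytes(8192)
          + b"A" * 8192)

if __name__ == "__main__":
    for start, end, enc in map_regions(SAMPLE):
        print(f"{start:>8}-{end:<8} {'ENCRYPTED' if enc else 'plaintext'}")
    print("recoverable bytes:", recoverable_bytes(SAMPLE))
```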

Technical Feature | Payload Windows Variant | Payload Linux and ESXi Variant
Target Environment | Microsoft Windows platforms, compiled with MSVC | Linux operating systems and VMware ESXi enterprise hypervisors
Binary File Size | Approximately 395 KB, due to static linking of the concurrency runtime | Around 40 KB as a dynamically linked, fully stripped ELF binary

The Linux version, at only 40 KB, focuses mainly on VMware ESXi environments. It searches VMware configuration files for virtual machine disk images and encrypts them immediately. Victims receive a ransom note directing them to a Tor negotiation portal where payments can be made.

As proof that they control the decryption keys, the attackers let victims decrypt up to three small files for free.