Executive Summary & Group Overview
Payload is a Babuk-derived ransomware operation that emerged in February 2026, running a classic double-extortion model against Windows and VMware ESXi environments. Data is exfiltrated before encryption, then victims are pressured through a Tor negotiation portal and a separate Tor leak blog with countdown timers. Encrypted files receive the .payload extension and a ransom note named RECOVER_payload.txt is dropped. The operation is technically mature from its first build: per-file Curve25519 plus ChaCha20 encryption, ETW patching, event-log wiping, NTFS Alternate Data Stream self-deletion, and partial encryption of large files for speed.
The group is small and recent. Its leak site went live within hours of the first build and reached roughly a dozen victims across seven countries inside its first month, growing to 16 or more by late March 2026 and remaining active through at least June 2026. No major incident-response vendor (CrowdStrike, Mandiant, Recorded Future, Microsoft, Unit 42, Secureworks) has issued a group-specific tracking codename; open sources track it generically as "Payload."
| Metric | Value | Confidence |
|---|---|---|
| First observed | 17 February 2026 (Windows binary compile date, first victim same week) | CONFIRMED |
| Leak-site victims | 12 at first analysis (15 Mar 2026); 16+ by late March; active June 2026 | CREDIBLE |
| Countries affected | 7 (emerging markets emphasis) | CONFIRMED |
| Data claimed stolen | 2,603 GB (~2.6 TB) at March 2026 snapshot | CREDIBLE |
| Platforms | Windows PE and Linux/ESXi ELF | CONFIRMED |
| Decryptor available | None (no implementation flaw identified; not listed on No More Ransom) | CONFIRMED |
| Confirmed revenue | Unknown (no published on-chain analysis; no wallet in note) | n/a (intelligence gap) |
| LE disruption status | None (no arrests, indictments, sanctions, or takedowns) | CONFIRMED |
| Attribute | Detail |
|---|---|
| Vendor tracking names | Tracked generically as "Payload" by SOC Prime, Ransomware.live, WatchGuard, Derp.ca. No group-specific codename from CrowdStrike, Mandiant, Recorded Future, Microsoft, Unit 42, or Secureworks as of June 2026. |
| Lineage | Babuk-derived (leaked September 2021 builder). 17 VirusTotal engines flag the binary as Babuk. Distinct family, not an announced rebrand of a named prior group. |
| Operational model | Double extortion. RaaS branding is repeated by some news outlets but UNVERIFIED: no affiliate panel or builder evidence in open source. Working assessment: closed crew or limited builder operation. |
| Extortion mechanic | Exfiltration before encryption; Tor negotiation portal with per-victim credentials; separate Tor leak blog with countdown timers. |
| File markers | Extension .payload; note RECOVER_payload.txt; mutex MakeAmericaGreatAgain; footer marker payload\0. |
| Encryption | Per-file Curve25519 ECDH + ChaCha20; shared secret used directly as key; no decryptor. |
| Assessed jurisdiction | Unestablished. Babuk heritage hints at Eastern European origin but is not attribution. No CIS kill-switch documented. |
| Named high-profile victim | Royal Bahrain Hospital (15 Mar 2026), 110 GB claimed, 23 Mar deadline. |
Lineage & Organizational Heritage
Payload was first observed in mid-February 2026. The analyzed Windows binary was compiled on 17 February 2026 (08:39 UTC), and the first victim appeared on the leak site within hours. Public technical write-ups followed in March 2026. Trackers (Ransomware.live, WatchGuard) and follow-on reporting continue to record active postings through at least June 2026.
The Babuk linkage is the best-supported claim in the profile. It rests on direct binary comparison against the leaked Babuk source, plus broad anti-virus consensus. No major vendor publicly disputes the Babuk-derived characterization.
Payload inherits Babuk code, not Conti code. Accordingly, Conti-cluster parent designations do not apply to this profile. Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) describe the parent Conti organization and are not relevant to Babuk-derived families. Babuk's own operators were tracked separately (for example Secureworks Gold Northfield); that designation attaches to the original Babuk crew, not to Payload.
For Payload itself, no group-specific vendor codename exists in open source as of June 2026. The Babuk-derivative assessment is made explicitly by Derp.ca and independent researchers and echoed by Ransomware.live; it is not yet framed as a formal lineage finding by large IR vendors such as Mandiant or CrowdStrike.
Operational Model
Several news outlets describe Payload as ransomware-as-a-service, but that label is repeated without supporting evidence. The primary static analysis is explicit that no public source shows an affiliate program, recruitment, revenue-share terms, or a builder panel. Treat RaaS branding as unverified.
The one ambiguous signal toward multiple operators is that the Windows and Linux/ESXi builds carry different embedded operator public keys, consistent with per-campaign or per-affiliate key generation. This is suggestive but not conclusive. On current evidence, the working assessment is a small closed crew or a limited builder-based operation rather than a broad RaaS marketplace.
- Exfiltration first: data is stolen before encryption, creating two leverage points.
- Encryption: files locked with the .payload extension; recovery infeasible without the operator key.
- Negotiation portal: each victim receives unique credentials for a Tor portal. Up to 3 free file decryptions (15 MB each) are offered as proof of capability.
- Publication threat: a separate Tor leak blog publishes stolen data under countdown timers if payment is not made.
- Offline operation: the payload stage has no command-and-control traffic; the binary is fully self-contained.
The decrypted ransom note frames a 72-hour initial pressure window (file-tree publication and naming of the company) and a 240-hour total negotiation window. No wallet address appears in the note; payment is arranged exclusively through the Tor portal. There is no public corpus of negotiation transcripts yet, so demand ranges, discounting behavior, and payment timing remain intelligence gaps.
| Service | Onion address | Notes |
|---|---|---|
| Negotiation portal | payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd.onion | Per-victim credentials; exposes no Server header |
| Leak blog | payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd.onion | nginx with hardened security headers; different backend from the portal |
Both sites were confirmed reachable as of mid-March 2026. The distinct backends (portal versus nginx leak blog) indicate deliberate separation of negotiation and publication infrastructure.
Technical Capabilities
| Field | Windows PE | Linux/ESXi ELF |
|---|---|---|
| SHA-256 | 1ca67af9...12ffb71f | bed8d175...047a316 |
| Type | PE32 console, MSVC (VS2019) | ELF 64-bit, stripped |
| Size | ~395 KB | ~40 KB |
| Compiled / first seen | 2026-02-17 08:39 UTC | VT first seen 2026-02-17 |
| Mutex | MakeAmericaGreatAgain | None |
| VT detection | 57/76 | 8/76 |
The Windows build is roughly ten times larger than the Linux build, mostly due to static MSVC runtime linking plus the service/process kill lists, event-log wiper, and ETW patcher, none of which exist in the ESXi build.
Public analysis focuses on the payload stage. No specific initial access vector (RDP, phishing, VPN/edge-device exploitation) and no exploited CVE have been documented for Payload. This is a primary gap: there is no Payload-specific CVE that could be checked against the NVD.
- Per-file keypair: CryptGenRandom produces a 32-byte Curve25519 private key (clamped) and a 12-byte ChaCha20 nonce for each file.
- ECDH: the shared secret of the per-file private key and the embedded operator public key is used directly as the ChaCha20 key, with no key-derivation step.
- Cipher: ChaCha20 in 1 MB chunks. Files over 2 GB are partially encrypted (about 20%, in evenly spaced 1 MB chunks) for speed on large volumes.
- Footer: a 56-byte footer is appended, RC4-encrypted with the 3-byte key "FBI"; it holds the per-file public key, nonce, and a payload\0 marker.
- Key hygiene: the per-file private key is zeroed from memory immediately after the footer is written and never touches disk.
- ETW patching: patches four ntdll functions (EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, EtwRegister) to return immediately, blinding EDR that relies on ETW.
- Event-log wipe: loads wevtapi.dll at runtime and clears every Windows event-log channel via EvtClearLog.
- NTFS ADS self-deletion: renames its own data stream to an Alternate Data Stream (:payload), releasing the file lock so the executable deletes on close with no child process or temp batch file.
- Shadow copies and recycle bin: deletes shadow copies via vssadmin.exe delete shadows /all /quiet and empties the recycle bin.
- Kill lists: stops ~34 services (Veeam, Acronis, BackupExec, Symantec/Veritas, Sophos, Qihoo 360, Intuit QuickBooks) and ~31 processes (SQL, Oracle, Office suite, Thunderbird, Firefox, Steam).
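As an added triage example (not code from the analyses cited on this page), the following Python decrypts and checks the 56-byte footer described above so an analyst can confirm a file was encrypted by Payload and record its per-file public key and nonce. The page gives only the field list and total length, so the field order (32-byte public key, 12-byte nonce, 4 unspecified bytes, 8-byte marker) and the assumption that the marker lies inside the RC4-encrypted region are assumptions of this example.

```python
# Added example: triage helper for the Payload file footer described above.
# Layout assumption (not stated on the page): 32-byte per-file Curve25519 public
# key | 12-byte ChaCha20 nonce | 4 unspecified bytes | 8-byte "payload\0" marker,
# all 56 bytes RC4-encrypted under the 3-byte key "FBI".
import os

RC4_KEY = b"FBI"
FOOTER_LEN = 56
MARKER = b"payload\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_footer(tail: bytes):
    """Decrypt the last 56 bytes and return the per-file fields, or None if the
    marker is absent (i.e. this does not look like a Payload-encrypted file)."""
    if len(tail) < FOOTER_LEN:
        return None
    plain = rc4(RC4_KEY, tail[-FOOTER_LEN:])
    if plain[-len(MARKER):] != MARKER:
        return None
    return {"pubkey": plain[:32], "nonce": plain[32:44], "unknown": plain[44:48]}


def triage_file(path: str):
    """Read only the trailing footer of a file on disk and parse it."""
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - FOOTER_LEN))
        return parse_footer(fh.read(FOOTER_LEN))


def build_sample_footer(pubkey: bytes, nonce: bytes) -> bytes:
    """Constructed sample footer for exercising the parser offline (not a real one)."""
    return rc4(RC4_KEY, pubkey + nonce + b"\x00" * 4 + MARKER)


if __name__ == "__main__":
    demo = b"file body" + build_sample_footer(b"\x11" * 32, b"\x22" * 12)
    print(parse_footer(demo))
```

Because the RC4 key is fixed, the encrypted marker bytes are constant across files, which is why the last 8 bytes are usable as a raw signature as well.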
Payload ships a Windows PE and a Linux/ESXi ELF. The ESXi build links libxml2 and parses /etc/vmware/hostd/vmInventory.xml via XPath to locate VM disk paths for targeted encryption; it uses a C thread pool and /dev/urandom, and lacks the Windows anti-forensics. The core crypto is identical across builds, but the operator public keys differ, indicating per-campaign or per-affiliate key generation.
Public analyses do not confirm a hardcoded CIS locale or keyboard kill switch. In the absence of evidence, CIS-exclusion behavior should be treated as unknown rather than assumed.
| Indicator | Type |
|---|---|
| .payload extension; RECOVER_payload.txt note | Host artifact |
| Mutex MakeAmericaGreatAgain | Host artifact |
| Footer marker payload\0 (last 8 bytes); strings "expand 32-byte kFBI" and "FBIthread-pool-%d" | Signature |
| ETW patch bytes in ntdll; full EvtClearLog wipe | Behavioral |
| vssadmin delete shadows; NTFS ADS rename to :payload | Behavioral |
| YARA rules (Windows + Linux) published at github.com/kirkderp/yara | Detection content |
No practical cryptographic weakness or universal decryptor exists. Defense must rely on prevention, detection, and immutable offline backups.
Financial Infrastructure
- Cryptocurrency type: not specified in open source. Bitcoin is plausible given Babuk-line norms, but this is unconfirmed.
- On-chain analysis: no published TRM Labs, Chainalysis, or Elliptic report addresses Payload wallet clusters, mixers, or cash-out venues as of June 2026.
- Sanctioned addresses: none. No OFAC-designated addresses or wallet IOCs are publicly tied to Payload.
- Revenue and laundering evolution: insufficient data. The short operational window and absence of on-chain reporting preclude any laundering-phase reconstruction.
Because payment negotiation is conducted entirely out of public view (Tor portal, no wallet address in the note), blockchain attribution opportunities are presently limited. This contrasts with established Babuk-line and Conti-diaspora groups, where centralized laundering has produced durable attribution.
Victim Profile & Targeting
Primary reporting cites healthcare, real estate, energy, telecom, and agriculture, particularly in emerging markets. Ransomware.live's aggregate view (which includes later victims) lists manufacturing, business services, consumer services, healthcare, and financial services among top activity sectors. The range suggests opportunistic targeting guided by perceived ability to pay rather than strict ideological criteria.
Seven countries were affected at the March snapshot, weighted toward emerging-market regions. Documented or sampled locations include Bahrain (Royal Bahrain Hospital), the Philippines, Egypt, Mexico, and Thailand. No CIS-region victims are documented, but no explicit CIS exclusion has been confirmed either.
Targeting focuses on mid-size and large organizations (healthcare providers, real-estate firms, energy/telecom, agriculture). There is no evidence of consumer targeting. The most prominent named victim to date is Royal Bahrain Hospital, a 70-bed private facility, listed 15 March 2026 with 110 GB claimed stolen and a 23 March publication deadline. The group's low overall count and recency mean few brand-name enterprises have been named so far.
Law Enforcement & Regulatory Response
| Action type | Status |
|---|---|
| Indictments / arrests | None. No named suspects in any jurisdiction. |
| OFAC / EU / UK sanctions | None. No designated individuals or wallets. |
| Infrastructure seizures | None. No reported takedown of Payload Tor infrastructure. |
| Joint operations | None. Payload has not featured in named Europol/FBI operations. |
| Informants / cooperators | None reported. |
| Decryptor availability | None. Not listed on No More Ransom; no vendor decryptor. |
The absence of action is consistent with the group's very short operational history (roughly four months as of June 2026) rather than evidence of protection or resilience. There is no public information about insiders, flipped affiliates, or cooperating witnesses.
Attribution & State Nexus
- No state attribution: no public reporting ties Payload to Russian or other state intelligence services (FSB, SVR, GRU).
- TTPs are not uniquely state-like: ETW patching, strong cryptography, and ADS cleanup are consistent with high-end financially motivated crews, not evidence of tasking.
- CIS behavior: no documented CIS kill switch or locale check. The usual Russia-safe-harbor pattern is not present in the available analysis, which actually weakens the typical Russian-nexus inference.
- Heritage hint only: Babuk code heritage is consistent with Eastern European origin, but heritage is not attribution and the code came from a public leak.
- Safe harbor: no public evidence of safe-harbor arrangements, non-prosecution, or intelligence-sharing relationships.
Connected Cluster & Trajectory Assessment
Payload sits inside a documented Babuk-derivative family. The ClamAV signature Win.Ransomware.Babuk-10032520-1 matches 154 samples across eight operations sharing the leaked codebase: RAWorld (143), Babuk original (4), Nitrogen (2), Payload (1), plus SchoolBoy, Neshta, and Cylan.
Current trackers (Ransomware.live, WatchGuard, SOC Prime) all treat Payload as an independent entry, acknowledging code heritage without merging it with Babuk or other families.
Payload ramped quickly from inception to roughly a dozen victims in its first month, reaching 16 or more by late March and remaining active through June 2026. It integrated strong crypto, ETW patching, ADS self-deletion, and partial encryption from the outset, indicating a relatively mature technical baseline, and ships Linux/ESXi variants with multi-platform YARA coverage, suggesting ongoing development. With no seizures or arrests reported, the group appears operationally intact, though its short history makes longer-term trajectory (rising versus plateauing) unclear. The principal intelligence gaps are:
- Initial access and intrusion ecosystem (access brokers, phishing kits, specific CVEs).
- Negotiation and ransom-demand patterns; payment amounts.
- Cryptocurrency types, wallet infrastructure, and laundering pathways.
- Geographic base, language indicators, and any law-enforcement interest.
- Whether the differing per-build operator keys reflect multiple affiliates or a single operator running separate campaigns.