New Payload Ransomware Emerges with Advanced Encryption and Anti-Forensics Tactics
A sophisticated new Windows ransomware strain, Payload, has surfaced in early 2026, employing a potent combination of ChaCha20 stream encryption and Curve25519 ECDH key exchange to render victim data irrecoverable without the attackers’ private key. The malware also integrates aggressive anti-forensics measures, including ETW patching, VSS deletion, event log wiping, and process termination, to evade detection and hinder recovery efforts.
First observed in February 2026, Payload quickly adopted a double-extortion model, stealing data before encryption and leveraging dedicated leak sites to pressure victims. Within weeks, the group claimed targets across Egypt, Mexico, Poland, and other regions, demonstrating a rapid global expansion. Its debut victim, SODIC, a major Egyptian real estate developer, marked the first public indication of Payload’s operations and infrastructure.
As of 24 March 2026, the group’s leak site listed 50 victims, with recent attacks targeting A-Sonic Logistics Solutions, underscoring a focus on high-disruption sectors like logistics and supply chains. While Payload’s targeting is opportunistic, key industries include:
- Logistics and transportation (e.g., freight and supply-chain firms)
- Real estate and construction (particularly in Egypt and the MENA region)
- Manufacturing, professional services, and technology
The ransomware’s encryption process generates a unique key per file using Curve25519 ECDH, with ephemeral private keys wiped from memory to prevent recovery. Encrypted files are renamed with the .payload extension and appended with an RC4-encrypted footer containing key handoff data. Ransom notes (RECOVER_payload.txt) direct victims to Tor-based negotiation and leak sites, imposing strict deadlines (72 hours for initial contact, 240 hours for full negotiation) under threat of data publication.
Payload’s binary includes 14 command-line flags for customization, enabling features like SIMD acceleration, thread control, and self-deletion. It enforces single-instance execution via a mutex named MakeAmericaGreatAgain and employs direct NT APIs for parallel file encryption while terminating critical processes and services to maximize damage.
Indicators of Compromise (IOCs):
- MD5: E0FD8FF6D39E4C11BDAF860C35FD8DC0
- SHA256: 1CA67AF90400EE6CBBD42175293274A0F5DC05315096CB2E214E4BFE12FFB71F
- Mutex: MakeAmericaGreatAgain
- File extension: .payload
- Ransom note: RECOVER_payload.txt
- Tor sites:
  - Leak site: payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion
  - Negotiation portal: payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion
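A host-side sweep for the file-system indicators listed above (the .payload extension, the RECOVER_payload.txt note, and the two sample hashes), written as an added example for this summary rather than code from the source article; the directory it builds and the file contents in it are constructed test data, not real artifacts.

```python
import hashlib
import os
import tempfile

# Indicators taken from the IOC list above (hashes lower-cased for comparison).
KNOWN_MD5 = {"e0fd8ff6d39e4c11bdaf860c35fd8dc0"}
KNOWN_SHA256 = {"1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f"}
ENCRYPTED_EXT = ".payload"
RANSOM_NOTE = "RECOVER_payload.txt"

def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def scan_tree(root):
    """Walk `root` and return (path, reason) pairs for every Payload indicator hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                hits.append((path, "ransom note"))
            elif name.lower().endswith(ENCRYPTED_EXT):
                hits.append((path, "encrypted file extension"))
            else:
                # Only hash files that are not already flagged by name.
                md5, sha256 = file_hashes(path)
                if md5 in KNOWN_MD5 or sha256 in KNOWN_SHA256:
                    hits.append((path, "known sample hash"))
    return hits

def build_sample_tree():
    """Constructed test data: one note, one renamed file, one clean file."""
    root = tempfile.mkdtemp(prefix="payload_ioc_")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note text\n")
    with open(os.path.join(root, "finance", "q1.xlsx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(b"\x00constructed ciphertext\x00")
    with open(os.path.join(root, "finance", "readme.txt"), "w") as fh:
        fh.write("benign\n")
    return root
```

Running `scan_tree(build_sample_tree())` reports the note and the renamed spreadsheet and leaves the benign file alone; on a real host, point `scan_tree` at the volume root and feed the hits to your alerting pipeline.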
Source: https://gbhackers.com/ransomware-uses-chacha20-and-curve25519/
SODIC cybersecurity rating report: https://www.rankiteo.com/company/sodic
```json
{
  "id": "SOD1779776631",
  "linkid": "sodic",
  "type": "Ransomware",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```

```json
{
  "affected_entities": [
    {"industry": "Real Estate and Construction", "location": "Egypt", "name": "SODIC", "type": "Company"},
    {"industry": "Logistics and Transportation", "name": "A-Sonic Logistics Solutions", "type": "Company"}
  ],
  "attack_vector": "Unknown (initial access broker details not provided)",
  "data_breach": {
    "data_encryption": "Yes (ChaCha20 + Curve25519 ECDH)",
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Sensitive business data", "Potentially PII or payment information"]
  },
  "date_detected": "2026-02-01",
  "date_publicly_disclosed": "2026-02-01",
  "description": "A sophisticated new Windows ransomware strain, Payload, has surfaced in early 2026, employing a potent combination of ChaCha20 stream encryption and Curve25519 ECDH key exchange to render victim data irrecoverable without the attackers’ private key. The malware also integrates aggressive anti-forensics measures, including ETW patching, VSS deletion, event log wiping, and process termination, to evade detection and hinder recovery efforts. Payload operates under a double-extortion model, stealing data before encryption and leveraging dedicated leak sites to pressure victims.",
  "impact": {
    "brand_reputation_impact": "High (data leaks, public disclosure)",
    "data_compromised": "Yes",
    "identity_theft_risk": "High (if PII was compromised)",
    "operational_impact": "High (data encryption, process termination, service disruption)",
    "payment_information_risk": "High (if payment data was compromised)",
    "systems_affected": "Windows systems"
  },
  "investigation_status": "Ongoing",
  "motivation": ["Financial gain", "Data extortion"],
  "ransomware": {
    "data_encryption": "Yes (ChaCha20 + Curve25519 ECDH, unique key per file)",
    "data_exfiltration": "Yes (double-extortion model)",
    "ransomware_strain": "Payload"
  },
  "references": [
    {"date_accessed": "2026-03-24", "source": "Payload Ransomware Leak Site", "url": "payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion"},
    {"date_accessed": "2026-03-24", "source": "Payload Ransomware Negotiation Portal", "url": "payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion"}
  ],
  "response": {"communication_strategy": "Tor-based negotiation and leak sites"},
  "threat_actor": "Payload Ransomware Group",
  "title": "New Payload Ransomware Emerges with Advanced Encryption and Anti-Forensics Tactics",
  "type": "Ransomware"
}
```