Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files
A new ransomware strain called Payload has been active since February 2026, targeting Windows systems globally with per-file encryption using ChaCha20 and Curve25519 ECDH.

A dangerous new ransomware strain called Payload has been quietly building a global victim list since it first appeared in February 2026. The group launched its leak site with a high-profile target and has since expanded operations across Egypt, Mexico, Poland, and beyond. What makes this threat stand out is not just its reach, but the technical sophistication behind how it locks down victim files.
Payload ransomware targets Windows systems and appends the ".payload" extension to every file it encrypts. Victims are greeted with a ransom note called RECOVER_payload.txt and given 240 hours to begin negotiations. By March 24, 2026, the group had already listed 50 victims on its leak site, ranging from real estate firms and logistics companies to manufacturers and technology providers. The group appears to focus on industries where downtime creates immediate financial pressure: logistics and transportation firms sit high on its target list, as do construction and real estate companies in the MENA region.
Dark Atlas said in a report shared with Cyber Security News that they conducted an in-depth technical analysis and found the group to be technically mature, with a well-designed encryption engine and aggressive steps taken to prevent detection. The malware carries a mutex named "MakeAmericaGreatAgain," which prevents multiple instances from running on the same machine. Before encryption begins, it deletes Windows shadow copies, patches event-tracing functions in memory, clears Windows Event Logs, and terminates dozens of database, backup, and office processes, leaving victims with very little to fall back on.
Payload ransomware uses a per-file encryption approach that makes recovery without the operator's private key essentially impossible. For each file, the malware generates a fresh 32-byte private key and a 12-byte nonce using Windows' own CryptGenRandom function. It then performs a Curve25519 ECDH operation between that per-file private key and the operator's embedded public key, and uses the resulting shared secret directly as the ChaCha20 key. Files are encrypted in one-megabyte chunks, and when the process completes a 56-byte footer is written to the end of every file, holding the victim's temporary public key and the nonce wrapped in RC4 encryption under the three-byte key "FBI".
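A triage helper for the footer format described above, added here as an illustration and not code from the malware or from the Dark Atlas report: it unwraps the RC4 layer on the last 56 bytes of an encrypted file and exposes the per-file Curve25519 public key and ChaCha20 nonce for inventorying, which is what an incident responder would need to catalogue before any decryption effort. The exact byte layout inside the footer is an assumption (public key, then nonce, then 12 bytes the report does not describe, with RC4 applied across all 56 bytes); the extracted public key on its own decrypts nothing, since the shared secret cannot be reconstructed without the operator's private key.

```python
"""Footer triage for .payload files (added example; layout is assumed, see lead-in)."""
from typing import NamedTuple

FOOTER_LEN = 56   # footer size stated in the analysis
RC4_KEY = b"FBI"  # three-byte RC4 key stated in the analysis
PUBKEY_LEN = 32   # Curve25519 public key
NONCE_LEN = 12    # ChaCha20 nonce


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then keystream XOR. RC4 is symmetric, so the
    same call both wraps and unwraps the footer."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class Footer(NamedTuple):
    ephemeral_pubkey: bytes  # victim-side per-file Curve25519 public key
    nonce: bytes             # per-file ChaCha20 nonce
    trailing: bytes          # remaining 12 bytes; contents not described in the report


def parse_footer(file_image: bytes) -> Footer:
    """Strip the RC4 wrapper from the last 56 bytes of an encrypted file image.
    ASSUMPTION: layout is pubkey(32) || nonce(12) || 12 unspecified bytes and RC4
    covers the whole footer; the report only states which fields the footer holds."""
    if len(file_image) < FOOTER_LEN:
        raise ValueError("file shorter than a .payload footer")
    plain = rc4(RC4_KEY, file_image[-FOOTER_LEN:])
    return Footer(plain[:PUBKEY_LEN],
                  plain[PUBKEY_LEN:PUBKEY_LEN + NONCE_LEN],
                  plain[PUBKEY_LEN + NONCE_LEN:])


def build_sample(pubkey: bytes, nonce: bytes, body: bytes = b"\x00" * 16) -> bytes:
    """Construct a synthetic encrypted-file image for exercising the parser
    (constructed test data, not captured from a real infection)."""
    footer = pubkey + nonce + b"\x00" * (FOOTER_LEN - PUBKEY_LEN - NONCE_LEN)
    return body + rc4(RC4_KEY, footer)
```

Run `parse_footer` over the bytes of a suspect file to record its per-file public key and nonce alongside the file path; that inventory is the input a decryption effort would need if the operator's key ever became available.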
The ransomware supports three speed modes, automatically choosing between AVX2, SSE2, and a standard scalar path based on the victim's processor. It also uses direct Windows NT API calls rather than standard user-mode functions, helping it bypass security tools that monitor higher-level activity. One of the most alarming aspects of Payload ransomware is how aggressively it erases its own tracks. When the bypass-etw flag is active, the malware patches four key event-tracing functions inside Windows' ntdll library, silencing the system's ability to log what the ransomware is doing.
Organizations should monitor for RECOVER_payload.txt, the .payload file extension, and the log file written to \??\C:\payload.log. Security teams should also watch for sudden termination of backup and database services, as this often signals active ransomware deployment. Maintaining offline backups and protecting shadow copy services at the infrastructure level are critical steps in limiting the damage this threat can cause. Payload should be tracked as an emerging ransomware operation with international ambitions, and monitoring its leak site, victim patterns, and future code changes will be essential as the group continues to grow.