New Payload Ransomware Emerges with Advanced Encryption and Anti-Forensics Tactics A sophisticated new Windows ransomware strain, Payload, has surfaced in early 2026, employing a potent combination of ChaCha20 stream encryption and Curve25519 ECDH key exchange to render victim data irrecoverable without the attackers’ private key. The malware also integrates aggressive anti-forensics measures, including ETW patching, VSS deletion, event log wiping, and process termination, to evade detection and hinder recovery efforts. First observed in February 2026, Payload quickly adopted a double-extortion model, stealing data before encryption and leveraging dedicated leak sites to pressure victims. Within weeks, the group claimed targets across Egypt, Mexico, Poland, and other regions, demonstrating a rapid global expansion. Its debut victim, SODIC, a major Egyptian real estate developer, marked the first public indication of Payload’s operations and infrastructure. As of 24 March 2026, the group’s leak site listed 50 victims, with recent attacks targeting A-Sonic Logistics Solutions, underscoring a focus on high-disruption sectors like logistics and supply chains. While Payload’s targeting is opportunistic, key industries include: - Logistics and transportation (e.g., freight and supply-chain firms) - Real estate and construction (particularly in Egypt and the MENA region) - Manufacturing, professional services, and technology The ransomware’s encryption process generates a unique key per file using Curve25519 ECDH, with ephemeral private keys wiped from memory to prevent recovery. Encrypted files are renamed with the .payload extension and appended with an RC4-encrypted footer containing key handoff data. Ransom notes (RECOVER_payload.txt) direct victims to Tor-based negotiation and leak sites, imposing strict deadlines (72 hours for initial contact, 240 hours for full negotiation) under threat of data publication. Payload’s binary includes 14 command-line flags for customization, enabling features like SIMD acceleration, thread control, and self-deletion. It enforces single-instance execution via a mutex named MakeAmericaGreatAgain and employs direct NT APIs for parallel file encryption while terminating critical processes and services to maximize damage. Indicators of Compromise (IOCs): - MD5: E0FD8FF6D39E4C11BDAF860C35FD8DC0 - SHA256: 1CA67AF90400EE6CBBD42175293274A0F5DC05315096CB2E214E4BFE12FFB71F - Mutex: MakeAmericaGreatAgain - File extension: .payload - Ransom note: RECOVER_payload.txt - Tor sites: - Leak site: payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion - Negotiation portal: payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion