Payload Ransomware Targets Windows and VMware ESXi Environments Using Babuk-Derived Encryption
May 28th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring an ongoing ransomware campaign by a threat group known as Payload, which has been active since at least February 17, 2026. The group has rapidly established a global footprint, publicly listing approximately 50 claimed victims as of March 2026 across sectors including real estate, logistics, transportation, energy, healthcare, and construction, with notable targeting in the MENA region and other emerging markets. Reported victim countries include Egypt, Mexico, Poland, and Bahrain, among others. What distinguishes Payload from other ransomware families is its dual-platform capability, targeting both Windows systems and VMware ESXi hypervisors, combined with a technically mature encryption engine derived from the Babuk ransomware family. The group operates a double-extortion model, exfiltrating sensitive data prior to encryption and threatening public disclosure on a dedicated Tor-based leak site to maximize pressure on victims.
Technical Details
Attack Type: Ransomware
Severity: High
Affected Systems: Windows systems (PE32 executable); VMware ESXi hypervisors (stripped ELF binary)
Exploit Status: Actively exploited in the wild
Windows Attack Chain:
Operates fully offline with no C2 communication; scans local and network drives for files to encrypt
Per-file encryption: CryptGenRandom generates a 32-byte Curve25519 private key and 12-byte ChaCha20 nonce; ECDH shared secret is derived using the operator's embedded public key and used directly as the ChaCha20 key with no separate derivation step
Files encrypted in 1 MB chunks; files over 2 GB receive partial encryption only (20% of file content in evenly spaced chunks)
.payload extension appended to all encrypted filenames
56-byte RC4-encrypted footer (key: "FBI") appended to each file containing the victim's ephemeral public key and nonce; produces the distinctive memory artifact "expand 32-byte kFBI," a strong detection signature
Per-file private key is zeroed from memory immediately after each file is processed; without the operator's Curve25519 private key, encrypted files are unrecoverable
Uses direct NT API calls (NtReadFile, NtWriteFile) instead of Win32 APIs, reducing visibility for some monitoring tools
Encryption exposes three CLI-selectable paths (avx2, sse2, default); the path labeled "avx2" executes SSE2 instructions only, and no YMM registers are used
Empties the recycle bin via SHEmptyRecycleBinA during execution
Mutex "MakeAmericaGreatAgain" prevents multiple simultaneous instances
Deletes itself post-execution via NTFS ADS rename of its own $DATA stream to :payload, releasing the file lock without spawning child processes
Drops ransom note RECOVER_payload.txt (alternate builds: RECOVERY-xx0001.txt); victims receive per-victim Tor portal credentials, a 240-hour negotiation window, and up to three free 15 MB decryptions as proof of capability
Pre-Encryption Defense Evasion (Windows):
When the bypass-etw flag is active, patches four ntdll.dll ETW functions in memory (EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, EtwRegister), causing each to return STATUS_SUCCESS immediately and drop all trace events; patch bytes: 48 33 C0 C3 (WoW64) / 33 C0 C2 14 00 (native x86)
When the l flag is active, loads wevtapi.dll at runtime and clears all event log channels (Application, System, Security, and all custom channels) via EvtClearLog
Terminates 31 processes and stops 34 services before encryption, targeting database engines, Office applications, and backup solutions including Veeam, Acronis, and BackupExec
Deletes all VSS snapshots via vssadmin.exe delete shadows /all /quiet
ESXi Attack Chain:
Stripped 40 KB ELF binary; links libxml2 and parses /etc/vmware/hostd/vmInventory.xml via XPath to enumerate VM disk paths for encryption
Core crypto identical to Windows build: Curve25519 + ChaCha20 with the RC4 footer keyed "FBI"; the embedded operator public key differs from the Windows build, suggesting separate key material between the Windows and Linux/ESXi builds
Memory artifact "FBIthread-pool-%d" in the Linux binary mirrors the Windows "expand 32-byte kFBI" artifact and serves as a parallel detection signature
Anti-debugging checks /proc/self/status for a non-zero TracerPid value
Does not include the process/service killer, VSS deletion, event log wiper, ETW patcher, mutex, or self-deletion present in the Windows build

Impact
Complete encryption of Windows file systems and VMware ESXi virtual machine disks, rendering critical infrastructure inaccessible; files exceeding 2 GB receive partial rather than full encryption but remain inaccessible without the operator's decryption key
Potential exfiltration of sensitive corporate data, including intellectual property, customer records, and confidential business information, prior to encryption
Significant operational downtime with direct revenue and productivity impacts, particularly severe for logistics and healthcare targets where system availability is operationally critical
Regulatory compliance exposure and potential notification obligations if personal or regulated data is confirmed exfiltrated
Reputational damage from victim publication on the group's Tor leak site, with countdown timers creating additional public pressure
Without the operator's Curve25519 private key, the shared secret cannot be derived, and encrypted files are unrecoverable; prevention and backup integrity are the only reliable recovery paths
Detection Method
File System and Host Artifacts:
Monitor for creation of RECOVER_payload.txt or RECOVERY-xx0001.txt and mass renaming of files to the .payload extension across directories
Monitor for the activity log written to C:\payload.log during execution (NT object path: \??\C:\payload.log)
Alert on the presence of the mutex "MakeAmericaGreatAgain," which indicates active ransomware execution
Monitor for NTFS alternate data stream activity where a running executable renames its own $DATA stream to an ADS named :payload, consistent with the Payload self-deletion mechanism
Defense Evasion and Anti-Forensics:
Hunt for in-memory patching of ETW functions within ntdll.dll; specific detection signatures are the patch byte sequences 48 33 C0 C3 (WoW64) and 33 C0 C2 14 00 (native x86) at the function prologues of EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, and EtwRegister
Monitor for abnormal clearance of Windows Event Log channels outside of scheduled maintenance windows, including runtime loading of wevtapi.dll by non-system processes
Detect execution of vssadmin.exe with the arguments "delete shadows /all /quiet," signaling active shadow copy destruction
Alert on sudden termination of backup and database services, including SQL Server, Veeam, and Acronis, which commonly precede active encryption
Memory and Binary Signatures:
Detect the memory artifact "expand 32-byte kFBI" in process memory or on-disk samples as a high-confidence indicator associated with Payload samples in Windows environments; the equivalent artifact "FBIthread-pool-%d" applies to Linux/ESXi environments
ESXi and Network:
For ESXi environments, monitor for unexpected access to /etc/vmware/hostd/vmInventory.xml or unusual disk I/O against VMDK files that may indicate hypervisor-level encryption activity
Alert on suspicious outbound connections to .onion infrastructure, particularly to the reported Payload-associated leak infrastructure and negotiation portal
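The following is an added triage helper (example code, not part of this advisory or any vendor tool) that turns the host, memory and process indicators above into checks a responder can run over a memory dump, an on-disk sample, or process-creation command lines. The export byte snippets and the dump buffer in the sample run are constructed; in practice the first bytes of each ETW export are read from the target's ntdll.dll mapping.

```python
import re

# Patch stubs exactly as listed in the advisory; labels follow the advisory's own wording.
ETW_PATCH_STUBS = {
    "wow64": bytes.fromhex("4833C0C3"),    # xor rax,rax ; ret       -> returns STATUS_SUCCESS (0)
    "x86":   bytes.fromhex("33C0C21400"),  # xor eax,eax ; ret 0x14  -> returns STATUS_SUCCESS (0)
}
ETW_FUNCTIONS = ("EtwEventWrite", "EtwEventWriteFull",
                 "EtwEventWriteTransfer", "EtwRegister")

# "expand 32-byte k" is ChaCha20's 16-byte constant; the RC4 key "FBI" sits directly after it.
STRING_SIGNATURES = {
    b"expand 32-byte kFBI":   "ChaCha20 constant + RC4 key (Windows build)",
    b"FBIthread-pool-%d":     "RC4 key + thread-pool string (Linux/ESXi build)",
    b"MakeAmericaGreatAgain": "single-instance mutex name",
    b"RECOVER_payload.txt":   "ransom note filename",
    b"RECOVERY-xx0001.txt":   "alternate ransom note filename",
}

VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.I)


def etw_patch_arch(prologue: bytes):
    """Return the advisory's arch label if an export's first bytes are a patch stub, else None."""
    for arch, stub in ETW_PATCH_STUBS.items():
        if prologue.startswith(stub):
            return arch
    return None


def check_etw_exports(exports: dict):
    """exports maps ETW function name -> first bytes read at that export; returns patched ones."""
    return {name: etw_patch_arch(exports[name])
            for name in ETW_FUNCTIONS if name in exports and etw_patch_arch(exports[name])}


def scan_strings(buf: bytes):
    """Return the descriptions of every advisory string signature present in buf."""
    return [desc for sig, desc in STRING_SIGNATURES.items() if sig in buf]


def is_vss_destruction(cmdline: str) -> bool:
    """True for a process-creation command line matching the advisory's vssadmin invocation."""
    return VSS_DELETE.search(cmdline) is not None


if __name__ == "__main__":
    # Constructed sample: one patched export, one benign-looking prologue, a fake memory region.
    exports = {"EtwEventWrite": bytes.fromhex("4833C0C3CC"), "EtwRegister": bytes.fromhex("4C8BDC49")}
    dump = b"\x00" * 8 + b"expand 32-byte kFBI" + b"\x00" * 8 + b"MakeAmericaGreatAgain"
    print(check_etw_exports(exports), scan_strings(dump))
    print(is_vss_destruction("cmd.exe /c vssadmin.exe delete shadows /all /quiet"))
```

Any hit from check_etw_exports or the two "FBI" strings is high-confidence on its own; the ransom note names and the vssadmin match are best correlated with the mass .payload renaming to rule out benign administration.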
Indicators of Compromise
Type | Indicator | Description |
SHA-256 | 1CA67AF90400EE6CBBD42175293274A0F5DC05315096CB2E214E4BFE12FFB71F | Payload ransomware Windows PE sample |
SHA-256 | BED8D1752A12E5681412EFBB8283910857F7C5C431C2D73F9BBC5B379047A316 | Payload ransomware Linux/ESXi ELF sample |
Mutex | MakeAmericaGreatAgain | Single-instance mutex preventing multiple executions on the same host |
File Extension | .payload | Extension appended to all encrypted files |
File Name | RECOVER_payload.txt | Ransom note dropped in affected directories |
File Name | RECOVERY-xx0001.txt | Ransom note filename used in alternate builds |
Recovery Label | g:payload | Key-handoff label written to recovery.ini |
File Path | C:\payload.log | Activity log written to disk during execution |
Command | /c vssadmin.exe delete shadows /all /quiet | Shadow copy deletion command executed pre-encryption |
Domain | payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion | Tor-based victim leak site |
Domain | payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion | Tor-based ransom negotiation portal |

Recommendations
Immediately verify that backup systems are intact, isolated from production networks, and tested for successful restoration; immutable and offline backup copies following 3-2-1 principles are critical given Payload's active targeting of Veeam and Acronis backup processes
Protect Volume Shadow Copy Services at the infrastructure level to prevent vssadmin-based deletion; restrict or audit use of vssadmin.exe through application control policies
Harden VMware ESXi environments by restricting management interface access, applying available ESXi patches, and monitoring for unexpected access to vmInventory.xml or abnormal VM disk activity
Deploy or tune endpoint detection capabilities to alert on in-memory ETW patching using the confirmed patch byte sequences, mass Event Log clearance, and bulk file renaming consistent with ransomware encryption patterns
Restrict or monitor remote access services with multi-factor authentication, given that ransomware operators commonly leverage exposed remote access services during enterprise intrusions
Implement network segmentation to limit lateral movement and prevent ransomware propagation from a single compromised host to adjacent Windows systems or ESXi infrastructure
Update incident response procedures to address double-extortion scenarios, including data breach notification requirements triggered by confirmed exfiltration, independent of whether a ransom is paid
Conduct threat hunting exercises using the IOCs and behavioral indicators in this advisory, prioritizing environments with ESXi infrastructure and organizations in logistics, real estate, healthcare, and energy sectors based on the group's documented victim profile
Conclusion
The Payload ransomware group has demonstrated rapid operational growth since February 2026, claiming approximately 50 victims across multiple continents within weeks of its initial activity. Its dual-platform capability across both Windows and VMware ESXi environments, combined with a technically mature Babuk-derived encryption engine and aggressive anti-forensic measures, including ETW patching and comprehensive log destruction, makes containment and recovery significantly more difficult than many contemporary ransomware operations. Without the operator's Curve25519 private key, the shared secret cannot be derived, and encrypted files are unrecoverable, placing the entire defensive burden on prevention, detection, and backup resilience. We recommend treating Payload as an active, high-priority threat requiring immediate review of backup integrity, ESXi hardening posture, and ransomware detection coverage across both Windows and virtualized infrastructure.