Full Report
Technical analysis of Payload ransomware, covering .payload encryption, ChaCha20, Curve25519 ECDH, ransom note recovery, and anti-forensics.

Key Takeaways

- Payload ransomware first appeared publicly in February 2026 and quickly showed a global victim footprint across Egypt, Mexico, Poland, and other regions.
- As of 24 March 2026, the group had listed 50 victims on its leak site.
- The ransomware encrypts files using ChaCha20, with a fresh Curve25519 ECDH key exchange per file.
- Encrypted files receive the .payload extension and include a 56-byte RC4-encrypted footer.
- The sample drops RECOVER_payload.txt, writes recovery data to recovery.ini, and uses strong anti-forensics techniques.
- Anti-forensics behavior includes ETW memory patching, VSS shadow copy deletion, Windows Event Log clearing, and targeted termination of processes and services.
Analysis Summary
# Tool/Technique: Payload Ransomware
## Overview
Payload Ransomware is a technically mature Windows-based locker that emerged in early 2026. It is characterized by its use of modern cryptographic primitives (ChaCha20 and Curve25519) and aggressive anti-forensics measures designed to disable system telemetry and prevent file recovery. The group operates a "double extortion" model, maintaining a public leak site to pressure victims.
## Technical Details
- **Type:** Malware family (Ransomware)
- **Platform:** Windows (PE32 Executable)
- **Capabilities:** File encryption, anti-forensics, service/process termination, shadow copy deletion, telemetry disabling (ETW patching).
- **First Seen:** February 15, 2026
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
  - [T1562.006 - Impair Defenses: Indicator Blocking/Removal System-Wide (ETW Patching)]
  - [T1070.001 - Indicator Removal: Clear Windows Event Logs]
- **[TA0040 - Impact]**
  - [T1486 - Data Encrypted for Impact]
  - [T1485 - Data Destruction]
  - [T1490 - Inhibit System Recovery (VSS Deletion)]
- **[TA0007 - Discovery]**
  - [T1012 - Query Registry]
  - [T1057 - Process Discovery]
## Functionality
### Core Capabilities
- **Hybrid Encryption:** Utilizes ChaCha20 for symmetric encryption. A unique 32-byte victim private key and 12-byte nonce are generated for every file.
- **Key Exchange:** Employs Curve25519 ECDH (Elliptic Curve Diffie-Hellman) to derive the shared secret (ChaCha20 key) from the attacker's master public key and the victim's ephemeral key.
- **Persistence/Recovery Data:** Writes recovery metadata to a file named `recovery.ini` and appends a 56-byte RC4-encrypted footer to every encrypted file.
- **File Renaming:** Appends the `.payload` extension to all encrypted files.
### Advanced Features
- **ETW Memory Patching:** Disables Event Tracing for Windows (ETW) in memory to prevent security tools and EDRs from receiving telemetry.
- **Service/Process Termination:** Automatically identifies and kills processes and services belonging to backup software, databases, and security tools to ensure files are not locked and detection is minimized.
- **System Cleanup:** Deletes Volume Shadow Copies (VSS) to prevent "Previous Versions" recovery and clears Windows Event Logs to obstruct post-incident forensics.
## Indicators of Compromise
- **File Names:**
  - `RECOVER_payload.txt` (Ransom note)
  - `recovery.ini` (Metadata storage)
- **File Extensions:** `.payload`
- **Network Indicators:**
  - `portal[.]darkatlas[.]io` (Note: this is the domain of the source technical report, not a confirmed attacker indicator; treat matches in logs with caution)
  - [Specific C2/Leak site URLs not provided in snippet, typically utilize .onion domains]
- **Behavioral Indicators:**
  - `vssadmin.exe delete shadows /all /quiet`
  - `wevtutil.exe cl system` (and other log channels)
  - Memory patching of `ntdll.dll!EtwEventWrite`
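The file-based indicators above (the ransom note and metadata file names, the `g:payload` marker, the `.payload` extension and the 56-byte trailer) can be turned into a small triage script. The following is an added example written for this page, not code from the original report or from the malware: it matches the static strings against a constructed sample blob, classifies the result, and extracts the trailing 56 bytes of a constructed `.payload` file for an analyst. The report does not document the footer's internal layout, so the script only uses its size and measures its entropy; the sample bytes, the indicator names and the verdict labels are assumptions made here.

```python
import math
from collections import Counter

# Static indicators named in the report. The ChaCha20 sigma constant also
# appears in legitimate software (TLS libraries, VPN clients), so on its own
# it is a weak indicator; the other strings are specific to this family.
STATIC_INDICATORS = {
    "chacha20_sigma": b"expand 32-byte k",
    "ransom_note_name": b"RECOVER_payload.txt",
    "recovery_ini_name": b"recovery.ini",
    "payload_marker": b"g:payload",
}
FAMILY_SPECIFIC = {"ransom_note_name", "payload_marker"}

FOOTER_SIZE = 56            # size of the RC4-encrypted trailer per the report
ENCRYPTED_EXT = ".payload"  # extension appended to encrypted files


def match_static_indicators(data: bytes) -> dict:
    """Return {indicator_name: offset} for every indicator found in data."""
    hits = {}
    for name, pattern in STATIC_INDICATORS.items():
        offset = data.find(pattern)
        if offset != -1:
            hits[name] = offset
    return hits


def classify_sample(hits: dict) -> str:
    """Verdict labels are assumptions for this example, not report terms."""
    if FAMILY_SPECIFIC & set(hits) and len(hits) >= 2:
        return "likely-payload"
    if hits:
        return "weak-match"
    return "no-match"


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; RC4 output should sit near the maximum for its length."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_encrypted_file(name: str, data: bytes) -> dict:
    """Check the extension and pull the trailer for further analysis."""
    footer = data[-FOOTER_SIZE:] if len(data) >= FOOTER_SIZE else b""
    return {
        "extension_match": name.lower().endswith(ENCRYPTED_EXT),
        "footer_present": len(footer) == FOOTER_SIZE,
        "footer": footer,
        "footer_entropy": shannon_entropy(footer),
    }


# Constructed stand-in for a suspicious PE: a stub header followed by the
# report's strings. Not bytes from a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"expand 32-byte k" + b"\x00" * 16
    + b"RECOVER_payload.txt\x00recovery.ini\x00g:payload\x00"
)
# Constructed stand-in for a benign binary that only embeds the ChaCha20 constant.
BENIGN_BINARY = b"MZ\x90\x00" + b"\x00" * 32 + b"expand 32-byte k"
# Constructed stand-in for an encrypted document: ciphertext body + 56-byte trailer.
SAMPLE_ENCRYPTED = b"\xAA" * 200 + bytes(range(FOOTER_SIZE))

if __name__ == "__main__":
    hits = match_static_indicators(SAMPLE_BINARY)
    print(classify_sample(hits), hits)
    print(classify_sample(match_static_indicators(BENIGN_BINARY)))
    print(triage_encrypted_file("invoice.docx.payload", SAMPLE_ENCRYPTED))
```

The verdict logic deliberately requires a family-specific string alongside any other hit, so a legitimate binary that merely links a ChaCha20 implementation is reported as a weak match rather than as the ransomware.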
## Associated Threat Actors
- **Payload Group:** An emerging ransomware operation currently showing a high volume of activity in the MENA region (Egypt), Mexico, and Poland.
## Detection Methods
- **Behavioral Detection:** Monitor for mass file renaming combined with the execution of `vssadmin.exe` or `wevtutil.exe`.
- **Memory Monitoring:** Detect unauthorized patching of the ETW functions exported by `ntdll.dll` (such as `EtwEventWrite`) or `advapi32.dll`.
- **YARA Rule Strategy:**
- Hex patterns for ChaCha20 constants (`expand 32-byte k`).
- Strings: `RECOVER_payload.txt`, `recovery.ini`, and the `g:payload` marker.
- Identification of RC4 footer logic (56-byte structure at EOF).
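The behavioral detection described above (mass renaming to `.payload` correlated with `vssadmin.exe` or `wevtutil.exe` execution) can be expressed as a short correlation rule. The following is an added example for this page, not code from the report or from any vendor product: it parses constructed process-creation and file-rename events in a simple pipe-delimited format invented here, groups them per host, and raises a high-severity alert when a shadow-copy deletion or log-clearing command occurs within two minutes of at least ten `.payload` renames, and a medium alert when the command occurs alone. The log format, the window and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns from the report's behavioral indicators.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
EVTLOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.IGNORECASE)

# Tuning values assumed for this example; adjust to the environment.
RENAME_THRESHOLD = 10
WINDOW = timedelta(seconds=120)


def parse_log(text: str) -> list:
    """Parse constructed lines of the form ts|kind|host|detail."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, host, detail = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind,
            "host": host,
            "detail": detail,
        })
    return events


def detect(events: list) -> list:
    """Correlate recovery-inhibition commands with nearby .payload renames."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        renames = [e["ts"] for e in evs
                   if e["kind"] == "FileRename"
                   and e["detail"].lower().endswith(".payload")]
        for e in evs:
            if e["kind"] != "ProcessCreate":
                continue
            if VSS_DELETE.search(e["detail"]):
                technique = "T1490 shadow copy deletion"
            elif EVTLOG_CLEAR.search(e["detail"]):
                technique = "T1070.001 event log clearing"
            else:
                continue
            nearby = sum(1 for t in renames if abs(t - e["ts"]) <= WINDOW)
            alerts.append({
                "host": host,
                "ts": e["ts"],
                "technique": technique,
                "severity": "high" if nearby >= RENAME_THRESHOLD else "medium",
                "payload_renames_in_window": nearby,
                "command": e["detail"],
            })
    return alerts


def _build_sample_log() -> str:
    """Constructed telemetry: one infected workstation, one admin server."""
    lines = []
    # WS-042: twelve documents renamed to .payload, then VSS deletion and log clearing.
    for i in range(12):
        lines.append(f"2026-03-20T10:00:{i:02d}Z|FileRename|WS-042|"
                     f"C:\\Users\\alice\\Documents\\report{i}.docx.payload")
    lines.append("2026-03-20T10:00:20Z|ProcessCreate|WS-042|vssadmin.exe delete shadows /all /quiet")
    lines.append("2026-03-20T10:00:25Z|ProcessCreate|WS-042|wevtutil.exe cl system")
    # SRV-01: an administrator lists shadows (benign) and clears one channel with no renames.
    lines.append("2026-03-20T11:15:00Z|ProcessCreate|SRV-01|vssadmin.exe list shadows")
    lines.append("2026-03-20T11:16:00Z|ProcessCreate|SRV-01|wevtutil.exe cl application")
    lines.append("2026-03-20T11:16:30Z|FileRename|SRV-01|D:\\backups\\nightly.bak")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["severity"], alert["host"], alert["technique"],
              alert["payload_renames_in_window"], alert["command"])
```

Running it yields two high-severity alerts for WS-042 (both commands land inside the rename burst) and one medium alert for SRV-01's log clearing, while the benign `vssadmin.exe list shadows` produces nothing. Keeping the lone-command case at medium rather than dropping it matters because the report lists log clearing as a distinct technique that is worth reviewing even without visible encryption activity.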
## Mitigation Strategies
- **Data Backup:** Maintain offline, immutable backups that cannot be accessed by the ransomware's automated deletion scripts.
- **Hardening:** Use Protected Process Light (PPL) for security agents to prevent termination and implement "Tamper Protection" where available.
- **Logging:** Forward Windows Event Logs immediately to a centralized SIEM/log aggregator that endpoints can only append to, so that copies are preserved even when the local logs are cleared.
- **Execution Prevention:** Implement AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unidentified PE files in user-writable directories.
## Related Tools/Techniques
- **Babuk/LockBit:** Similar patterns in service termination and VSS deletion.
- **ChaCha20/Curve25519 Implementations:** Similar to modern lockers like Conti or REvil that transitioned away from standard AES/RSA for speed and security.