Full Report
We reversed the Windows binary completely. Every code path, every crypto primitive, every command-line switch. The encryption uses Curve25519 key exchange paired with ChaCha20, and the per-file private keys are securely erased from memory after each file is locked. Without the operator's private key, encrypted files are unrecoverable. There is no backdoor in the crypto, no implementation flaw, no shortcut.

One detail stood out during analysis. Each encrypted file has a 56-byte footer that is itself RC4-encrypted. The key for that RC4 encryption is three bytes long: `FBI`. It sits right next to the ChaCha20 constant in the binary's data section, which makes them look like a single string: `expand 32-byte kFBI`. The Linux variant has a similar accident, where `FBI` runs into a thread pool format string to produce `FBIthread-pool-%d`. These are not modified cryptographic constants. They are just neighbouring strings in memory. But they make for distinctive detection signatures.
Analysis Summary
# Tool/Technique: Payload Ransomware
## Overview
Payload is a sophisticated "offline" ransomware family that emerged in early 2026. It is a derivative of the leaked Babuk source code (2021) but features significant enhancements in anti-forensics, encryption implementation, and command-line versatility. The group follows a double-extortion model, utilizing a Tor-based leak site and negotiation portal to pressure victims across multiple sectors and global regions.
## Technical Details
- **Type:** Malware family (Ransomware-as-a-Service or Private Group)
- **Platform:** Windows (PE), Linux/ESXi (ELF)
- **Capabilities:** Strong encryption (Curve25519/ChaCha20), service/process termination, anti-EDR (ETW patching), event log wiping, and self-deletion.
- **First Seen:** February 17, 2026
## MITRE ATT&CK Mapping
- **[TA0040 - Impact]**
  - [T1486 - Data Encrypted for Impact]
  - [T1490 - Inhibit System Recovery] (Deletion of Shadow Copies)
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (ETW patching)
  - [T1070.001 - Indicator Removal: Clear Windows Event Logs]
  - [T1070.004 - Indicator Removal: File Deletion] (Self-deletion via NTFS ADS)
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery]
## Functionality
### Core Capabilities
- **Robust Encryption:** Employs a Curve25519 key exchange paired with ChaCha20 for file locking. Per-file private keys are securely erased from memory immediately after use.
- **Multi-Platform:** Variants exist for both Windows environments and Linux/ESXi hypervisors.
- **Resource Management:** Kills 31 specific processes and stops 41 services (e.g., databases, backup software) to ensure files are not locked and can be encrypted.
- **Shadow Copy Deletion:** Deletes Volume Shadow Copies with `vssadmin.exe` so that files cannot be restored from local snapshots.
### Advanced Features
- **Anti-Forensics:** Patches four `ntdll` functions related to Event Tracing for Windows (ETW) to blind EDR solutions.
- **Log Wiping:** Enumerates and clears all Windows event log channels.
- **Stealthy Self-Deletion:** Moves its own executable into an NTFS Alternate Data Stream (ADS) named `:payload` before deleting it, so the on-disk binary is harder to recover.
- **Granular CLI:** Includes 12 command-line switches for tailored execution (e.g., targeting specific paths or network shares).
## Indicators of Compromise
- **File Hashes:**
  - **SHA256 (Windows):** `1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f`
  - **SHA256 (Linux):** `bed8d1752a12e5681412efbb8283910857f7c5c431c2d73f9bbc5b379047a316`
- **File Extensions:** `.payload`
- **Mutex:** `MakeAmericaGreatAgain`
- **Artifacts:** 56-byte RC4-encrypted footer at the end of locked files; RC4 key is `FBI`.
- **String Constants:**
  - Windows: `expand 32-byte kFBI`
  - Linux: `FBIthread-pool-%d`
## Associated Threat Actors
- **Payload Ransomware Group:** Active since February 2026; targeting healthcare, energy, and telecom sectors in emerging markets.
## Detection Methods
- **Signature-based:**
  - Detection of the `MakeAmericaGreatAgain` mutex string.
  - ClamAV: `Win.Ransomware.Babuk-10032520-1`.
  - Scanning for the unique `expand 32-byte kFBI` concatenated string in memory or binaries (the bare ChaCha20 constant `expand 32-byte k` also appears in benign software; the trailing `FBI` is what makes the match distinctive).
- **Behavioral:**
  - Execution of `vssadmin.exe delete shadows /all /quiet`.
  - Massive file renaming operations to `.payload`.
  - Modification of the ETW-related functions of `ntdll.dll` in process memory (ETW patching).
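The following Python script is an added example, not tooling from the report or from any vendor named on the page. It implements the signature checks listed above (the concatenated `expand 32-byte kFBI` and `FBIthread-pool-%d` strings explained in the full report, plus the mutex name) and the two behavioural checks (the `vssadmin` shadow-copy deletion command line and mass renaming to `.payload`), and runs them over constructed inputs. The sample binary blobs, command lines, rename events and the rename threshold are assumptions made for the demonstration; only the indicator strings and the `vssadmin` command line come from the report.

```python
"""Added example (not the report's own tooling): detection logic for the
Payload ransomware indicators in the report, run over constructed inputs.
The binary blobs, command lines and rename events below are made up; only
the indicator strings and the vssadmin command line come from the report."""
import re
from collections import Counter

# Signature indicators from the report, mapped to why each is distinctive.
STRING_INDICATORS = {
    b"expand 32-byte kFBI": "ChaCha20 constant adjacent to RC4 key 'FBI' (Windows variant)",
    b"FBIthread-pool-%d": "RC4 key 'FBI' adjacent to thread-pool format string (Linux variant)",
    b"MakeAmericaGreatAgain": "mutex name",
}

# Benign ChaCha20 implementations also contain this constant; what makes the
# indicator distinctive is the "FBI" that directly follows it, so the scanner
# matches the full concatenation and never the bare constant.
CHACHA20_CONSTANT = b"expand 32-byte k"


def scan_buffer(data: bytes) -> list[str]:
    """Return the description of every string indicator present in data."""
    return [desc for needle, desc in STRING_INDICATORS.items() if needle in data]


# Behavioural indicator: the shadow-copy deletion command line from the report.
# Case-insensitive and tolerant of a full path and repeated whitespace.
VSSADMIN_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.IGNORECASE
)


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if a process command line matches the shadow-copy wipe."""
    return VSSADMIN_DELETE_RE.search(command_line) is not None


def mass_rename_offenders(events: list[dict], threshold: int = 20) -> set[int]:
    """Return PIDs that renamed at least `threshold` files to the .payload
    extension. `events` are constructed rename records with keys 'pid' and
    'new_name'; the threshold is an assumed tuning value, not from the report."""
    counts = Counter(
        e["pid"] for e in events if e["new_name"].lower().endswith(".payload")
    )
    return {pid for pid, n in counts.items() if n >= threshold}


# --- Constructed sample inputs (hypothetical, for the demo only) ----------

# A fake data section laid out the way the report describes: the ChaCha20
# constant immediately followed by the RC4 key, then the mutex name.
SAMPLE_PAYLOAD_BINARY = b"\x00" * 16 + b"expand 32-byte kFBI\x00" + b"MakeAmericaGreatAgain\x00"

# A fake benign binary that merely embeds ChaCha20: the constant is followed
# by a NUL, so the concatenated indicator must not match.
SAMPLE_BENIGN_BINARY = b"\x00" * 16 + CHACHA20_CONSTANT + b"\x00" + b"libsodium\x00"

# A fake Linux-variant data section with the second accidental concatenation.
SAMPLE_LINUX_BINARY = b"FBIthread-pool-%d\x00"

SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    "vssadmin list shadows",
    "cmd.exe /c VSSADMIN.EXE  Delete Shadows /All /Quiet",
]

SAMPLE_RENAME_EVENTS = (
    [{"pid": 4242, "new_name": f"C:\\Users\\alice\\doc{i}.docx.payload"} for i in range(25)]
    + [{"pid": 1337, "new_name": "C:\\Temp\\notes.txt.payload"}]
    + [{"pid": 9001, "new_name": "C:\\Temp\\report.pdf"}]
)


def run_demo() -> dict:
    """Run every detector over the constructed inputs and return the findings."""
    return {
        "windows_binary": scan_buffer(SAMPLE_PAYLOAD_BINARY),
        "benign_binary": scan_buffer(SAMPLE_BENIGN_BINARY),
        "linux_binary": scan_buffer(SAMPLE_LINUX_BINARY),
        "shadow_deletion": [c for c in SAMPLE_COMMAND_LINES if is_shadow_copy_deletion(c)],
        "mass_rename_pids": mass_rename_offenders(SAMPLE_RENAME_EVENTS),
    }


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(f"{name}: {finding}")
```

The benign sample is the important negative case: a scanner that keys on `expand 32-byte k` alone will flag every program linking a ChaCha20 implementation, whereas the 19-byte concatenation only occurs where the `FBI` key happens to sit directly after the constant. The rename counter is deliberately per-process, since the report describes the encryptor itself performing the mass rename, and the threshold should be tuned to the environment's normal rename rate.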
## Mitigation Strategies
- **Prevention:** Implement robust endpoint protection (EDR) that monitors for ETW tampering and unauthorized process termination.
- **Hardening:** Disable or restrict the use of `vssadmin.exe` and other administrative tools for non-privileged users.
- **Backup:** Maintain off-site, immutable backups that are not accessible via standard network shares.
## Related Tools/Techniques
- **Babuk Ransomware:** Payload is a direct derivative of the 2021 Babuk leak.
- **RAWorld:** Another ransomware family sharing the same code lineage.
- **ChaCha20/Curve25519:** Commonly used in modern ransomware (e.g., Babuk NAS variant) for speed and security.