GBHackers

Payload ransomware hits Windows and ESXi with Babuk-style encryption


A new ransomware operation called Payload is rapidly emerging as a serious threat to both Windows and VMware ESXi environments, combining Babuk-style cryptography with aggressive anti-forensics and a working double-extortion model.

The group claims to have been active since at least February 17, 2026. It is already hitting mid-to-large organizations across multiple sectors and countries.

On March 15, the Payload group listed Royal Bahrain Hospital on its Tor leak site, claiming to have exfiltrated 110 GB of sensitive data and setting a March 23 deadline for ransom payment.

The hospital joins 11 other victims across seven countries, with a total of 2,603 GB of data allegedly stolen from organizations in real estate, energy, healthcare, telecom, and agriculture, mostly in emerging markets.

The attack follows the now-standard double-extortion playbook: data theft, file encryption, and public shaming via a dedicated leak blog.

Payload ransomware

Reverse engineering of the Windows binary shows a complete, well-implemented Babuk-style cryptographic scheme.

Payload uses Curve25519 ECDH (curve25519-donna) for key exchange and ChaCha20 for file encryption, with per-file key pairs and nonces generated via CryptGenRandom and securely wiped from memory after each file is processed.

The shared secret derived from the operator’s public key is used directly as the ChaCha20 key, and there is no evidence of weakened parameters, logic bugs, or embedded recovery keys; without the operator’s private Curve25519 key, encrypted data is effectively unrecoverable.

A distinctive quirk is a 56-byte footer appended to each encrypted file, protected only by RC4 with a three-byte key, "FBI."

This key appears in memory adjacent to the ChaCha20 sigma constant, producing artefacts such as "expand 32-byte kFBI" in the Windows build and "FBIthread-pool-%d" in the Linux/ESXi build: strong signatures for detection, but no practical cryptographic weakness. The three-byte RC4 wrapper is trivial to strip, yet stripping it yields nothing that recovers file contents; the Curve25519 private key is still required.

The dual-platform capability is confirmed: a large, feature-rich Windows PE compiled with MSVC and a small stripped ELF targeting VMware ESXi hosts via vmInventory parsing and threaded VM disk encryption.
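The scheme described above, as an added worked example written for this page (not code from the Payload sample or from GBHackers): pure-Python X25519 (RFC 7748), ChaCha20 (RFC 8439) and RC4, wired together the Babuk way, with a fresh key pair and nonce per file and the raw ECDH shared secret used directly as the ChaCha20 key. The function names (keygen, encrypt_file, decrypt_file, demo) are mine. The trailer layout (ephemeral public key plus nonce, RC4-wrapped under "FBI") is an assumption for the demo; the article gives the real footer's size (56 bytes) but not its contents. os.urandom stands in for CryptGenRandom, and the Python "wipe" is only nominal since the interpreter does not zero freed memory.

```python
import os
import struct

P = 2**255 - 19                      # Curve25519 field prime
M32 = 0xFFFFFFFF
BASE_POINT = (9).to_bytes(32, "little")
SIGMA = b"expand 32-byte k"          # ChaCha20 constant; "FBI" sits right after it in Payload's memory
FOOTER_RC4_KEY = b"FBI"              # the three-byte RC4 key reported for the file footer
TRAILER_LEN = 32 + 12                # ASSUMED demo trailer: ephemeral pubkey || nonce (real footer: 56 bytes)


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: Montgomery ladder computing scalar k times u-coordinate u."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # clamp the scalar
    ki = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (ki >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & M32


def _qr(s, a, b, c, d):
    """ChaCha quarter round on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439): 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<4I", SIGMA) + struct.unpack("<8I", key)
                 + (counter,) + struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):                                # 20 rounds = 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Stream-XOR data with ChaCha20 keystream; encryption and decryption are the same call."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); with a three-byte key it is obfuscation, not protection."""
    s = list(range(256)); j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(); i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF; j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def keygen(priv: bytes = None):
    """X25519 key pair; os.urandom stands in for CryptGenRandom in the Windows build."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASE_POINT)


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Babuk-style per-file encryption. Only the operator's *public* key is needed here."""
    eph_priv, eph_pub = keygen()                 # fresh key pair for this file
    nonce = os.urandom(12)                       # fresh nonce for this file
    shared = x25519(eph_priv, operator_pub)      # used directly as the ChaCha20 key, no KDF
    body = chacha20_xor(shared, nonce, plaintext)
    trailer = rc4(FOOTER_RC4_KEY, eph_pub + nonce)   # ASSUMED layout; RC4 hides it from casual carving only
    del eph_priv, shared                         # nominal stand-in for the locker's memory wipe
    return body + trailer


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Recovery path: needs the operator's private key to recompute the per-file secret."""
    body, trailer = blob[:-TRAILER_LEN], rc4(FOOTER_RC4_KEY, blob[-TRAILER_LEN:])
    eph_pub, nonce = trailer[:32], trailer[32:]
    shared = x25519(operator_priv, eph_pub)      # ECDH from the other side: same 32 bytes
    return chacha20_xor(shared, nonce, body)


def demo() -> bool:
    """Constructed sample: roundtrip works with the operator key and fails with any other key."""
    op_priv, op_pub = keygen()                   # operator key pair; op_priv never ships in the binary
    sample = b"constructed sample file contents " * 5
    blob = encrypt_file(sample, op_pub)
    with_key = decrypt_file(blob, op_priv) == sample
    without_key = decrypt_file(blob, os.urandom(32)) == sample
    return with_key and not without_key


if __name__ == "__main__":
    print("operator-key recovery only:", demo())
```

Running demo() encrypts a constructed sample and shows the roundtrip succeeds only with the operator's private key. Anyone who knows the three bytes can strip the RC4 wrapper off the trailer, but what it exposes in this model (an ephemeral public key and a nonce) does not recover the ChaCha20 key, which is the article's point: the "FBI" quirk is a detection signature, not a decryption shortcut. The `SIGMA` constant in the block is the same "expand 32-byte k" string the artefacts are built from, so a hunting rule for "expand 32-byte kFBI" is matching the key material laid out immediately after this constant.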

Dual-Platform Locker: Windows and ESXi

Security telemetry shows that many engines currently mislabel Payload as Babuk, reflecting the heavy code reuse and structural similarity between the families; defenders should treat Babuk verdicts on Windows or ESXi samples as possible Payload activity until the sample is examined.

There is so far no public evidence of a full ransomware-as-a-service ecosystem behind Payload, such as an affiliate panel or shared builder, so any RaaS branding remains unproven.

On Windows, Payload operates fully offline, scanning local and network drives, renaming files with a .payload extension, killing backup and security tools, deleting shadow copies, and optionally wiping Windows event logs while patching ETW functions to blind EDR.

The binary removes itself via an NTFS alternate data stream trick and uses a mutex named “MakeAmericaGreatAgain,” underlining a clear operator fingerprint.

The ransom note, embedded and RC4-encrypted inside the binary, instructs victims to access a Tor-based negotiation portal using unique credentials and offers limited free decryption as proof of capability.

A separate Tor leak site hosts file trees and full data dumps on countdown timers, with both sites confirmed reachable as of mid-March 2026.

For sectors like healthcare, the combination of strong Babuk-style encryption, ESXi hypervisor targeting, and credible leak threats significantly increases business and safety impact, making Payload a priority threat for defenders to monitor and hunt for across Windows and virtualized infrastructure.
