Skip to content
Ransomware group

Payload

Payload is an emerging ransomware operation and associated Windows ransomware family first publicly observed in February 2026.

Profile source: Mallory opens in a new tab

Payload

Family profile

Payload is an emerging ransomware operation and associated Windows ransomware family first publicly observed in February 2026. It operates as a financially motivated extortion actor rather than a known nation-state group. By late March 2026, the group had already disclosed dozens of victims on its leak site, indicating rapid operational scaling and an international victim footprint, with reporting noting activity across multiple regions and a notable concentration in Egypt and the broader MENA region.

Payload targets organizations across a wide range of sectors, including public sector, healthcare, manufacturing, logistics and transportation, real estate and construction, technology, financial services, hospitality, retail, media, and other commercial verticals. Observed victimology indicates broad opportunistic targeting consistent with ransomware-as-a-service or affiliate-driven intrusion activity rather than a narrowly specialized campaign.

Technically, Payload is a mature Windows ransomware strain that encrypts files using ChaCha20 with a per-file Curve25519 ECDH key exchange, a design that provides strong cryptographic separation between encrypted files and complicates recovery without attacker-held key material. The malware appends a distinctive extension to encrypted files, drops ransom notes in affected directories, and stores recovery metadata for victim identification and negotiation workflows. Analysis has also documented a protected footer structure written to encrypted files and a parallelized encryption routine intended to improve speed and scale.

Payload employs multiple anti-forensics, defense-evasion, and impact-enabling behaviors commonly associated with modern enterprise ransomware. These include deletion of Volume Shadow Copies, clearing of Windows Event Logs, patching of ETW-related functions in memory to reduce telemetry, termination of processes, and stopping of services associated with databases, backup platforms, and business applications prior to encryption. The malware also supports command-line options that allow operators or affiliates to tune execution behavior, including encryption scope, logging, mutex handling, network share encryption, and evasion features.

Reporting on the 2026 ransomware ecosystem has placed Payload alongside other active operators such as DragonForce, Play, Nova, and Akira, and explicitly noted a shared ransomware-as-a-service operating model without observed infrastructure overlap among those groups. Payload has also been described as maintaining operational visibility even amid fluctuations in incident volume. No high-confidence public attribution to a specific state sponsor or national intelligence service is currently available.

Known aliases are limited, and “Payload” appears to be the primary and most widely recognized name used by defenders and researchers.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Sha256

1 total
  • bed8d1752a12e5681412efbb8283910857f7c5c431c2d73f9bbc5b379047a316

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

Payload in ATT&CK

19 distinct techniques

Reporting

Research mentioning Payload

Jul 9
Hookphish

Ransomware Group payload Hits: The commune of Castries

The commune of Castries — an organization based in LC — has fallen victim to a ransomware attack conducted by the group payload.

Jul 5
Hookphish

Ransomware Group payload Hits: ENB Versich

ENB Versich — an organization based in US — has fallen victim to a ransomware attack conducted by the group payload.

Jul 5
Hookphish

Ransomware Group payload Hits: Vela Film S.r.l.

Vela Film S.r.l. — an organization based in IT — has fallen victim to a ransomware attack conducted by the group payload.

Jul 2
Hookphish

Ransomware Group payload Hits: Tofutown

Tofutown — an organization based in DE — has fallen victim to a ransomware attack conducted by the group payload.

Jun 29
Hookphish

Ransomware Group payload Hits: Villea Hotels in AttanaHo

Villea Hotels in AttanaHo — an organization based in US — has fallen victim to a ransomware attack conducted by the group payload.

Jun 26
Hookphish

Ransomware Group payload Hits: Software Arge

Software Arge — an organization based in US — has fallen victim to a ransomware attack conducted by the group payload.

Jun 26
Hookphish

Ransomware Group payload Hits: Clínica La Sabana

Clínica La Sabana — an organization based in CR — has fallen victim to a ransomware attack conducted by the group payload.

Jun 26
Hookphish

Ransomware Group payload Hits: Mosaic Partners

Mosaic Partners — an organization based in US — has fallen victim to a ransomware attack conducted by the group payload.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.