Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile • Last updated June 2026
Payload
Babuk-Derived Ransomware • Double Extortion • Windows + ESXi • Emerged February 2026
Tags: High Threat • Operational • RaaS Unverified

  • First observed: Feb 2026 (binary compiled 17 Feb 2026)
  • Leak-site victims: 16+ (growing; 12 at first analysis, Mar 2026)
  • Countries: 7+ (via ransomware.live)
  • Data claimed stolen: 2.6 TB (2,603 GB, Mar 2026 snapshot)
  • Confirmed revenue: Unknown (no on-chain analysis published)
  • LE disruptions: Zero (no arrests, sanctions, takedowns)
  • Lineage: Babuk (leaked builder, Sep 2021)
01  Executive Summary & Group Overview

Payload is a Babuk-derived ransomware operation that emerged in February 2026, running a classic double-extortion model against Windows and VMware ESXi environments. Data is exfiltrated before encryption, then victims are pressured through a Tor negotiation portal and a separate Tor leak blog with countdown timers. Encrypted files receive the .payload extension and a ransom note named RECOVER_payload.txt is dropped. The operation is technically mature from its first build: per-file Curve25519 plus ChaCha20 encryption, ETW patching, event-log wiping, NTFS Alternate Data Stream self-deletion, and partial encryption of large files for speed.

The group is small and recent. Its leak site went live within hours of the first build and reached roughly a dozen victims across seven countries inside its first month, growing to 16 or more by late March 2026 and remaining active through at least June 2026. No major incident-response vendor (CrowdStrike, Mandiant, Recorded Future, Microsoft, Unit 42, Secureworks) has issued a group-specific tracking codename; open sources track it generically as "Payload."

Overall assessment confidence: the technical and lineage core is CONFIRMED; operational model and attribution carry larger gaps.
Key Performance Indicators
Metric | Value | Confidence
First observed | 17 February 2026 (Windows binary compile date, first victim same week) | CONFIRMED
Leak-site victims | 12 at first analysis (15 Mar 2026); 16+ by late March; active June 2026 | CREDIBLE
Countries affected | 7 (emerging markets emphasis) | CONFIRMED
Data claimed stolen | 2,603 GB (~2.6 TB) at March 2026 snapshot | CREDIBLE
Platforms | Windows PE and Linux/ESXi ELF | CONFIRMED
Decryptor available | None (no implementation flaw identified; not listed on No More Ransom) | CONFIRMED
Confirmed revenue | Unknown (no published on-chain analysis; no wallet in note) | n/a (gap)
LE disruption status | None (no arrests, indictments, sanctions, or takedowns) | CONFIRMED
Quick-Reference Attributes
Attribute | Detail
Vendor tracking names | Tracked generically as "Payload" by SOC Prime, Ransomware.live, WatchGuard, Derp.ca. No group-specific codename from CrowdStrike, Mandiant, Recorded Future, Microsoft, Unit 42, or Secureworks as of June 2026.
Lineage | Babuk-derived (leaked September 2021 builder). 17 VirusTotal engines flag the binary as Babuk. Distinct family, not an announced rebrand of a named prior group.
Operational model | Double extortion. RaaS branding is repeated by some news outlets but UNVERIFIED: no affiliate panel or builder evidence in open source. Working assessment: closed crew or limited builder operation.
Extortion mechanic | Exfiltration before encryption; Tor negotiation portal with per-victim credentials; separate Tor leak blog with countdown timers.
File markers | Extension .payload; note RECOVER_payload.txt; mutex MakeAmericaGreatAgain; footer marker payload\0.
Encryption | Per-file Curve25519 ECDH + ChaCha20; shared secret used directly as key; no decryptor.
Assessed jurisdiction | Unestablished. Babuk heritage hints at Eastern European origin but is not attribution. No CIS kill-switch documented.
Named high-profile victim | Royal Bahrain Hospital (15 Mar 2026), 110 GB claimed, 23 Mar deadline.

[Figure: Data Leak Site & Branding]
02  Lineage & Organizational Heritage

Emergence

Payload was first observed in mid-February 2026. The analyzed Windows binary was compiled on 17 February 2026 (08:39 UTC), and the first victim appeared on the leak site within hours. Public technical write-ups followed in March 2026. Trackers (Ransomware.live, WatchGuard) and follow-on reporting continue to record active postings through at least June 2026.

Babuk Code Heritage: Evidentiary Pillars
Confirmed: code lineage to the leaked Babuk builder (September 2021)

The Babuk linkage is the best-supported claim in the profile. It rests on direct binary comparison against the leaked Babuk source, plus broad anti-virus consensus. No major vendor publicly disputes the Babuk-derived characterization.

Pillar 1 (Confirmed): Character-Identical Code
The service kill list and process kill list are character-identical to the leaked September 2021 Babuk builder. The Curve25519-donna implementation uses the same clamping logic and constant 121665. Shadow-copy deletion uses the same vssadmin command. (Derp.ca static analysis.)

Pillar 2 (Confirmed): AV/Signature Consensus
Seventeen VirusTotal engines detect the Windows binary as Babuk. The ClamAV signature Win.Ransomware.Babuk-10032520-1 matches the sample, placing it inside a documented Babuk-derivative family.

Pillar 3 (Credible): TTP Continuity
Pre-encryption service killing, shadow-copy deletion, and cross-platform Windows/ESXi targeting mirror Babuk derivatives seen previously. Supports lineage, though these behaviors are common across the broader post-Babuk cluster.

Pillar 4 (Unconfirmed): Personnel / Wallet Links
No public reporting ties specific Babuk operators or wallets to Payload's operators. Any personnel-level lineage is unconfirmed. Code heritage from a public leak does not establish shared operators.

Operator modifications on top of Babuk: cipher swapped from HC-128 to ChaCha20; key derivation simplified (shared secret used directly, no SHA-512 step); footer reworked to 56 bytes with an RC4 "FBI" key and a payload\0 marker; mutex changed to MakeAmericaGreatAgain; extension changed to .payload; note RC4-encrypted and base64-embedded; new anti-forensics (ETW patching, full event-log wipe, NTFS ADS self-deletion); a 12-switch command-line interface. The ChaCha20 swap may have been borrowed from Babuk's own NAS variant, which already used ChaCha20 in the leaked source.
Vendor Designation Disambiguation

Payload inherits Babuk code, not Conti code. Accordingly, Conti-cluster parent designations do not apply to this profile. Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) describe the parent Conti organization and are not relevant to Babuk-derived families. Babuk's own operators were tracked separately (for example Secureworks Gold Northfield); that designation attaches to the original Babuk crew, not to Payload.

For Payload itself, no group-specific vendor codename exists in open source as of June 2026. The Babuk-derivative assessment is made explicitly by Derp.ca and independent researchers and echoed by Ransomware.live; it is not yet framed as a formal lineage finding by large IR vendors such as Mandiant or CrowdStrike.

03  Operational Model

RaaS vs Closed Crew
Analyst inference: more likely a closed crew or limited builder operation than a mass-market RaaS

Several news outlets describe Payload as ransomware-as-a-service, but that label is repeated without supporting evidence. The primary static analysis is explicit that no public source shows an affiliate program, recruitment, revenue-share terms, or a builder panel. Treat RaaS branding as unverified.

The one ambiguous signal toward multiple operators is that the Windows and Linux/ESXi builds carry different embedded operator public keys, consistent with per-campaign or per-affiliate key generation. This is suggestive but not conclusive. On current evidence, the working assessment is a small closed crew or a limited builder-based operation rather than a broad RaaS marketplace.

Double-Extortion Mechanics
  • Exfiltration first: data is stolen before encryption, creating two leverage points.
  • Encryption: files locked with the .payload extension; recovery infeasible without the operator key.
  • Negotiation portal: each victim receives unique credentials for a Tor portal. Up to 3 free file decryptions (15 MB each) are offered as proof of capability.
  • Publication threat: a separate Tor leak blog publishes stolen data under countdown timers if payment is not made.
  • Offline operation: the payload stage has no command-and-control traffic; the binary is fully self-contained.
Negotiation Behavior

The decrypted ransom note frames a 72-hour initial pressure window (file-tree publication and naming of the company) and a 240-hour total negotiation window. No wallet address appears in the note; payment is arranged exclusively through the Tor portal. There is no public corpus of negotiation transcripts yet, so demand ranges, discounting behavior, and payment timing remain intelligence gaps.

Intelligence gap: ransom-demand amounts, discount behavior, and cryptocurrency type are not documented in open source. No chat-leak archive exists for Payload as of June 2026.
Infrastructure
Service | Onion address | Notes
Negotiation portal | payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd.onion | Per-victim credentials; exposes no Server header
Leak blog | payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd.onion | nginx with hardened security headers; different backend from the portal

Both sites were confirmed reachable as of mid-March 2026. The distinct backends (portal versus nginx leak blog) indicate deliberate separation of negotiation and publication infrastructure.

04  Technical Capabilities

Sample Overview
Field | Windows PE | Linux/ESXi ELF
SHA-256 | 1ca67af9...12ffb71fbed8d175...047a316 (both hashes are truncated and run together in the source; the boundary between them is not recoverable) | (see Windows column)
Type | PE32 console, MSVC (VS2019) | ELF 64-bit, stripped
Size | ~395 KB | ~40 KB
Compiled / first seen | 2026-02-17 08:39 UTC | VT first seen 2026-02-17
Mutex | MakeAmericaGreatAgain | None
VT detection | 57/76 | 8/76

The Windows build is roughly ten times larger than the Linux build, mostly due to static MSVC runtime linking plus the service/process kill lists, event-log wiper, and ETW patcher, none of which exist in the ESXi build.

Initial Access
Intelligence gap: no initial access vector or CVE documented

Public analysis focuses on the payload stage. No specific initial access vector (RDP, phishing, VPN/edge-device exploitation) and no exploited CVE have been documented for Payload. This is a primary gap. No Payload-specific CVE exists to verify against the NVD.

Encryption Scheme
Confirmed: no cryptographic weakness, backdoor, or implementation flaw identified
  • Per-file keypair: CryptGenRandom produces a 32-byte Curve25519 private key (clamped) and a 12-byte ChaCha20 nonce for each file.
  • ECDH: the shared secret of the per-file private key and the embedded operator public key is used directly as the ChaCha20 key, with no key-derivation step.
  • Cipher: ChaCha20 in 1 MB chunks. Files over 2 GB are partially encrypted (about 20%, in evenly spaced 1 MB chunks) for speed on large volumes.
  • Footer: a 56-byte footer is appended, RC4-encrypted with the 3-byte key "FBI"; it holds the per-file public key, nonce, and a payload\0 marker.
  • Key hygiene: the per-file private key is zeroed from memory immediately after the footer is written and never touches disk.
The "FBI" key is mundane, not a message. The 3-byte RC4 key "FBI" sits next to the ChaCha20 sigma constant in the binary's data section, so the two read together as the string "expand 32-byte kFBI". The Linux build has the same accident: "FBIthread-pool-%d". These are neighbouring strings, not modified cryptographic constants. They are valuable as detection signatures, not as evidence of operator intent.
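The footer and marker described above give a file-level triage check. What follows is an added example written for this profile, not code from the page or from Derp.ca's analysis: it walks a directory, flags files carrying the .payload extension, confirms them by the trailing 8-byte payload\0 marker, carves the 56-byte footer to recover the pre-encryption length, and measures first-chunk entropy to separate encrypted files from merely renamed ones. It assumes the marker is stored unencrypted as the last 8 bytes of the footer (the profile lists it as a last-8-bytes signature); the footer's internal layout and its RC4 step are not modelled, and the directory it builds for the demonstration is constructed.

```python
"""Host-artifact triage for the Payload ransomware markers (added example).

ASSUMPTION: the 8-byte marker b"payload\\x00" is the unencrypted tail of the
56-byte footer; the remaining 48 footer bytes are treated as opaque here.
"""
import math
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

MARKER = b"payload\x00"       # footer marker named in the profile
FOOTER_LEN = 56               # footer size named in the profile
EXTENSION = ".payload"        # extension appended to encrypted files
NOTE_NAME = "RECOVER_payload.txt"
SAMPLE_LEN = 1024 * 1024      # 1 MB, the cipher's chunk size per the profile


@dataclass
class Finding:
    path: str
    has_extension: bool
    has_marker: bool
    original_size: Optional[int]    # length before the footer was appended
    entropy_first_chunk: float      # Shannon entropy in bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_file(path: str) -> Finding:
    """Read the first chunk and the trailing marker without loading the whole file."""
    size = os.path.getsize(path)
    has_marker = False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_LEN)
        if size >= FOOTER_LEN:
            fh.seek(size - len(MARKER))
            has_marker = fh.read(len(MARKER)) == MARKER
    # Files over 2 GB are only ~20% encrypted per the profile, so the first chunk may
    # still be plaintext; the marker, not the entropy, is the authoritative check.
    return Finding(
        path=path,
        has_extension=path.endswith(EXTENSION),
        has_marker=has_marker,
        original_size=(size - FOOTER_LEN) if has_marker else None,
        entropy_first_chunk=shannon_entropy(head),
    )


def triage_tree(root: str) -> dict:
    """Walk a tree: confirmed-encrypted files, ransom notes, and extension-only hits."""
    report = {"encrypted": [], "notes": [], "renamed_only": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["notes"].append(full)
            elif name.endswith(EXTENSION):
                finding = inspect_file(full)
                # extension without the footer: renamed, truncated, or a decoy
                key = "encrypted" if finding.has_marker else "renamed_only"
                report[key].append(finding)
    return report


def build_sample_tree(root: str) -> None:
    """CONSTRUCTED demo directory; random bytes stand in for ciphertext."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "ledger.xlsx.payload"), "wb") as fh:
        fh.write(os.urandom(4096) + os.urandom(FOOTER_LEN - len(MARKER)) + MARKER)
    with open(os.path.join(root, "decoy.payload"), "wb") as fh:
        fh.write(b"renamed only, no footer " * 100)
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder note, not the real text\n")
    with open(os.path.join(root, "untouched.txt"), "w", encoding="utf-8") as fh:
        fh.write("plain text\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="payload-triage-")
    build_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    result = run_demo()
    for f in result["encrypted"]:
        print(f"encrypted: {f.path} original_size={f.original_size} "
              f"entropy={f.entropy_first_chunk:.2f}")
    print(f"notes: {len(result['notes'])}, extension-only: {len(result['renamed_only'])}")
```

Entropy is deliberately a secondary signal: a partially encrypted multi-gigabyte disk image can show a plaintext first chunk, whereas the trailing marker is present on every file the locker finished, and the recovered original_size tells a recovery team exactly how many bytes of the artefact are payload versus footer.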
Anti-Forensics & Evasion
  • ETW patching: patches four ntdll functions (EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, EtwRegister) to return immediately, blinding EDR that relies on ETW.
  • Event-log wipe: loads wevtapi.dll at runtime and clears every Windows event-log channel via EvtClearLog.
  • NTFS ADS self-deletion: renames its own data stream to an Alternate Data Stream (:payload), releasing the file lock so the executable deletes on close with no child process or temp batch file.
  • Shadow copies and recycle bin: deletes shadow copies via vssadmin.exe delete shadows /all /quiet and empties the recycle bin.
  • Kill lists: stops ~34 services (Veeam, Acronis, BackupExec, Symantec/Veritas, Sophos, Qihoo 360, Intuit QuickBooks) and ~31 processes (SQL, Oracle, Office suite, Thunderbird, Firefox, Steam).
Platform Coverage and CIS Behavior

Payload ships a Windows PE and a Linux/ESXi ELF. The ESXi build links libxml2 and parses /etc/vmware/hostd/vmInventory.xml via XPath to locate VM disk paths for targeted encryption; it uses a C thread pool and /dev/urandom, and lacks the Windows anti-forensics. The core crypto is identical across builds, but the operator public keys differ, indicating per-campaign or per-affiliate key generation.

CIS exclusion behavior: unknown

Public analyses do not confirm a hardcoded CIS locale or keyboard kill switch. In the absence of evidence, CIS-exclusion behavior should be treated as unknown rather than assumed.

Detection Pivots
Indicator | Type
.payload extension; RECOVER_payload.txt note | Host artifact
Mutex MakeAmericaGreatAgain | Host artifact
Footer marker payload\0 (last 8 bytes); strings "expand 32-byte kFBI" / "FBIthread-pool-%d" | Signature
ETW patch bytes in ntdll; full EvtClearLog wipe | Behavioral
vssadmin delete shadows; NTFS ADS rename to :payload | Behavioral
YARA rules (Windows + Linux) published at github.com/kirkderp/yara | Detection content

No practical cryptographic weakness or universal decryptor exists. Defense must rely on prevention, detection, and immutable offline backups.
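As an added example of turning the behavioral pivots above into detection logic (written for this profile; not code from the page or from the published YARA rules), the following Python runs rules for shadow-copy deletion, mass event-log clearing, the :payload ADS staging, ransom-note creation and .payload writes over constructed Sysmon- and Windows-log-style records, then chains the hits into a verdict. The record shape, field names, and the 60-second / 3-channel burst threshold are assumptions for illustration; Sysmon event IDs 1, 11 and 15 and the Windows log-cleared events 1102 (Security) and 104 (System) are real identifiers.

```python
"""Behavioral detection for Payload-style activity over log records (added example).

The record shape is an ASSUMED simplification of Sysmon / Windows event exports.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}  # audit / system log cleared
CLEAR_WINDOW_S = 60     # assumed burst window
CLEAR_THRESHOLD = 3     # assumed: this many distinct channels cleared counts as a wipe
NOTE_NAME = "RECOVER_payload.txt"


@dataclass
class Alert:
    rule: str
    ts: int
    detail: str


# CONSTRUCTED records; ts is seconds from an arbitrary origin.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 0, "source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 2, "source": "Sysmon", "id": 11, "TargetFilename": r"C:\Users\Public\RECOVER_payload.txt"},
    {"ts": 3, "source": "Sysmon", "id": 11, "TargetFilename": r"C:\Data\q1-report.xlsx.payload"},
    {"ts": 40, "source": "Security", "id": 1102, "Channel": "Security"},
    {"ts": 41, "source": "System", "id": 104, "Channel": "System"},
    {"ts": 41, "source": "System", "id": 104, "Channel": "Application"},
    {"ts": 42, "source": "System", "id": 104, "Channel": "Microsoft-Windows-PowerShell/Operational"},
    {"ts": 45, "source": "Sysmon", "id": 15, "TargetFilename": r"C:\Users\Public\svc.exe:payload"},
    {"ts": 50, "source": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    clears: List[Tuple[int, str]] = []
    for e in events:
        src, eid = e.get("source"), e.get("id")
        if src == "Sysmon" and eid == 1 and VSSADMIN_RE.search(e.get("CommandLine", "")):
            alerts.append(Alert("shadow_copy_deletion", e["ts"], e["CommandLine"]))
        elif src == "Sysmon" and eid == 11:
            name = _basename(e.get("TargetFilename", ""))
            if name == NOTE_NAME:
                alerts.append(Alert("ransom_note_dropped", e["ts"], e["TargetFilename"]))
            elif name.lower().endswith(".payload"):
                alerts.append(Alert("payload_extension_written", e["ts"], e["TargetFilename"]))
        elif src == "Sysmon" and eid == 15 and e.get("TargetFilename", "").lower().endswith(":payload"):
            # the binary moves its own data into an ADS named :payload before self-deleting
            alerts.append(Alert("ads_self_deletion_staging", e["ts"], e["TargetFilename"]))
        elif (src, eid) in LOG_CLEAR_EVENTS:
            clears.append((e["ts"], e.get("Channel", "unknown")))
    # Burst rule: one cleared log is routine admin noise; many channels inside one
    # window matches the every-channel EvtClearLog sweep described in the profile.
    clears.sort()
    for t0, _ in clears:
        channels = {ch for t, ch in clears if t0 <= t <= t0 + CLEAR_WINDOW_S}
        if len(channels) >= CLEAR_THRESHOLD:
            alerts.append(Alert("mass_event_log_clear", t0,
                                f"{len(channels)} channels cleared within {CLEAR_WINDOW_S}s"))
            break
    return alerts


def assess(events: List[Dict]) -> Tuple[str, List[str]]:
    """Chain several weak signals into a verdict; one rule alone is only 'suspicious'."""
    fired = sorted({a.rule for a in detect(events)})
    if len(fired) >= 3:
        return "payload_consistent_chain", fired
    return ("suspicious" if fired else "clean"), fired


if __name__ == "__main__":
    verdict, rules = assess(SAMPLE_EVENTS)
    print(verdict, rules)
```

The chaining matters more than any single rule: vssadmin deletions and a lone log clear both occur in legitimate administration, but the profile's sequence (shadow-copy deletion, note drop, mass channel wipe, ADS staging) rarely co-occurs outside a ransomware run, and the ETW patching the profile documents means the EDR's own telemetry may be blind, so log-based and file-based pivots should be kept on an independent collection path.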

05  Financial Infrastructure

Major intelligence gap. Payload's financial infrastructure is essentially undocumented in open source. No wallet address appears in the ransom note; payment is arranged only through the Tor portal.
  • Cryptocurrency type: not specified in open source. Bitcoin is plausible given Babuk-line norms, but this is unconfirmed.
  • On-chain analysis: no published TRM Labs, Chainalysis, or Elliptic report addresses Payload wallet clusters, mixers, or cash-out venues as of June 2026.
  • Sanctioned addresses: none. No OFAC-designated addresses or wallet IOCs are publicly tied to Payload.
  • Revenue and laundering evolution: insufficient data. The short operational window and absence of on-chain reporting preclude any laundering-phase reconstruction.

Because payment negotiation runs entirely outside on-chain visibility (Tor portal, no wallet in the note), blockchain attribution opportunities are presently limited. This contrasts with established Babuk-line and Conti-diaspora groups, where centralized laundering has produced durable attribution.

06  Victim Profile & Targeting

  • Victims (first analysis): 12, as of 15 Mar 2026 (Derp.ca)
  • Victims (late March): 16+, per ransomware.live
  • Countries: 7, emerging-market emphasis
  • Data claimed: 2.6 TB (2,603 GB, Mar 2026)
Sectors Targeted

Primary reporting cites healthcare, real estate, energy, telecom, and agriculture, particularly in emerging markets. Ransomware.live's aggregate view (which includes later victims) lists manufacturing, business services, consumer services, healthcare, and financial services among top activity sectors. The range suggests opportunistic targeting guided by perceived ability to pay rather than strict ideological criteria.

Geographic Distribution

Seven countries affected at the March snapshot, weighted toward emerging-market regions. Documented or sampled locations include Bahrain (Royal Bahrain Hospital), the Philippines, Egypt, Mexico, and Thailand. No CIS-region victims are documented, but no explicit CIS exclusion has been confirmed either.

Victim Size & Notable Names

Targeting focuses on mid-size and large organizations (healthcare providers, real-estate firms, energy/telecom, agriculture). There is no evidence of consumer targeting. The most prominent named victim to date is Royal Bahrain Hospital, a 70-bed private facility, listed 15 March 2026 with 110 GB claimed stolen and a 23 March publication deadline. The group's low overall count and recency mean few brand-name enterprises have been named so far.

07  Law Enforcement & Regulatory Response

Confirmed: no public law-enforcement or regulatory action against Payload as of June 2026
Action type | Status
Indictments / arrests | None. No named suspects in any jurisdiction.
OFAC / EU / UK sanctions | None. No designated individuals or wallets.
Infrastructure seizures | None. No reported takedown of Payload Tor infrastructure.
Joint operations | None. Payload has not featured in named Europol/FBI operations.
Informants / cooperators | None reported.
Decryptor availability | None. Not listed on No More Ransom; no vendor decryptor.

The absence of action is consistent with the group's very short operational history (roughly four months as of June 2026) rather than evidence of protection or resilience. There is no public information about insiders, flipped affiliates, or cooperating witnesses.

08  Attribution & State Nexus

Assessment: financially motivated criminal actor; state nexus unestablished (low confidence either way)
  • No state attribution: no public reporting ties Payload to Russian or other state intelligence services (FSB, SVR, GRU).
  • TTPs are not uniquely state-like: ETW patching, strong cryptography, and ADS cleanup are consistent with high-end financially motivated crews, not evidence of tasking.
  • CIS behavior: no documented CIS kill switch or locale check. The usual Russia-safe-harbor pattern is not present in the available analysis, which actually weakens the typical Russian-nexus inference.
  • Heritage hint only: Babuk code heritage is consistent with Eastern European origin, but heritage is not attribution and the code came from a public leak.
  • Safe harbor: no public evidence of safe-harbor arrangements, non-prosecution, or intelligence-sharing relationships.
Bottom line: treat Payload as a financially motivated criminal group with no confirmed state sponsorship or tasking. Any claim of direct state nexus would be low confidence on current evidence.
09  Connected Cluster & Trajectory Assessment

Babuk-Derivative Cluster (two-tier confidence)

Payload sits inside a documented Babuk-derivative family. The ClamAV signature Win.Ransomware.Babuk-10032520-1 matches 154 samples across eight operations sharing the leaked codebase: RAWorld (143), Babuk original (4), Nitrogen (2), Payload (1), plus SchoolBoy, Neshta, and Cylan.

CONFIRMED (anchor : shared-codebase relationship): Payload shares the leaked Babuk codebase with the cluster above, established by direct binary comparison and AV signature matching.
NOT ESTABLISHED (extension : shared-operator relationship): no open-source evidence ties Payload's operators, infrastructure (onion domains, servers), or affiliate roster to RAWorld, Nitrogen, or any other cluster member via TLS fingerprinting, hosting overlap, shared negotiation playbooks, or wallet clustering. Shared code does not imply shared operators. Neither Mandiant nor Recorded Future has published a formal cluster assessment for Payload.

Current trackers (Ransomware.live, WatchGuard, SOC Prime) all treat Payload as an independent entry, acknowledging code heritage without merging it with Babuk or other families.

Stability & Trajectory Signals
  • Observation window: ~4 mo (Feb to Jun 2026)
  • Internal strife: None (no chat leaks or disputes)
  • Rebranding: None (Payload is itself the new derivative)
  • Capability baseline: Mature (strong crypto + anti-forensics from day one)
Analyst inference: active and growing, but the window is too short for a firm volume trend

Payload ramped quickly from inception to roughly a dozen victims in its first month, reaching 16 or more by late March and remaining active through June 2026. It integrated strong crypto, ETW patching, ADS self-deletion, and partial encryption from the outset, indicating a relatively mature technical baseline, and ships Linux/ESXi variants with multi-platform YARA coverage, suggesting ongoing development. With no seizures or arrests reported, the group appears operationally intact, though its short history makes longer-term trajectory (rising versus plateauing) unclear.

Key Intelligence Gaps
  • Initial access and intrusion ecosystem (access brokers, phishing kits, specific CVEs).
  • Negotiation and ransom-demand patterns; payment amounts.
  • Cryptocurrency types, wallet infrastructure, and laundering pathways.
  • Geographic base, language indicators, and any law-enforcement interest.
  • Whether the differing per-build operator keys reflect multiple affiliates or a single operator running separate campaigns.

Sources

Primary Technical Analysis
[1] Derp.ca (Kirk): Payload ransomware group, mutex MakeAmericaGreatAgain (full static analysis, 15 Mar 2026) – derp.ca
[2] SOC Prime: Payload Ransomware In-Depth Technical Analysis – socprime.com
[3] Cyber Security News: New Payload Ransomware Uses Babuk-Style Encryption (17 Mar 2026) – cybersecuritynews.com
[4] GBHackers: Payload ransomware hits Windows and ESXi with Babuk-style encryption (17 Mar 2026) – gbhackers.com

Trackers & Victim Data
[5] Ransomware.live: Payload group profile – ransomware.live
[6] WatchGuard Ransomware Tracker: Payload – watchguard.com

Named Victim (Royal Bahrain Hospital)
[7] Security Affairs (Paganini): Payload Ransomware claims the hack of Royal Bahrain Hospital (15 Mar 2026) – securityaffairs.com
[8] SC Media: Payload ransomware claims breach of Royal Bahrain Hospital – scworld.com
[9] UpGuard: Payload Claims Data Breach on Royal Bahrain Hospital (17 Mar 2026) – upguard.com

Detection Content
[10] YARA rules (Windows + Linux/ESXi), Kirk/Derp – github.com/kirkderp/yara
[11] No More Ransom (decryptor availability check, accessed Jun 2026) – nomoreransom.org