A newly identified ransomware operation known as Payload Ransomware has emerged as a significant threat targeting both Windows and VMware ESXi environments. The malware employs advanced encryption mechanisms using ChaCha20 and Curve25519 ECDH cryptography, making file recovery without the attackers’ private keys practically impossible. Payload also incorporates extensive anti-forensics and defense-evasion capabilities designed to hinder detection, incident response, and recovery efforts.
The ransomware follows a double-extortion model, where attackers exfiltrate sensitive data before encrypting systems and threaten public disclosure if ransom demands are not met. Victims observed span industries including healthcare, logistics, telecommunications, manufacturing, construction, and real estate across multiple countries.
Threat Overview

Technical Analysis
Encryption Mechanism
Payload ransomware uses a sophisticated encryption architecture inspired by Babuk ransomware operations. The malware combines Curve25519 Elliptic Curve Diffie-Hellman (ECDH) key exchange with the ChaCha20 stream cipher for file encryption.
For every targeted file:
- A unique 32-byte private key and 12-byte nonce are generated using CryptGenRandom.
- The malware creates a per-file Curve25519 key pair.
- A shared secret is generated using the attacker’s embedded public key.
- The shared secret becomes the ChaCha20 encryption key.
- Files are encrypted in 1 MB chunks.
- A 56-byte encrypted footer containing recovery metadata is appended to each file.
This design gives each file its own encryption context: a key recovered from one file is useless for any other, so decryption at scale is only possible for whoever holds the attackers' private key.
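As an added illustration (not code from the advisory or from the malware itself), the per-file key agreement described above in pure Python: a throwaway operator key pair stands in for the public key embedded in the binary, `os.urandom` stands in for CryptGenRandom, and the scalar multiplication follows the RFC 7748 ladder. It shows why a key recovered from one file helps with no other file, and why the ephemeral public key written to the footer is only useful to whoever holds the operator's private key.

```python
# Added example: pure-Python X25519 (RFC 7748) used to demonstrate why Payload's
# per-file ECDH design defeats mass decryption. Keys below are constructed, not real.
import os

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4, the curve constant used by the ladder
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication on Curve25519 (RFC 7748 section 5)."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ~(1 << 255)) | (1 << 254)              # clamp the private scalar
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def per_file_key(operator_pub: bytes) -> tuple[bytes, bytes]:
    """Encrypting side: a fresh ephemeral key pair per file. Returns (shared, eph_pub);
    the shared secret is the per-file ChaCha20 key, only eph_pub is stored in the footer."""
    eph_priv = os.urandom(32)                            # stands in for CryptGenRandom
    return x25519(eph_priv, operator_pub), x25519(eph_priv, BASEPOINT)

def recover_file_key(operator_priv: bytes, eph_pub: bytes) -> bytes:
    """Operator side: rebuilds the per-file key from the footer's ephemeral public key."""
    return x25519(operator_priv, eph_pub)

def demo() -> dict:
    operator_priv = os.urandom(32)                       # constructed; never leaves the operator
    operator_pub = x25519(operator_priv, BASEPOINT)      # what would be embedded in the binary
    k1, pub1 = per_file_key(operator_pub)
    k2, pub2 = per_file_key(operator_pub)
    return {"recoverable_with_private_key": recover_file_key(operator_priv, pub1) == k1,
            "keys_differ_per_file": k1 != k2 and pub1 != pub2}
```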
Anti-Forensics and Defense Evasion
Payload ransomware incorporates several anti-analysis and anti-recovery techniques to maximize operational impact.
Observed Behaviors
The malware has been observed performing the following activities before encryption:
- Deleting Windows shadow copies
- Clearing Windows event logs
- Patching Event Tracing for Windows (ETW) functions
- Terminating backup, database, and security-related services
- Killing productivity and application processes
- Dynamically resolving Windows APIs
- Using direct NT API calls to evade monitoring tools
- Leveraging NTFS Alternate Data Streams (ADS) techniques
- Removing traces of execution after deployment
The ransomware specifically patches functions within ntdll.dll to interfere with Windows telemetry and security monitoring mechanisms, complicating forensic investigations and endpoint detection efforts.
MITRE ATT&CK Techniques

IOCs

Potential Impact
Organizations affected by Payload ransomware may experience:
- Complete encryption of critical business data
- Extended operational downtime
- Loss of access to virtualized infrastructure
- Exposure of sensitive or regulated information
- Business interruption and financial losses
- Reputational damage following data leaks
The malware’s targeting of backup systems and logging infrastructure significantly reduces the effectiveness of conventional recovery and investigative procedures.
Recommendations
Organizations are advised to monitor for:
- Creation of RECOVER_payload.txt
- Sudden appearance of .payload file extensions
- Deletion of shadow copies
- Event log clearing activity
- Unusual termination of backup/database services
- Mutex creation associated with MakeAmericaGreatAgain
- Direct NT API usage patterns
- Unauthorized encryption activity on ESXi datastores
Conclusion
Payload ransomware represents a highly capable and technically mature ransomware threat leveraging strong cryptographic implementations, aggressive anti-forensics, and cross-platform targeting capabilities. Its ability to impair recovery operations while simultaneously targeting enterprise virtualization environments increases its potential impact on organizations.