Encryption Engine Details
Researchers have uncovered a sophisticated ransomware strain called Payload that uses a potent combination of encryption technologies. First detected in February 2026, this threat leverages the ChaCha20 stream cipher paired with Curve25519 Elliptic Curve Diffie-Hellman (ECDH) key exchange to encrypt files on Windows systems. Each file receives a unique 32-byte private key and a 12-byte nonce generated through Windows cryptographic APIs, so recovery without the attacker's private key is virtually impossible. Encrypted files receive the .payload extension, and victims are instructed to locate and follow instructions in a ransom note named RECOVER_payload.txt.
Attack Execution and Defensive Evasion
Before beginning the encryption process, the ransomware takes aggressive steps to cripple recovery options. It deletes Windows Volume Shadow Copies, patches event tracing functions in memory, clears Windows Event Logs, and terminates database, backup, and office processes. The malware uses a mutex named MakeAmericaGreatAgain to prevent multiple infections on the same machine. Researchers from Dark Atlas noted that as of March 2026, the group had already listed 50 victims on its data leak site, spanning industries including logistics, manufacturing, real estate, and technology across multiple countries.
Detection and Mitigation Guidance
Security teams should monitor for the RECOVER_payload.txt ransom note, the .payload file extension, and log files written to C:\payload.log. Sudden termination of backup and database services often signals active deployment. Organizations should maintain offline backups and protect shadow copy services at the infrastructure level to limit potential damage. The group appears to be expanding operations globally with a focus on industries where downtime creates immediate financial pressure, including logistics and transportation firms in the MENA region.
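The indicators above (ransom note name, .payload extension, C:\payload.log, the MakeAmericaGreatAgain mutex, shadow copy deletion and a burst of backup/database process terminations) can be turned into a simple triage rule. The following is an added example written for this article, not code from the researchers or from Cyber Security News. It assumes a pipe-delimited event feed of the form `timestamp|event_type|subject` (a constructed format standing in for Sysmon or EDR telemetry), the sample events are constructed, the list of protected process names is an assumption to be adapted per estate, and the `vssadmin delete shadows` pattern is the usual way shadow copies are removed rather than something the article states.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Static indicators named in the article. Path matching is case-insensitive
# because Windows file systems are.
INDICATORS = {
    "ransom_note": re.compile(r"RECOVER_payload\.txt$", re.I),
    "encrypted_file": re.compile(r"\.payload$", re.I),
    "malware_log": re.compile(r"^C:\\payload\.log$", re.I),
    "mutex": re.compile(r"^MakeAmericaGreatAgain$"),
    # Assumption: the article only says shadow copies are deleted; vssadmin is
    # the common mechanism, so this pattern is an educated guess, not a stated IoC.
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
}

# Assumed names of backup/database services worth watching; adapt to your environment.
PROTECTED_PROCESSES = {"sqlservr.exe", "mysqld.exe", "veeamagent.exe", "oracle.exe"}

# Constructed sample telemetry (format: timestamp|event_type|subject).
SAMPLE_EVENTS = """\
2026-03-02T09:14:01Z|MutexCreate|MakeAmericaGreatAgain
2026-03-02T09:14:02Z|ProcessCreate|vssadmin.exe delete shadows /all /quiet
2026-03-02T09:14:03Z|ProcessTerminate|sqlservr.exe
2026-03-02T09:14:04Z|ProcessTerminate|mysqld.exe
2026-03-02T09:14:05Z|ProcessTerminate|veeamagent.exe
2026-03-02T09:14:06Z|ProcessTerminate|notepad.exe
2026-03-02T09:14:10Z|FileCreate|C:\\payload.log
2026-03-02T09:14:11Z|FileCreate|C:\\Users\\alice\\Documents\\budget.xlsx.payload
2026-03-02T09:14:12Z|FileCreate|C:\\Users\\alice\\Documents\\RECOVER_payload.txt
2026-03-02T09:20:00Z|FileCreate|C:\\Users\\alice\\Documents\\notes.txt
"""


def parse_event(line):
    """Parse 'timestamp|event_type|subject' into a tuple; return None for malformed lines."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return ts, parts[1], parts[2]


def match_indicators(events):
    """Return (indicator_name, subject) for every event hitting a static indicator."""
    hits = []
    for _ts, _etype, subject in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(subject):
                hits.append((name, subject))
    return hits


def max_terminations_in_window(events, window=timedelta(seconds=60)):
    """Largest number of protected processes killed within any `window`-long span.

    A sudden burst of backup/database terminations is the behavioural signal the
    article describes; a single kill is normal maintenance noise."""
    kills = sorted(ts for ts, etype, subj in events
                   if etype == "ProcessTerminate" and subj.lower() in PROTECTED_PROCESSES)
    best, i = 0, 0
    for j, ts in enumerate(kills):          # sliding window over sorted timestamps
        while ts - kills[i] > window:
            i += 1
        best = max(best, j - i + 1)
    return best


def triage(lines, kill_threshold=3):
    """Combine static indicators and the termination burst into one verdict."""
    events = [e for e in map(parse_event, lines) if e is not None]
    hits = match_indicators(events)
    kills = max_terminations_in_window(events)
    return {
        "indicator_hits": Counter(name for name, _ in hits),
        "protected_kills_in_60s": kills,
        "verdict": "ransomware_activity" if hits or kills >= kill_threshold else "clean",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS.splitlines()).items():
        print(key, value)
```

The static indicators are easy for the operator to change between campaigns, so the termination-burst check is kept separate: it fires on behaviour the article describes (killing database and backup processes just before encryption) regardless of the file names in use, and a single indicator hit is enough to escalate rather than wait for the full sequence.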
Source: Cyber Security News