PROBABLYPWNED
Malware · May 26, 2026 · 5 min read

Payload Ransomware Hits Windows and ESXi With Babuk-Style Encryption

New ransomware group Payload uses Babuk-derived code to target Windows and VMware ESXi systems. 12 victims across 7 countries within hours of launching leak site.

James Rivera

A new ransomware operation calling itself Payload has been conducting double-extortion attacks against organizations worldwide since February 2026. The group uses Babuk-derived source code to target both Windows and VMware ESXi systems, and has already claimed victims across healthcare, energy, real estate, and agriculture sectors in seven countries.

Security researchers tracking the group report that Payload listed 12 victims within hours of launching its leak site—an unusually aggressive debut suggesting the operators had been building their victim portfolio before going public.

Technical Analysis

Payload appends the ".payload" extension to encrypted files and drops a ransom note named RECOVER_payload.txt. The encryption scheme combines modern cryptographic primitives to ensure files cannot be recovered without the operator's private key.

The ransomware pairs Curve25519 elliptic-curve key exchange with the ChaCha20 stream cipher. For every file it generates a fresh Curve25519 keypair, runs ECDH between that ephemeral private key and the operator's public key embedded in the binary, and uses the resulting shared secret as that file's ChaCha20 key. The ephemeral private key is then discarded and only the ephemeral public key is kept alongside the ciphertext, which is what makes the scheme one-way for everyone but the operator: only the operator's private key can combine with the stored ephemeral public key to regenerate the file key. Because each file has its own key, recovering one key (for example from process memory during an incident) unlocks that file and nothing else.
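The construction described above, written out as an added example so the key-handling can be seen end to end. This is not Payload or Babuk code: X25519 (RFC 7748) and ChaCha20 (RFC 8439) are implemented in pure Python so it runs offline, and the header layout (ephemeral public key, then nonce, then ciphertext) and the SHA-256 step from shared secret to file key are assumptions, not details recovered from the malware.

```python
"""Per-file hybrid encryption in the Curve25519 + ChaCha20 style.

Added illustration, not Payload/Babuk code. Header layout and the
SHA-256 key derivation are assumptions made for this example.
"""
import hashlib
import os
import struct

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")  # Curve25519 base point u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 Montgomery ladder)."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64          # clamp the scalar as the RFC requires
    n = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _qr(s, a, b, c, d):
    """ChaCha quarter round on state indices a, b, c, d."""
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] ^= s[x]
        s[z] = ((s[z] << r) | (s[z] >> (32 - r))) & 0xFFFFFFFF


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """ChaCha20 keystream XOR (RFC 8439). Encryption and decryption are the same op."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                                  + struct.pack("<I", counter + off // 64) + nonce))
        s = init[:]
        for _ in range(10):
            for cols in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                         (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
                _qr(s, *cols)
        stream = struct.pack("<16I", *[(w + i) & 0xFFFFFFFF for w, i in zip(s, init)])
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], stream))
    return bytes(out)


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """One file: fresh ECDH keypair, shared secret -> file key, ChaCha20."""
    eph_priv = os.urandom(32)                  # exists only for the duration of this call
    eph_pub = x25519(eph_priv, BASE)           # written to the header so the operator can recover
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()  # assumed KDF
    nonce = os.urandom(12)
    return eph_pub + nonce + chacha20_xor(file_key, nonce, plaintext)


def recover_file_key(blob: bytes, operator_priv: bytes) -> bytes:
    """Operator side: ECDH(operator_priv, stored eph_pub) regenerates the file key."""
    return hashlib.sha256(x25519(operator_priv, blob[:32])).digest()


def decrypt_with_file_key(blob: bytes, file_key: bytes) -> bytes:
    """Defender side: usable only if this particular file's key was recovered."""
    return chacha20_xor(file_key, blob[32:44], blob[44:])


def demo() -> dict:
    operator_priv = os.urandom(32)             # never leaves the operator
    operator_pub = x25519(operator_priv, BASE)  # embedded in the locker binary
    blob_a = encrypt_file(b"constructed sample: quarterly ledger", operator_pub)
    blob_b = encrypt_file(b"constructed sample: patient index", operator_pub)
    key_a = recover_file_key(blob_a, operator_priv)
    return {
        "operator_decrypts_a": decrypt_with_file_key(blob_a, key_a),
        "key_a_reused_on_b": decrypt_with_file_key(blob_b, key_a),  # garbage: per-file keys
        "headers_differ": blob_a[:32] != blob_b[:32],
    }


if __name__ == "__main__":
    print(demo())
```

The point for responders is in the header: the 32-byte ephemeral public key is stored with every file, so a recovered sample tells you which operator key it was encrypted to, but nothing short of the operator's private key turns it back into a file key. The one exception is a file key still resident in memory, which decrypts exactly one file.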

The technical implementation confirms what researchers suspected: Payload is built on the Babuk source code that leaked in 2021, which has since spawned numerous ransomware variants. The group appears to have added its own modifications, including anti-forensic routines that overwrite evidence of the encryption process.

Targeting Pattern

Payload's victim profile skews toward emerging markets, though not exclusively. Known targets include:

  • El Wastani Petroleum Company (WASCO) - Major Egyptian oil and gas operator, claimed April 8, 2026
  • Kabushiki Gaisha Hodozuka Setsubi - Japanese building utilities firm, claimed May 19, 2026
  • Organizations in real estate, healthcare, telecom, and agriculture sectors

The geographic spread, from Egypt to Japan, suggests either deliberate targeting of regions with less mature incident response capabilities or opportunistic exploitation of whatever access the operators could obtain. Japan does not fit the emerging-market profile, so the access-driven explanation should not be ruled out.

The group claims to have exfiltrated 2,603 GB of data across all victims, a figure they use to pressure organizations into paying to prevent data publication.

ESXi Component

The cross-platform capability is notable. ESXi-targeting ransomware has become increasingly common as attackers recognize the value of hitting virtualization infrastructure. Encrypting a single ESXi host can take down dozens of virtual machines simultaneously, maximizing business impact.

This mirrors the pattern we saw with Storm-1175 using Medusa ransomware against VMware environments earlier this year. The Babuk codebase specifically includes ESXi encryption routines, which Payload appears to have inherited and refined.

Organizations running ESXi should isolate hypervisor management interfaces from general network traffic, enable lockdown mode so hosts are administered only through vCenter, and leave SSH disabled except during maintenance windows, re-disabling it afterwards rather than relying on the ESXi firewall alone.

Ransom Note Analysis

The RECOVER_payload.txt ransom note follows the standard double-extortion format: pay to decrypt, and pay separately to prevent data publication. The note directs victims to a Tor-based negotiation portal where operators demand payment in cryptocurrency.

Ransom amounts appear to vary based on perceived victim ability to pay—a common practice among mature ransomware operations. Smaller organizations report demands in the low six figures, while larger enterprises face significantly higher demands.

Connection to Babuk

The Babuk connection matters for defenders. Babuk's source code leaked in September 2021 when a disgruntled affiliate published the entire codebase. Since then, at least 15 distinct ransomware operations have incorporated Babuk code, including HelloKitty, Rook, and now Payload.

The code provides battle-tested encryption routines and ESXi support without requiring attackers to develop capabilities from scratch. For Payload's operators, building on Babuk meant they could launch with proven encryption technology from day one.

For security teams, this lineage suggests that Babuk-specific detection signatures may catch Payload activity. Review your existing Babuk detections and update them to include the ".payload" extension and RECOVER_payload.txt ransom note.

Defensive Recommendations

  1. Backup ESXi configurations - Ensure hypervisor configurations are backed up separately from the virtual machines they host
  2. Segment VMware infrastructure - Isolate ESXi management interfaces from general network traffic
  3. Hunt for ChaCha20 and Babuk artifacts - Flagging ChaCha20 use at runtime is not practical, since it is plain software with no API call to hook; instead scan unsigned or unexpected binaries for the "expand 32-byte k" constant every ChaCha20 implementation embeds, and pair that with behavioural detection of mass renames to .payload and creation of RECOVER_payload.txt
  4. Disable SSH on ESXi - Only enable when actively needed for administration
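To make the detection advice above concrete (updating Babuk detections for the .payload extension and ransom note name, and alerting on mass renames rather than on the cipher), here is an added example of the behavioural rule run over constructed file-activity events. It is not a vendor rule or anything published by the researchers tracking Payload; the event line format (timestamp, host, pid, process, operation, path), the 20-renames-per-60-seconds threshold and the datastore path prefix are assumptions to adapt to your own EDR or auditd export.

```python
"""Behavioural detector for Payload-style activity over file events.

Added example, not a vendor rule. Event format, threshold and sample
lines are constructed for this illustration.
"""
from collections import defaultdict, deque

RANSOM_NOTE = "RECOVER_payload.txt"
ENCRYPTED_EXT = ".payload"
RENAME_THRESHOLD = 20      # renames to .payload by one process ...
WINDOW_SECONDS = 60        # ... within this many seconds (assumed tuning)
VM_EXTENSIONS = (".vmdk", ".vmx", ".vmsn", ".vswp")  # ESXi datastore files
DATASTORE_PREFIX = "/vmfs/volumes/"


def parse(line: str) -> dict:
    """Assumed export format: '<ts> <host> <pid> <proc> <op> <path>'; path may contain spaces."""
    ts, host, pid, proc, op, path = line.split(maxsplit=5)
    return {"ts": int(ts), "host": host, "pid": pid, "proc": proc, "op": op, "path": path}


def detect(lines) -> list:
    """Return (kind, host, process, detail) alerts; mass-rename fires once per process."""
    alerts = []
    windows = defaultdict(deque)   # (host, pid) -> timestamps of recent .payload renames
    fired = set()
    for ev in map(parse, lines):
        key = (ev["host"], ev["pid"])
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if ev["op"] == "CREATE" and name == RANSOM_NOTE:
            alerts.append(("ransom_note", ev["host"], ev["proc"], ev["path"]))
        if ev["op"] == "RENAME" and ev["path"].endswith(ENCRYPTED_EXT):
            q = windows[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:   # slide the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ("mass", key) not in fired:
                fired.add(("mass", key))
                alerts.append(("mass_rename", ev["host"], ev["proc"],
                               f"{len(q)} renames in {WINDOW_SECONDS}s"))
            original = ev["path"][:-len(ENCRYPTED_EXT)]
            if (ev["path"].startswith(DATASTORE_PREFIX) and original.endswith(VM_EXTENSIONS)
                    and ("esxi", key) not in fired):
                fired.add(("esxi", key))   # one alert per process: a single VM file is already critical
                alerts.append(("esxi_vm_encrypted", ev["host"], ev["proc"], ev["path"]))
    return alerts


# Constructed sample events, not from a real incident.
SAMPLE_EVENTS = (
    ["1000 WS-FIN-07 4412 excel.exe WRITE C:\\Finance\\q1 budget.xlsx"]
    + [f"{1001 + i} WS-FIN-07 5120 lock.exe RENAME C:\\Finance\\doc{i:03d}.docx.payload"
       for i in range(25)]
    + ["1030 WS-FIN-07 5120 lock.exe CREATE C:\\Finance\\RECOVER_payload.txt",
       "2000 ESX-01 70211 encrypt RENAME /vmfs/volumes/ds1/web01/web01-flat.vmdk.payload",
       "2001 ESX-01 70211 encrypt CREATE /vmfs/volumes/ds1/RECOVER_payload.txt",
       "3000 WS-DEV-02 3001 explorer.exe RENAME C:\\Users\\b.lee\\draft.txt.payload"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The single rename on WS-DEV-02 produces nothing, which is the intent: extension-only matching is noisy, so the extension is used as a burst signal while the ransom note name and datastore paths are treated as high-confidence on their own.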

The emergence of yet another Babuk derivative reinforces why the ransomware ecosystem has proven so resilient. For a broader understanding of how ransomware groups operate, our guide on what ransomware is and how it works covers the fundamentals.

Organizations dealing with ransomware incidents should also review guidance from law enforcement—the recent Operation Saffron VPN takedown demonstrated that infrastructure used by ransomware gangs is increasingly subject to disruption, which may affect whether ransom payments even reach their intended recipients.

Indicators of Compromise

Type            Value
Extension       .payload
Ransom Note     RECOVER_payload.txt
Encryption      Curve25519 + ChaCha20
Platforms       Windows, VMware ESXi
Active Since    February 17, 2026

Only the extension and ransom note name are hunting indicators; the remaining rows describe the family rather than anything you can search for in logs.

Payload represents the latest iteration of a now-familiar pattern: leaked ransomware code enables new threat actors to enter the market with minimal development investment. Expect this group to continue operating until law enforcement intervention or internal conflict disrupts their activities.
