Payload ransomware is a Windows locker that encrypts files with ChaCha20 using a per-file Curve25519 ECDH key exchange, appends the .payload extension, and drops RECOVER_payload.txt ransom notes. It also uses aggressive anti-forensics tactics, including ETW patching, VSS shadow copy deletion, and Windows Event Log clearing, to hinder detection and recovery. #Payload #SODIC #A-SonicLogisticsSolutions
Key points
- Payload ransomware first appeared publicly on 15 February 2026.
- By 24 March 2026, its leak site listed 50 victims.
- It encrypts files with ChaCha20 and per-file Curve25519 ECDH keys.
- Encrypted files are renamed with the .payload extension and paired with RECOVER_payload.txt.
- The malware patches ETW, deletes VSS shadows, clears event logs, and kills processes and services.
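The behaviours listed above translate directly into host-level detection rules. The Python script below is an added example, not code from the Dark Atlas write-up: it scans a list of simplified EDR-style event records (a constructed sample, not real telemetry) for mass renames to the .payload extension, creation of RECOVER_payload.txt, shadow copy deletion and event log clearing. The extension and note name come from the summary; the event record shape, the rename threshold, and the command-line patterns for shadow deletion and log clearing are assumptions, since the summary does not state which commands Payload uses.

```python
"""Detection rules for the Payload ransomware behaviours named in the summary.

Added example; all sample events below are constructed, not captured telemetry.
"""
import re
from collections import defaultdict

# Indicators taken from the summary: the appended extension and the note name.
PAYLOAD_EXT = ".payload"
NOTE_NAME = "RECOVER_payload.txt"

# Assumed command forms for shadow copy deletion. The summary only says that
# VSS shadows are deleted, so these are the generic forms a defender watches
# for regardless of the ransomware family.
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy)",
    re.IGNORECASE,
)
# Assumed command forms for clearing Windows Event Logs.
LOG_CLEAR_RE = re.compile(r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog)", re.IGNORECASE)
# Windows records these event IDs when the Security (1102) or System (104) log is cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Constructed sample: host ws01 shows the full pattern, ws02 shows benign noise
# (a single .payload rename and a user opening a text file called RECOVER_payload.txt).
_PROC = r"C:\Users\alice\AppData\Local\Temp\upd.exe"  # hypothetical process path
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_rename", "process": _PROC,
     "path": rf"C:\Users\alice\Documents\report{i}.docx{PAYLOAD_EXT}"}
    for i in range(6)
] + [
    {"host": "ws01", "type": "file_create", "process": _PROC,
     "path": rf"C:\Users\alice\Documents\{NOTE_NAME}"},
    {"host": "ws01", "type": "process_create", "process": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "type": "process_create", "process": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "type": "windows_event", "event_id": 1102},
    {"host": "ws02", "type": "file_rename", "process": r"C:\Windows\explorer.exe",
     "path": rf"C:\Users\bob\Desktop\notes.txt{PAYLOAD_EXT}"},
    {"host": "ws02", "type": "process_create", "process": r"C:\Windows\System32\notepad.exe",
     "cmdline": f"notepad.exe {NOTE_NAME}"},
]


def detect(events, rename_threshold=5):
    """Return sorted (host, rule, detail) findings for a list of event dicts.

    rename_threshold is an assumed tuning knob: how many .payload renames on one
    host are needed before a mass-rename finding is raised.
    """
    findings = []
    renames = defaultdict(int)  # host -> number of renames to .payload
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "file_rename" and ev["path"].lower().endswith(PAYLOAD_EXT):
            renames[host] += 1
        elif kind == "file_create" and ev["path"].split("\\")[-1].lower() == NOTE_NAME.lower():
            findings.append((host, "ransom_note_drop", ev["path"]))
        elif kind == "process_create":
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE_RE.search(cmd):
                findings.append((host, "shadow_copy_deletion", cmd))
            if LOG_CLEAR_RE.search(cmd):
                findings.append((host, "event_log_clear", cmd))
        elif kind == "windows_event" and ev.get("event_id") in LOG_CLEARED_EVENT_IDS:
            findings.append((host, "event_log_clear", f"event_id={ev['event_id']}"))
    for host, count in renames.items():
        if count >= rename_threshold:
            findings.append((host, "mass_payload_rename", f"{count} files renamed to {PAYLOAD_EXT}"))
    return sorted(findings)


def rules_by_host(events, rename_threshold=5):
    """Collapse findings to {host: set of rule names} for quick triage."""
    out = defaultdict(set)
    for host, rule, _ in detect(events, rename_threshold):
        out[host].add(rule)
    return dict(out)


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:6} {rule:24} {detail}")
```

Any one of these rules fires on benign activity now and then (a single rename, an administrator clearing a log), so the triage value is in the combination: a host where shadow deletion and log clearing appear alongside a burst of .payload renames and a note drop should be isolated before the rest of the estate is touched.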
Read More: https://darkatlas.io/blog/behind-payload-in-depth-technical-analysis-of-payload-ransomware