A newly identified ransomware operation called Payload began targeting organisations on February 17, 2026, the same day its Windows binary was compiled, and posted its first victim on a dark web leak site within hours of launch. Twelve victims across seven countries have been claimed to date, with 2,603 gigabytes of allegedly stolen data held by the operators for use in extortion demands.
Technical construction
Payload takes the Babuk ransomware codebase as its starting point and makes targeted improvements that remove forensic recovery paths. The original Babuk encryption used the HC-128 stream cipher; Payload’s developer replaced it with ChaCha20, a more modern and widely scrutinised algorithm. Each file is encrypted under its own key, derived from a Curve25519 elliptic-curve key exchange between a fresh per-file keypair and the operator’s master public key.
The anti-forensic capability that distinguishes Payload from simpler Babuk derivatives is per-file key erasure. Once a file is encrypted, the per-file private key is wiped from memory. Only the per-file public key is retained alongside the ciphertext: that is enough for the operator, who holds the master private key, to recompute the file key, but it gives a responder nothing to work with, because no copy of the per-file private key or the file key survives on the victim system. Recovering a file key from what remains would mean breaking Curve25519, which is not computationally feasible. The design is a direct response to Babuk-era incidents in which implementation mistakes left key material recoverable from memory or disk.
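The following is an added model of the per-file key scheme described above, written for this page; it is not code from the Payload or Babuk binaries. It uses the `cryptography` package. The X25519 exchange, per-file ephemeral keypair and raw ChaCha20 follow the description; the use of HKDF-SHA256 to turn the shared secret into the file key, the trailer layout (ciphertext, then ephemeral public key, then nonce) and all names are assumptions made for the example.

```python
"""Model of the per-file key scheme: an added example, not Payload or Babuk code.

Operator side: a long-lived X25519 (Curve25519) master keypair.  Only the public
half ships in the encryptor.  Per file, the encryptor:
  1. generates a fresh ephemeral X25519 keypair,
  2. computes shared = ECDH(ephemeral_private, master_public),
  3. derives a 32-byte ChaCha20 key from shared (HKDF-SHA256 here; assumption),
  4. encrypts the file with raw ChaCha20,
  5. stores ephemeral_public and the nonce with the ciphertext, then discards
     ephemeral_private, shared and the file key.
Recovery needs master_private: ECDH(master_private, ephemeral_public) yields
the same shared secret and therefore the same file key.
"""
import os

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

EPH_PUB_LEN = 32            # raw X25519 public key
NONCE_LEN = 12              # ChaCha20 nonce (IETF layout)
KDF_INFO = b"per-file key"  # hypothetical domain-separation label


def derive_file_key(shared_secret: bytes) -> bytes:
    """32-byte ChaCha20 key from the ECDH output (HKDF-SHA256 is an assumption)."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=KDF_INFO, backend=default_backend()).derive(shared_secret)


def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Raw ChaCha20 keystream XOR, no authentication tag (as in the cipher described).
    `cryptography` expects a 16-byte nonce: little-endian block counter || 12-byte nonce."""
    full_nonce = (0).to_bytes(4, "little") + nonce
    ctx = Cipher(algorithms.ChaCha20(key, full_nonce), mode=None,
                 backend=default_backend()).encryptor()
    return ctx.update(data) + ctx.finalize()


def encrypt_file(plaintext: bytes, master_public: X25519PublicKey) -> bytes:
    """Encrypt one file.  Returns ciphertext || ephemeral_public || nonce."""
    eph_private = X25519PrivateKey.generate()
    eph_public = eph_private.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    shared = eph_private.exchange(master_public)
    file_key = derive_file_key(shared)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = chacha20_xor(file_key, nonce, plaintext)
    # Key erasure.  A native implementation overwrites the private scalar, the
    # shared secret and the file key in place (SecureZeroMemory / explicit_bzero)
    # before returning.  Python bytes are immutable, so `del` only drops the
    # references: this line records the intent, it is not a secure wipe.
    del eph_private, shared, file_key
    return ciphertext + eph_public + nonce


def parse_trailer(blob: bytes) -> tuple:
    """Split ciphertext, ephemeral public key and nonce: everything a responder can
    recover from the encrypted file itself.  None of it yields the file key."""
    trailer = EPH_PUB_LEN + NONCE_LEN
    return blob[:-trailer], blob[-trailer:-NONCE_LEN], blob[-NONCE_LEN:]


def decrypt_file(blob: bytes, master_private: X25519PrivateKey) -> bytes:
    """Operator-side recovery: recompute the shared secret from the stored
    ephemeral public key and the master private key."""
    ciphertext, eph_public, nonce = parse_trailer(blob)
    shared = master_private.exchange(X25519PublicKey.from_public_bytes(eph_public))
    return chacha20_xor(derive_file_key(shared), nonce, ciphertext)


def roundtrip_demo() -> dict:
    """Encrypt a constructed sample, then try recovery with the right and a wrong master key."""
    master = X25519PrivateKey.generate()
    sample = b"constructed sample file contents " * 8
    blob = encrypt_file(sample, master.public_key())
    _, eph_pub_a, _ = parse_trailer(blob)
    _, eph_pub_b, _ = parse_trailer(encrypt_file(sample, master.public_key()))
    return {
        "with_master_key": decrypt_file(blob, master) == sample,
        "with_wrong_key": decrypt_file(blob, X25519PrivateKey.generate()) == sample,
        "per_file_keys_differ": eph_pub_a != eph_pub_b,
        "overhead_bytes": len(blob) - len(sample),
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

The point to take from the model is what a responder is left with: the encrypted file carries the ephemeral public key and nonce, which are useless without the operator's master private key, and the only places the file key ever existed were the process memory locations the encryptor wiped. Memory forensics on a Babuk derivative that skips the wipe can recover those values; against one that performs it, the recovery path is the master key or nothing.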
The group operates a double-extortion model: data is exfiltrated before encryption begins, giving the operators leverage even against organisations with robust offline backups.
ESXi targeting matters
Alongside the Windows variant, Payload includes a VMware ESXi build. ESXi hypervisors are a high-value target because a single compromised host typically runs multiple virtual machines. Encrypting the datastore at the hypervisor layer takes entire server fleets offline in a single operation, bypassing the need to compromise each guest separately. Organisations that have invested in Windows endpoint detection and response tooling but left ESXi management infrastructure with weaker monitoring are particularly exposed.
The Babuk ESXi toolkit has circulated in ransomware communities since its source code was leaked in 2021, and Payload is not the first group to build on it. But the code quality visible in reverse engineering, including well-implemented cryptography and deliberate anti-forensic additions, suggests a more technically capable operator than most groups reusing leaked code.
What this means for infrastructure operators
The pattern here is one that incident responders see repeatedly: new ransomware groups launch with a technically capable toolset and a small victim count, operate below the threshold that triggers major media attention and law enforcement prioritisation, and accumulate victims for months before defensive attention catches up.
Protecting against a group like Payload requires looking at the full attack chain rather than endpoint protection alone. Initial access for ESXi-targeting ransomware frequently comes through exposed management interfaces, compromised VPN credentials, or lateral movement from a Windows endpoint. Monitoring for unusual ESXi datastore activity and restricting management plane access to defined administrative networks are more effective controls than signature-based detection once a group is operating with novel binaries.
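One concrete form of the ESXi monitoring suggested above, as an added example that is not Payload's tooling or any vendor's product: a detector for a burst of guest-stopping commands in a host's /var/log/shell.log. ESXi holds locks on the disk files of a running VM, so a ransomware binary has to power guests off before it can overwrite their .vmdk files, which makes a cluster of power-off or kill commands in one shell session a precursor to datastore encryption worth alerting on. The log lines are constructed in the shell.log format, and the thresholds are assumptions to be tuned per environment.

```python
"""Added example: burst detection over ESXi shell.log for guest-stopping commands.
Not Payload's or any vendor's code.  Sample log lines are constructed."""
import re
from collections import deque
from datetime import datetime, timezone

# shell.log line shape: 2026-02-17T09:14:02Z shell[12345]: [root]: <command>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z "
    r"shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Each of these is legitimate on its own; the signal is the rate, not the command.
STOP_PATTERNS = (
    re.compile(r"^esxcli\s+vm\s+process\s+kill\b"),
    re.compile(r"^vim-cmd\s+vmsvc/power\.off\b"),
)
ENUM_PATTERNS = (
    re.compile(r"^esxcli\s+vm\s+process\s+list\b"),
    re.compile(r"^vim-cmd\s+vmsvc/getallvms\b"),
)

BURST_COUNT = 3       # assumption: three guest stops ...
BURST_WINDOW_S = 120  # ... within two minutes from one shell pid

# Constructed sample: one session enumerates then stops four guests in ten
# seconds; a second session stops two guests ninety minutes apart (routine).
SAMPLE_SHELL_LOG = """\
2026-02-17T09:10:41Z shell[2099880]: [root]: esxcli storage filesystem list
2026-02-17T09:11:02Z shell[2099880]: [root]: vim-cmd vmsvc/getallvms
2026-02-17T09:11:30Z shell[2099880]: [root]: vim-cmd vmsvc/power.off 12
2026-02-17T09:11:33Z shell[2099880]: [root]: vim-cmd vmsvc/power.off 13
2026-02-17T09:11:37Z shell[2099880]: [root]: esxcli vm process kill --type=force --world-id=2100233
2026-02-17T09:11:40Z shell[2099880]: [root]: esxcli vm process kill --type=force --world-id=2100401
2026-02-17T14:02:11Z shell[2104412]: [root]: vim-cmd vmsvc/power.off 7
2026-02-17T15:40:55Z shell[2104412]: [root]: vim-cmd vmsvc/power.off 9
""".splitlines()


def parse_line(line):
    """Return (timestamp, pid, user, command) or None for lines not in shell.log shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, int(m["pid"]), m["user"], m["cmd"]


def detect_stop_bursts(lines, burst_count=BURST_COUNT, window_s=BURST_WINDOW_S):
    """One alert per shell pid whose guest-stop commands reach burst_count inside window_s.
    Enumeration commands seen earlier from the same pid are recorded as context."""
    windows = {}      # pid -> deque of (timestamp, command) inside the window
    enumerated = set()
    fired = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, user, cmd = parsed
        if any(p.match(cmd) for p in ENUM_PATTERNS):
            enumerated.add(pid)
            continue
        if not any(p.match(cmd) for p in STOP_PATTERNS):
            continue
        dq = windows.setdefault(pid, deque())
        dq.append((ts, cmd))
        while (ts - dq[0][0]).total_seconds() > window_s:
            dq.popleft()
        if len(dq) >= burst_count and pid not in fired:
            fired.add(pid)
            alerts.append({
                "pid": pid,
                "user": user,
                "first": dq[0][0].isoformat(),
                "last": ts.isoformat(),
                "stops": len(dq),
                "enumerated_first": pid in enumerated,
                "commands": [c for _, c in dq],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stop_bursts(SAMPLE_SHELL_LOG):
        print(alert)
```

Run against the sample, the first session trips the rule on its third stop and the second session, which stops guests hours apart, does not. Forward shell.log off the host before applying this, since a binary that encrypts the datastore can also truncate local logs; the page's point about restricting management plane access applies to the syslog path as well, because the collector is only useful if the hypervisor's shell cannot reach and alter it.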
Offline backups that are genuinely air-gapped from production infrastructure remain the most reliable recovery option. Backups reachable from the same network segment as production systems are frequently encrypted or deleted in the same attack.
If your organisation needs help reviewing its ransomware resilience, backup architecture, or ESXi security posture, contact Excello Digital. We help infrastructure teams identify gaps before an attacker does.
