Payload Ransomware: In-Depth Technical Analysis
Summary
Payload is a Windows ransomware family that encrypts files with ChaCha20, deriving a per-file key through a Curve25519 ECDH exchange, and appends the .payload extension to each encrypted file. The malware drops a RECOVER_payload.txt ransom note, creates its own log file, and applies several anti-forensic measures, including ETW patching, deletion of VSS shadow copies, clearing of event logs, and termination of selected processes and services. First seen in February 2026, the group rapidly expanded its victim base across several continents, with notable focus on logistics, real estate, and manufacturing organizations. The operators also rely on Tor onion sites for victim communication and data leak publication.
Investigation
The analysis explains the ransomware’s cryptographic workflow, including creation of a fresh 32-byte victim private key, derivation of a shared secret through Curve25519, and direct use of that shared secret as the ChaCha20 encryption key. File encryption is carried out through I/O Completion Ports and concludes with a 56-byte RC4-encrypted footer that contains the victim public key and a constant FBI marker. Its anti-forensic behavior includes in-memory ETW patching, shadow copy deletion via vssadmin, and removal of Windows Event Logs. Researchers also found a predefined kill list of processes and services that the ransomware stops before launching encryption.
Mitigation
Defenders should monitor for the MakeAmericaGreatAgain mutex, newly created .payload files, and the presence of the RECOVER_payload.txt ransom note. Restricting execution of vssadmin.exe and blocking known Tor onion addresses associated with the group can reduce the effectiveness of its anti-forensic and communication methods. Endpoint protections should also detect ETW patching, suspicious NT API file I/O activity, and forced termination of important services. Maintaining regular offline backups and limiting dependence on shadow copies can further reduce business impact.
Response
If Payload ransomware is detected, isolate the affected host from the network immediately, preserve volatile memory, and collect relevant logs for analysis. Investigators should identify and terminate any remaining malicious processes, then prioritize restoration from verified clean backups. If backups are not available, recovery efforts may use the supplied decryption keys together with the embedded RC4 footer to attempt file restoration. Relevant indicators should be shared with threat intelligence teams, and the associated Tor onion infrastructure and any linked command-and-control assets should be blocked.
Attack Flow (Mermaid diagram):
graph TB
%% Class definitions
classDef action fill:#99ccff
classDef technique fill:#ffcc99
classDef process fill:#c2f0c2
classDef tool fill:#cccccc
classDef malware fill:#ffb3b3
classDef operator fill:#ff9900
%% Nodes
action_initial_execution["<b>Action</b> – <b>T1059 Command-Line Execution</b>: Ransomware launched with command-line arguments controlling logging, encryption algorithm selection, thread count, background mode, mutex handling, ransom-note generation, process/service termination, ETW bypass, and event-log clearing."]
class action_initial_execution action
op_and1(("AND"))
class op_and1 operator
tech_T1059["<b>Technique</b> – T1059: Command-Line Interface. Executes programs via command-line arguments."]
class tech_T1059 technique
tech_T1027["<b>Technique</b> – T1027: Obfuscated Files or Information. Uses double-Base64 encoding, RC4-encrypted footer, and dynamic resolution of NT APIs to avoid static detection."]
class tech_T1027 technique
tech_T1490["<b>Technique</b> – T1490: Inhibit System Recovery. Deletes all Volume Shadow Copy snapshots via vssadmin.exe."]
class tech_T1490 technique
tech_T1070_001["<b>Technique</b> – T1070.001: Clear Windows Event Logs. Utilises wevtapi.dll to clear all event-log channels."]
class tech_T1070_001 technique
tech_T1070["<b>Technique</b> – T1070: Indicator Removal on Host (ETW Bypass). Patches ETW functions in memory to suppress event tracing."]
class tech_T1070 technique
tech_T1486["<b>Technique</b> – T1486: Data Encrypted for Impact. Generates per-file ChaCha20 keys via Curve25519 ECDH, encrypts files in 1 MB chunks, appends .payload extension and adds an RC4-encrypted footer containing victim public key and nonce."]
class tech_T1486 technique
tech_T1489["<b>Technique</b> – T1489: Service Stop. Terminates backup, database, security services and processes such as sql.exe and firefox.exe."]
class tech_T1489 technique
tech_T1564_012["<b>Technique</b> – T1564.012: Exclude Files/Directories. Skips encryption of system, browser and recovery directories and files."]
class tech_T1564_012 technique
process_vssadmin["<b>Process</b> – vssadmin.exe: Deletes shadow copies to remove recovery points."]
class process_vssadmin process
process_wevtapi["<b>Process</b> – wevtapi.dll: Clears Windows Event Log channels."]
class process_wevtapi process
process_etw["<b>Process</b> – ETW Bypass Module: Patches ETW functions to suppress tracing."]
class process_etw process
process_termination["<b>Process</b> – Service/Process Termination: Kills sql.exe, firefox.exe and other backup, database and security services."]
class process_termination process
malware_ransomware["<b>Malware</b> – Ransomware Payload: Performs encryption, ransom-note generation and cleanup activities."]
class malware_ransomware malware
%% Connections
action_initial_execution -->|leads_to| op_and1
op_and1 -->|uses| tech_T1059
op_and1 -->|uses| tech_T1027
op_and1 -->|uses| tech_T1490
op_and1 -->|uses| tech_T1070_001
op_and1 -->|uses| tech_T1070
op_and1 -->|uses| tech_T1486
op_and1 -->|uses| tech_T1489
op_and1 -->|uses| tech_T1564_012
tech_T1490 -->|executes| process_vssadmin
tech_T1070_001 -->|executes| process_wevtapi
tech_T1070 -->|executes| process_etw
tech_T1486 -->|implemented_by| malware_ransomware
tech_T1489 -->|executes| process_termination
Detections
- Suspicious VSSADMIN Activity (via cmdline)
- IOCs (HashSha256) to detect: Behind .payload: In-Depth Technical Analysis of Payload Ransomware
- IOCs (HashSha1) to detect: Behind .payload: In-Depth Technical Analysis of Payload Ransomware
- IOCs (HashMd5) to detect: Behind .payload: In-Depth Technical Analysis of Payload Ransomware
- Detection of Payload Ransomware Activity [Windows File Event]
- Detection of Payload Ransomware Activity [Windows Process Creation]
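As an added example (not part of the report or of its detection content), the Python below applies the behaviours these detections look for, vssadmin shadow deletion, the --bypass-etw flag, .payload file creation and the RECOVER_payload.txt note, to constructed Sysmon-style events and triages them per host; the event field names are assumptions, and the sample events are made up.

```python
import re

# Event IDs follow Sysmon numbering: 1 = process creation, 11 = file create.
# Field names (host, event_id, command_line, target_filename) are assumed
# for this example; real Sysmon XML/JSON needs a small mapping step first.
VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)
ETW_FLAG = "--bypass-etw"
RANSOM_NOTE = "recover_payload.txt"
ENCRYPTED_EXT = ".payload"

def classify(event):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    if event.get("event_id") == 1:
        cmd = event.get("command_line", "").lower()
        if VSS_DELETE_RE.search(cmd):
            hits.append("vss_shadow_delete")
        if ETW_FLAG in cmd:
            hits.append("etw_bypass_flag")
    elif event.get("event_id") == 11:
        path = event.get("target_filename", "").lower()
        if path.endswith(ENCRYPTED_EXT):
            hits.append("payload_extension_file")
        if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            hits.append("ransom_note_dropped")
    return hits

def triage(events, ext_threshold=3):
    """Count hits per host; flag a host on any anti-recovery/anti-forensic
    command, a dropped ransom note, or a burst of .payload files."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            counts = per_host.setdefault(ev["host"], {})
            counts[hit] = counts.get(hit, 0) + 1
    return {
        host: counts for host, counts in per_host.items()
        if counts.get("vss_shadow_delete") or counts.get("etw_bypass_flag")
        or counts.get("ransom_note_dropped")
        or counts.get("payload_extension_file", 0) >= ext_threshold
    }

# Constructed sample telemetry (not real logs); WS02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "command_line": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "event_id": 11, "target_filename": r"C:\Users\a\Documents\q3.xlsx.payload"},
    {"host": "WS01", "event_id": 11, "target_filename": r"C:\Users\a\Documents\RECOVER_payload.txt"},
    {"host": "WS02", "event_id": 1, "command_line": "vssadmin.exe list shadows"},
    {"host": "WS02", "event_id": 11, "target_filename": r"C:\Users\b\notes.txt"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only WS01; a benign `vssadmin list shadows` on WS02 is not enough on its own.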
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Shadow-Copy Deletion (T1561.001): The attacker runs a silent VSS delete command to erase all previous restore points, preventing victims from recovering encrypted files.
- Mutex Creation (T1203 – indirect): Payload creates a global mutex named “MakeAmericaGreatAgain” to ensure only one instance runs.
- Process Termination (T1203): The ransomware terminates security-related processes using the TerminateProcess API.
- ETW Bypass (T1562.001): The attacker launches a child process with the --bypass-etw flag to silence Event Tracing for Windows.
All four actions are executed via a single PowerShell script that invokes cmd.exe /c with the exact strings the Sigma rule searches for.
Regression Test Script:
# PayloadRansomwareSimulation.ps1
# Purpose: Generate exactly the command-line strings the Sigma rule matches.

# 1. Delete all VSS shadow copies (quiet)
$vssCmd = 'cmd.exe /c vssadmin.exe delete shadows /all /quiet'
Write-Host "Executing VSS delete..."
Invoke-Expression $vssCmd

# 2. Create a global mutex named "MakeAmericaGreatAgain"
$mutexName = 'MakeAmericaGreatAgain'
$mutex = New-Object System.Threading.Mutex($false, $mutexName)
if ($mutex.WaitOne(0)) { Write-Host "Mutex [$mutexName] created." }

# 3. Terminate a dummy process (e.g., notepad) to simulate process termination
Start-Process notepad
Start-Sleep -Seconds 2
# Select-Object -First 1 keeps $proc.Id a single PID if several notepad instances exist
$proc = Get-Process -Name notepad -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proc) {
    $terminateCmd = "cmd.exe /c taskkill /PID $($proc.Id) /F"
    Write-Host "Terminating process with command: $terminateCmd"
    Invoke-Expression $terminateCmd
}

# 4. Launch a benign process with ETW bypass flag
$etwBypassCmd = 'cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden --bypass-etw'
Write-Host "Launching ETW bypass process..."
Invoke-Expression $etwBypassCmd

Write-Host "Simulation complete. All indicator strings should now be present in Sysmon logs."
Cleanup Commands:
# CleanupPayloadRansomwareSimulation.ps1
# Release the mutex created by the simulation script. OpenExisting throws when the
# mutex does not exist, so use try/catch (a .NET method call cannot take -ErrorAction).
$mutexName = 'MakeAmericaGreatAgain'
$mutex = $null
try {
    $mutex = [System.Threading.Mutex]::OpenExisting($mutexName)
} catch {
    Write-Host "Mutex [$mutexName] not found; nothing to release."
}
if ($null -ne $mutex) {
    # ReleaseMutex only succeeds in the session that owns the mutex; otherwise just
    # close the handle and the OS releases it when the simulation session exits.
    try { $mutex.ReleaseMutex() } catch { }
    $mutex.Close()
    Write-Host "Mutex [$mutexName] released."
}

# Ensure no leftover notepad processes
Get-Process -Name notepad -ErrorAction SilentlyContinue | Stop-Process -Force

# No additional cleanup needed for VSS delete (cannot be undone) – note that this is destructive and should only run in an isolated lab.
Write-Host "Cleanup complete."
End of Report