New Payload ransomware targets Windows and ESXi with Babuk-style code and anti-forensics


A new ransomware operation called Payload is targeting both Windows and VMware ESXi environments, and early analysis suggests it borrows heavily from the leaked Babuk codebase while adding newer anti-forensic tricks. Researchers say the malware has been active since at least February 17, 2026, and the group quickly moved into a double-extortion model that combines file encryption with data theft and leak-site pressure.

What makes Payload stand out is not just the Babuk link. Analysts say the operators replaced parts of the older ransomware logic with ChaCha20-based encryption, kept Curve25519-style key exchange, and added features designed to frustrate incident response on compromised systems. Public reporting on the analysis says the malware targets Windows and ESXi, wipes logs, interferes with Windows tracing, and can remove itself after execution.

The campaign already appears active on real-world targets. Reports say Payload has listed about a dozen victims across seven countries and claims to have stolen more than 2.6 TB of data. One of the most visible recent claims involved Royal Bahrain Hospital, which the group said it breached on March 15, 2026, with an alleged 110 GB of stolen data and a March 23 deadline. Those claims come from the gang’s own leak-site postings and should be treated as attacker assertions unless independently confirmed.

What researchers found

Security reporting tied to the reverse-engineering work says the Windows sample triggered Babuk detections on VirusTotal, which is one reason researchers linked it to the leaked Babuk source code published in 2021. That does not automatically prove the same operators are behind Babuk, but it does fit a broader trend. SentinelOne previously documented multiple ransomware families reusing the Babuk ESXi locker code after the leak, especially for Linux and VMware-focused attacks.

Payload also appears built for speed and operational efficiency. Reports on the malware say it uses partial encryption for very large files, encrypting selected chunks rather than every byte, which helps attackers move faster across large storage volumes. That is especially relevant for ESXi and other server-heavy environments where ransomware operators want to lock as much data as possible before defenders can respond.

The malware’s anti-forensic behavior raises the risk further. Public write-ups say Payload patches Windows event tracing functions in ntdll.dll, wipes Windows event logs after encryption, deletes shadow copies, and uses a mutex called MakeAmericaGreatAgain to prevent duplicate runs on the same host. It also reportedly appends the .payload extension to encrypted files.

Payload ransomware at a glance

Detail                  | Reported information
Malware name            | Payload ransomware
Main targets            | Windows and VMware ESXi systems
Suspected code lineage  | Babuk-inspired or Babuk-derived code reuse
Encryption approach     | ChaCha20 with Curve25519-style key exchange, according to public analysis summaries
Extortion model         | Double extortion with data theft and Tor leak-site pressure
Host indicators         | .payload extension and MakeAmericaGreatAgain mutex
Example victim claim    | Royal Bahrain Hospital, claimed on March 15, 2026

Why this matters for defenders

Payload fits a pattern defenders have seen before. Once Babuk’s source leaked, other groups started adapting it for new operations, especially against ESXi infrastructure. SentinelOne warned back in 2023 that leaked Babuk code was fueling a wave of hypervisor-focused ransomware, and Payload appears to be part of that longer aftershock.

The immediate concern is not attribution. It is speed. If the reported analysis is accurate, Payload can encrypt large systems quickly, disrupt Windows visibility, clear logs, and pressure victims with public leak-site deadlines. That combination makes recovery harder and shortens the response window for security teams.

What organizations should do now

  • Prioritize immutable, offline backups and test restoration regularly. Public reporting says Payload targets backup-related services and uses standard ransomware cleanup behavior after execution.
  • Monitor for suspicious use of vssadmin, event-log clearing, unusual ntdll.dll patching behavior, and files renamed with the .payload extension.
  • Harden ESXi and other virtualization infrastructure because Babuk-derived lockers have repeatedly focused on hypervisors and Linux-based server environments.
  • Treat any leak-site claim as a possible breach, but verify independently before accepting the attackers’ timeline or stolen-data totals as fact.
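As an added illustration of the monitoring items above (not code from the original article or from any of the researchers it cites), the Python triage script below counts the reported host indicators over constructed sample telemetry and alerts only when encryption signs coincide with cleanup behaviour; the key=value log layout, the file paths and the EDR mutex record are constructed assumptions, while the .payload extension, the mutex name, vssadmin shadow deletion and Windows Security event 1102 (audit log cleared) are the real items named in the text.

```python
import re

# Host indicators the article reports for Payload ransomware.
PAYLOAD_EXTENSION = ".payload"
PAYLOAD_MUTEX = "MakeAmericaGreatAgain"
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
TARGET = re.compile(r"\btarget=(\S+)")  # file path in the constructed schema

# Constructed sample telemetry (not a real capture): Sysmon-like process
# (event_id=1) and file (event_id=11) records, an EDR-style mutex record and
# a Security 1102 audit-log clear, all in a made-up key=value layout.
SAMPLE_LOG = r"""
event_id=1 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
event_id=11 image=C:\Temp\unknown.exe target=C:\Shares\finance\q1.xlsx.payload
event_id=11 image=C:\Temp\unknown.exe target=C:\Shares\finance\q2.xlsx.payload
event_id=11 image=C:\Temp\unknown.exe target=C:\Shares\hr\staff.docx.payload
event_id=11 image=C:\Windows\explorer.exe target=C:\Temp\notes.txt
source=edr action=mutex_create name=MakeAmericaGreatAgain
event_id=1102 channel=Security msg="The audit log was cleared."
""".strip().splitlines()

def classify(line: str) -> list[str]:
    """Return the indicator names one log line matches."""
    hits, lower = [], line.lower()
    if SHADOW_DELETE.search(line):
        hits.append("shadow_copy_deletion")
    if "event_id=1102" in lower:  # Windows Security: audit log cleared
        hits.append("event_log_cleared")
    if PAYLOAD_MUTEX.lower() in lower:
        hits.append("payload_mutex")
    m = TARGET.search(line)
    if m and m.group(1).lower().endswith(PAYLOAD_EXTENSION):
        hits.append("payload_extension")
    return hits

def scan(lines: list[str]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for line in lines:
        for hit in classify(line):
            counts[hit] = counts.get(hit, 0) + 1
    return counts

def assess(lines: list[str], rename_threshold: int = 3) -> dict:
    """Alert only when bulk renames or the mutex coincide with cleanup behaviour."""
    counts = scan(lines)
    encrypting = counts.get("payload_extension", 0) >= rename_threshold or counts.get("payload_mutex", 0) > 0
    cleanup = counts.get("shadow_copy_deletion", 0) > 0 or counts.get("event_log_cleared", 0) > 0
    return {"counts": counts, "alert": encrypting and cleanup}
```

Requiring two independent behaviours before alerting keeps a single stray rename from paging anyone, while a burst of renames next to shadow-copy deletion or a log clear is exactly the sequence the reporting describes.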

FAQ

What is Payload ransomware?

Payload is a newly reported ransomware strain that targets Windows and VMware ESXi systems and appears to reuse ideas or code linked to the leaked Babuk ransomware source.

Does Payload use double extortion?

Yes. Current reporting says the group steals data before encryption and then threatens to publish it on a Tor leak site if the victim does not negotiate.

Is Payload linked to Babuk?

Researchers have described it as Babuk-style or Babuk-inspired, and reporting says the sample drew Babuk detections on VirusTotal. That suggests code reuse, but it does not prove the original Babuk operators are involved.

Why are ESXi systems attractive to ransomware groups?

ESXi hosts often sit at the center of virtualized infrastructure. A successful hit there can impact many workloads at once, which is why Babuk-derived lockers and other ransomware families have repeatedly targeted them.

What are the main indicators of compromise?

Public reporting points to the .payload file extension and the MakeAmericaGreatAgain mutex as two notable host indicators.
