win.payload

Payload

According to EG-FinCIRT, Payload is a cross-platform ransomware family with native compiled binaries for Windows and Linux/ESXi, exposing rich command-line options that let operators tune targeting, performance, and anti-forensic behavior. The Windows variant aggressively prepares the system by deleting recovery points, stopping key services and processes, wiping or bypassing logging mechanisms, and optionally hiding and self-deleting its executable while running encryption in the background. Its core uses an offline hybrid cryptosystem combining Curve25519 key exchange with optimized ChaCha20 (using CPU feature detection and multithreading, plus partial encryption for large files) and appends an obfuscated metadata footer needed for decryption. The Linux/ESXi variant is a small stripped ELF binary that parses virtual machine inventory data to locate and encrypt VM disk files, focusing on efficient disruption of virtualized workloads with fewer ancillary features than the Windows version.

References
2026-05-05, EG-FinCirt (EG-FinCirt Malware Analysis team): Payload Ransomware: In-depth technical analysis [family: Payload]

There is no Yara-Signature yet.