Malware
Payload
Payload is a Windows malware family.
Background
As described by EG-FinCIRT, Payload is a ransomware family shipped as natively compiled binaries for both Windows and Linux/ESXi, with an extensive set of command-line switches that operators can use to adjust which targets are hit, how fast encryption runs, and how the malware covers its tracks. On Windows it primes the host by removing recovery points, terminating relevant services and processes, disabling or evading logging, and optionally concealing and deleting its own executable while encrypting in the background. The encryption engine relies on an offline hybrid scheme that pairs Curve25519 key exchange with a tuned ChaCha20 implementation (leveraging CPU feature detection and multithreading, and partially encrypting large files), then writes an obfuscated metadata trailer required for recovery. The Linux/ESXi build is a compact, stripped ELF that reads virtual machine inventory information to find and encrypt VM disk files, prioritizing fast disruption of virtualized environments and carrying fewer extra capabilities than its Windows counterpart.
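The Windows priming stage described above (removing recovery points, stopping services and processes, tampering with logging) is what a detection engineer can most usefully act on, because it happens before encryption and shows up in ordinary process-creation telemetry. The following Python snippet is an added example, not code from EG-FinCIRT, Malpedia, or the malware itself: it classifies command lines into the three priming categories and raises one alert per host when at least two distinct categories occur within a short window. The command-line patterns (vssadmin, wmic, bcdedit, net/sc stop, taskkill, wevtutil, auditpol) are assumptions about common tooling for each action and are not taken from the page; the log lines, host names and service names are constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Categories of host "priming" behaviour described for the Windows build.
# The command patterns below are assumptions about common tooling for each
# action; they are not taken from the page.
PRIMING_PATTERNS = {
    "recovery_removal": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
    "service_termination": [
        re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S", re.I),
        re.compile(r"\bsc(\.exe)?\s+stop\s+\S", re.I),
        re.compile(r"\btaskkill(\.exe)?\s+.*(/f\b|/im\b)", re.I),
    ],
    "logging_tamper": [
        re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S", re.I),
        re.compile(r"\bauditpol(\.exe)?\s+/set\b.*\bdisable\b", re.I),
    ],
}

# Constructed process-creation events (JSON lines). Hosts, timestamps and
# service names are invented for this example.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T02:10:05", "host": "WS-01", "cmdline": "vssadmin delete shadows /all /quiet"}
{"ts": "2024-05-01T02:10:07", "host": "WS-01", "cmdline": "net stop BackupSvc"}
{"ts": "2024-05-01T02:10:09", "host": "WS-01", "cmdline": "wevtutil cl Security"}
{"ts": "2024-05-01T02:10:12", "host": "WS-01", "cmdline": "taskkill /F /IM backupagent.exe"}
{"ts": "2024-05-01T09:00:00", "host": "WS-02", "cmdline": "net stop Spooler"}
{"ts": "2024-05-01T09:30:00", "host": "WS-02", "cmdline": "vssadmin list shadows"}
"""


def classify(cmdline):
    """Return the set of priming categories a single command line matches."""
    return {cat for cat, pats in PRIMING_PATTERNS.items()
            if any(p.search(cmdline) for p in pats)}


def parse_events(log_text):
    """Parse JSON-lines process events and tag each with its categories."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["ts"]),
            "host": rec["host"],
            "cmdline": rec["cmdline"],
            "categories": classify(rec["cmdline"]),
        })
    return events


def detect_priming(log_text, window=timedelta(minutes=10), min_categories=2):
    """Correlate per host: alert when at least `min_categories` distinct
    priming behaviours occur within `window`. A single 'net stop' on its own
    is routine administration and never alerts; the combination is the signal.
    Emits at most one alert per host (the earliest qualifying window)."""
    by_host = {}
    for ev in parse_events(log_text):
        if ev["categories"]:
            by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen, cmds = set(), []
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen |= ev["categories"]
                cmds.append(ev["cmdline"])
            if len(seen) >= min_categories:
                alerts.append({
                    "host": host,
                    "first_seen": start["ts"].isoformat(),
                    "categories": sorted(seen),
                    "commands": cmds,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_priming(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

Run over the constructed log, only WS-01 alerts: its four commands cover all three categories within seven seconds, while WS-02's lone service stop and the read-only `vssadmin list shadows` stay below the threshold. Tune `window` and `min_categories` to the environment; the point of correlating categories rather than matching single commands is to keep noise from routine administration down while still catching the burst of preparation that precedes encryption.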
Source: Malpedia (Fraunhofer FKIE).