payload
Known ransomware group · ACTIVE · Currently active
Payload is a ransomware group that emerged in early 2026. It uses Babuk-derived source code to target both Windows and ESXi systems in cross-platform double-extortion attacks against the healthcare, energy, real estate, and agriculture sectors, and it claimed 12 victims across seven countries within hours of launching its leak site.
Total Claims: 9
Critical: 1
Records Claimed: —
Industries Hit: 8
Active span: Apr 16, 2026 – May 21, 2026 · 9 organizations targeted
Actor Threat Profile
Activity Timeline
Peak: Apr 2026 (7)
[Activity heatmap: Apr 2026 – May 2026]
Top Targeted Industries
Education 2
Healthcare 1
Public Sector 1
Business Services 1
Manufacturing 1
Agriculture and Food Production 1
Tradecraft & Infrastructure
Documented tools: 0
MITRE tactics / techniques: 5 / 11
Known leak sites: 2
Targeted Organizations
Claims by payload
Internal Medicine and Pediatrics of Cullman · Ransomware · Healthcare · May 21, 2026 · Critical
Gorey Community School · Ransomware · Education · May 14, 2026 · Low
Rural Municipality of Gimli · Ransomware · Public Sector · Apr 27, 2026 · Low
Peroni Sosa Tellechea Burt & Narvaja · Ransomware · Business Services · Apr 24, 2026 · Low
Franziskusschule Wilhelmshaven · Ransomware · Education · Apr 17, 2026 · Low
orientalweavers.com · Ransomware · Manufacturing · Apr 17, 2026 · Low
Marino Food Products Pvt · Ransomware · Agriculture and Food Production · Apr 17, 2026 · Low
Sunlight Express Airways · Ransomware · Transportation/Logistics · Apr 17, 2026 · Low
TFE Group · Ransomware · Consumer Services · Apr 17, 2026 · Low