Payload — Technical Analysis / Esxi

1. anti_debug_check_tracerpid()         → exit if debugged
2. check_instance_lock()                → exit if already running
3. init_ransom_note()                   → decrypt & write ransom note
4. cpuid_check_avx()                    → select crypto implementation
   - bit 2 (AVX2): use ChaCha20 (sub_4032E6)
   - bit 0 (SSE2): use Salsa20 (sub_402F85)
5. thpool_init(2 * sysconf(_SC_NPROCESSORS_ONLN))
6. Parse -i argument: comma-separated VM IDs to skip
7. RC4 decrypt "/etc/vmware/hostd/vmInventory.xml"
8. xmlReadFile(inventory_path)
9. xmlXPathEvalExpression("//ConfigEntry")
10. For each ConfigEntry:
    a. Extract "objID" → VM numeric ID
    b. Extract "vmxCfgPath" → path to VM's .vmx file
    c. Skip if ID is in -i exclusion list
    d. Extract directory from vmxCfgPath (parent dir = VM datastore)
    e. walk_directory_encrypt(vm_directory)
11. Cleanup: free XML, destroy thread pool

walk_directory_encrypt(dir_path)
├── opendir / readdir64
├── For each regular file:
│   ├── Skip if already has extension (.xx0001)
│   └── thpool_add_work(encrypt_file, filepath)
└── closedir

encrypt_file(filepath)
├── fopen64(filepath, "rb+")
├── flock(fd, LOCK_EX)
├── Check filesize > 5 GB (0x140000000) — skip smaller files
├── generate_random_32bytes() → ephemeral private key (clamped for Curve25519)
├── generate_random_32bytes() → nonce
├── x25519_dh(ephemeral_priv, note_pubkey) → shared secret for note
├── x25519_dh(ephemeral_priv, master_pubkey) → shared secret for encryption
├── Init stream cipher (Salsa20 or ChaCha20) with shared secret + nonce
├── Split file into 5 equal parts
│   └── For each part: encrypt 1 GB (0x40000000) in 1 MB chunks
│       ├── fseeko64 to offset
│       ├── fread → cipher XOR → fwrite (in-place)
│       └── Advance to next 1/5th of file
├── Write "payload" marker (7 bytes)
├── RC4-encrypt metadata (56 bytes: ephemeral pubkey + nonce)
├── Append encrypted metadata to end of file
├── fflush + fclose
└── rename(filepath, filepath + ".xx0001")

[original file data (partially encrypted)]
["payload" marker — 7 bytes]
[RC4-encrypted metadata — 56 bytes: ephemeral X25519 public key (32B) + nonce (24B)]

Welcome to Payload!

The next 72 hours will determine certain factors in the life of your company: 
the publication of the file tree, which we have done safely and unnoticed 
by all of you, and the publication of your company's full name on our 
luxurious blog.
NONE of this will happen if you contact us within this time frame and our 
negotiations are favorable.

We are giving you 240 hours to:
1. familiarize yourself with our terms and conditions,
2. begin negotiations with us,
3. and successfully conclude them.
The timer may be extended if we deem it necessary (only in the upward direction).
Once the timer expires, all your information will be posted on our blog.

ATTENTION!
Contacting authorities, recovery agencies, etc. WILL NOT HELP YOU!
At best, you will waste your money and lose some of your files, which they 
will carefully take to restore!
You should also NOT turn off, restart, or put your computer to sleep.
In the future, such mistakes can make the situation more expensive and the 
files will not be restored!
We DO NOT recommend doing anything with the files, as this will make it 
difficult to recover them later!

When contacting us:
you can request up to 3 files from the file tree, 
you can request up to 3 encrypted files up to 15 megabytes 
so that we can decrypt them and you understand that we can do it.

First, you should install Tor Browser:
1. Open: https://www.torproject.org/download
2. Choose your OS and select it
3. Run installer
4. Enjoy!

In countries where tor is prohibited, we recommend using bridges, 
which you can take: https://bridges.torproject.org/

You can read:
http://payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd.onion (Tor)

To start negotiations, go to:
http://payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd.onion

User: [SNIP]
Password: [SNIP]

Your ID to verify: [SNIP]