Ransomware Uses ChaCha20 and Curve25519 to Encrypt Windows Files
ID: 1fd6fc7f-d353-5f50-b10d-f5d471ef6c4c
STIX ID: report--1fd6fc7f-d353-5f50-b10d-f5d471ef6c4c
Feed Name: GBHackers
Payload is a newly disclosed Windows ransomware family. For each file it performs a Curve25519 ECDH exchange to derive a ChaCha20 key and appends an RC4-encrypted footer, so encrypted data cannot be recovered without the attackers' private key. It also carries aggressive anti-forensics (ETW patching, VSS deletion, event-log wiping) and terminates processes and services. First observed in Feb 2026 with a global double-extortion leak site and dozens of victims across multiple sectors (notably logistics and real estate), the group pressures victims through Tor-based negotiation sites and explicit timing threats.
