Pierluigi Paganini
March 15, 2026
The Payload Ransomware group claims to have hacked the Royal Bahrain Hospital (RBH) and stolen 110 GB of data. The ransomware gang added the healthcare facility to its Tor data leak site and published the images of allegedly hacked systems as proof of the attack.
The group is threatening to release the stolen data if the ransom is not paid by March 23.
Royal Bahrain Hospital, founded in 2011, is a healthcare facility with 70 beds offering inpatient and outpatient services, including surgery, maternity care, and diagnostics. It serves patients from Bahrain and neighboring countries such as Oman, Qatar, Saudi Arabia, and the United Arab Emirates.
Payload ransomware is a relatively new cybercrime operation using a double-extortion model that combines data theft and file encryption to pressure victims. The group has targeted mid- to large-size companies in sectors such as real estate and logistics, mainly in emerging markets. Technically, the ransomware uses ChaCha20 for file encryption and Curve25519 for key exchange, while deleting shadow copies and disabling security tools.
Like many modern crews, Payload likely operates as a ransomware-as-a-service scheme and runs a Tor leak site to publish data from non-paying victims.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Royal Bahrain Hospital data breach)
