A new ransomware threat, dubbed Payouts King, has emerged and is exhibiting tactics strongly linked to former affiliates of the now-defunct BlackBasta ransomware group. Since its appearance in April 2025, Payouts King has been conducting targeted attacks that combine aggressive data exfiltration with selective file encryption, operating with a low profile while demonstrating sophisticated capabilities.
BlackBasta was a significant player in the ransomware landscape, active from February 2022 until its collapse in February 2025 following a public leak of its internal communications. Research by Zscaler ThreatLabz indicates that many former BlackBasta affiliates have transitioned to new ransomware families, including Cactus and, more recently, Payouts King. Analysts have observed ransomware activity mirroring BlackBasta’s initial access methods since early 2026, with high confidence attributing several attacks to Payouts King.
Payouts King Employs BlackBasta’s Proven Attack Vectors
The operational resemblance to BlackBasta is striking: Payouts King relies on closely similar tactics, techniques, and procedures (TTPs). The multi-stage approach begins with “spam bombing,” inundating victims with malicious emails, and is often followed by direct social engineering over Microsoft Teams in which threat actors impersonate IT support staff. Victims are then tricked into granting remote access to their systems, frequently through the legitimate Windows tool Quick Assist.
Once inside a compromised network, Payouts King deploys its ransomware payload. A critical component of their strategy involves the theft of large volumes of sensitive data before the encryption process begins. The group operates a dedicated data leak site on the Tor network, used as leverage to pressure victims into payment by threatening the public release of exfiltrated information.
The ransom note, typically named “readme_locker.txt,” directs victims to communicate with the attackers via the TOX messaging platform. This method is consistent with previous ransomware operations that sought to maintain a degree of anonymity and control over communication channels.
Technical Sophistication of Payouts King Ransomware
The Payouts King ransomware employs robust encryption mechanisms, utilizing 4,096-bit RSA and 256-bit AES encryption in counter mode to render victim files inaccessible. Each file is encrypted with a unique pseudorandom key and initialization vector. The encryption parameters are compiled into a structured 487-byte format, identifiable by the starting “CRPT” magic bytes. For efficiency, particularly with larger files exceeding 10MB, the ransomware implements partial encryption, dividing files into 13 blocks and encrypting only portions of each block. This technique is a common optimization in modern ransomware to accelerate the encryption process and reduce the time required for an attack.
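A forensic triage helper for the partial-encryption scheme described above, written as an added example for this article rather than code from the report or the malware: it flags the “CRPT” magic and maps which windows of a file still read as plaintext, so responders can estimate how much of a large file survived intact. It assumes the 487-byte parameter structure is prepended to the file (the report does not state its position); the 4 KB window, the 7.5-bit entropy threshold and the sample file are choices made for this example, with the sample constructed inline.

```python
import math
import random

CRPT_MAGIC = b"CRPT"
CRPT_HEADER_LEN = 487   # size of the encryption-parameter structure per the report
WINDOW = 4096           # analysis window, chosen for this example

def has_crpt_header(data):
    """Magic check. Assumes (not stated in the report) that the 487-byte
    structure is prepended to the encrypted file."""
    return len(data) >= CRPT_HEADER_LEN and data[:4] == CRPT_MAGIC

def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for cipher output."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def map_encrypted_regions(data, window=WINDOW, threshold=7.5):
    """Per-window (start, end, entropy, looks_encrypted) over the file body.
    AES-CTR output is near-uniform, so windows above the threshold are treated
    as encrypted; everything else is plaintext the partial scheme left intact."""
    start = CRPT_HEADER_LEN if has_crpt_header(data) else 0
    regions = []
    for off in range(start, len(data), window):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        regions.append((off, off + len(chunk), h, h >= threshold))
    return regions

def recoverable_fraction(data):
    """Share of body bytes that still look like plaintext."""
    regions = map_encrypted_regions(data)
    total = sum(e - s for s, e, _, _ in regions)
    plain = sum(e - s for s, e, _, enc in regions if not enc)
    return plain / total if total else 0.0

def build_sample():
    """Constructed sample, not a real artefact: CRPT header, then 13 blocks in
    which only the first window is 'encrypted' (seeded random) and three are text."""
    rng = random.Random(1)
    header = CRPT_MAGIC + bytes(CRPT_HEADER_LEN - 4)
    text = (b"plaintext row\n" * (3 * WINDOW // 14 + 1))[:3 * WINDOW]
    body = b"".join(rng.randbytes(WINDOW) + text for _ in range(13))
    return header + body
```

Run against a real sample only after confirming the header position and block geometry in the binary; the window size should be reduced for files much smaller than the 10MB threshold.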
How Payouts King Avoids Detection
Payouts King has been engineered with evasion as a primary design goal and incorporates multiple obfuscation techniques to thwart security tools: stack-based string encryption, dynamic resolution of Windows API functions by hash, and a custom CRC checksum algorithm with a non-standard polynomial value (0xBDC65592). The custom polynomial defeats the precomputed hash lookup tables that analysts routinely use to resolve API hashes during malware reverse engineering, significantly complicating static analysis.
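The analyst’s answer to a custom-polynomial hash is to regenerate the lookup table for that polynomial, as this added example does; it is not code from the report or from the malware. Only the polynomial 0xBDC65592 comes from the article: the reflected (LSB-first) CRC-32 structure, the 0xFFFFFFFF initial value and final XOR, and the list of export names are assumptions for this example and must be confirmed against the sample before the table is trusted.

```python
import zlib

CUSTOM_POLY = 0xBDC65592    # polynomial named in the report (reflected form assumed)
STANDARD_POLY = 0xEDB88320  # ordinary CRC-32, for comparison

def make_crc_table(poly):
    """256-entry table for a reflected (LSB-first) CRC-32 over `poly`."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table

CUSTOM_TABLE = make_crc_table(CUSTOM_POLY)
STANDARD_TABLE = make_crc_table(STANDARD_POLY)

def crc32_with(data, table):
    """Table-driven CRC-32. Init and final XOR of 0xFFFFFFFF are assumed;
    the report gives only the polynomial, so confirm these against the sample."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def custom_api_hash(name):
    """Hash an export name with the custom polynomial (assumed parameters above)."""
    return crc32_with(name.encode("ascii"), CUSTOM_TABLE)

def build_hash_lookup(names):
    """Analyst-side table (hash -> name), regenerated for the custom polynomial.
    A stock CRC-32 table produces different values and resolves nothing."""
    return {custom_api_hash(n): n for n in names}

def resolve(hash_value, lookup):
    return lookup.get(hash_value)

def implementation_matches_zlib(data=b"123456789"):
    """Sanity check: with the standard polynomial the routine must equal zlib.crc32."""
    return crc32_with(data, STANDARD_TABLE) == zlib.crc32(data)

def stock_table_would_miss(name):
    """True when a standard CRC-32 of `name` differs from the custom hash."""
    return zlib.crc32(name.encode("ascii")) != custom_api_hash(name)

# Constructed stand-in for export names read from ntdll's export table.
SAMPLE_EXPORTS = ["NtTerminateProcess", "NtOpenProcess", "NtQuerySystemInformation",
                  "LoadLibraryA", "GetProcAddress"]
```

In practice the name list is taken from the export tables of the DLLs the sample loads, and the resulting hash-to-name map is imported into the disassembler to label the resolved calls.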
The ransomware also features a unique anti-sandbox mechanism: it refuses to encrypt files unless a specific identity parameter is supplied on the command line and the CRC checksum computed over it matches an expected value. This prevents the malware from detonating in the automated sandbox environments that antivirus vendors commonly use for analysis.
To further bypass endpoint security, Payouts King uses low-level direct system calls instead of standard Windows API calls when terminating active security processes. It constructs a runtime table of system call numbers by parsing the ntdll module’s export table, and uses it against processes matching a hardcoded list of 131 antivirus and endpoint detection and response (EDR) products. Following successful file encryption, the ransomware deletes Windows shadow copies, empties the recycle bin, and clears Windows event logs to hinder forensic investigations.
Organizations seeking to defend against Payouts King and similar emergent threats should prioritize comprehensive employee training on recognizing social engineering tactics, such as mass email campaigns and deceptive IT support communications. Implementing multi-factor authentication across all accounts, strictly controlling the use of remote access tools like Quick Assist to authorized IT personnel, and deploying behavioral-based endpoint detection solutions are also critical mitigation strategies. Proactive threat hunting and continuous updates to security infrastructure remain essential as ransomware groups like Payouts King continuously evolve their methods.