Payouts King is a ransomware family that emerged in April 2025 and is attributed to former BlackBasta affiliates, using social-engineering (spam bombing, phishing, vishing) and misuse of Microsoft Teams/Quick Assist to gain initial access. The malware employs extensive obfuscation, direct system calls to evade EDR, scheduled-task persistence, and 4096-bit RSA + AES-256-CTR for selective file encryption. #PayoutsKing #BlackBasta
Keypoints
- Payouts King surfaced in April 2025 and is linked with former BlackBasta affiliates; attacks observed since early 2026 follow similar TTPs to prior campaigns.
- Initial access frequently uses spam bombing combined with impersonation, Microsoft Teams, and Quick Assist to trick victims into providing remote access.
- The ransomware uses multiple obfuscation and evasion techniques: stack-based string construction, FNV1 hashing with unique seeds, a custom CRC algorithm, and API resolution by hash.
- Payouts King supports obfuscated command-line parameters (CRC-checked), scheduled-task persistence (MozillaUpdateTask and ElevateTask), and privilege elevation to run as SYSTEM.
- File encryption uses per-file pseudorandom AES-256-CTR keys with RSA-4096 to protect encryption parameters; large files are partially encrypted (13-block scheme) for performance.
- The malware attempts to terminate security products via direct system calls (resolved from ntdll exports), deletes shadow copies, empties recycle bin, and clears event logs to hinder recovery and forensics.
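The hash-based process matching described above (a checksum per process name compared against hardcoded DWORDs) is what an analyst has to undo to learn which security products a sample targets. The usual way is to hash a wordlist of candidate names with the same function and seed and look for collisions with the hardcoded values. The script below is an added example, not code from the Zscaler write-up or from the malware: it uses standard 32-bit FNV-1 with a configurable offset basis as a stand-in for the sample's seeded FNV1/custom CRC (neither the real seeds nor the CRC are given on the page), and the "hardcoded" checksums it resolves are constructed from that same function for the demonstration.

```python
# Added example: recovering hash-obfuscated process-name targets from a wordlist.
# Assumption: plain 32-bit FNV-1 (multiply, then XOR) with a configurable basis.
# The sample's actual seeds and custom CRC are not documented on the page.

FNV_PRIME_32 = 0x01000193
FNV_OFFSET_32 = 0x811C9DC5


def fnv1_32(data: bytes, basis: int = FNV_OFFSET_32) -> int:
    """32-bit FNV-1. `basis` models a per-sample seed; the default is the standard offset."""
    h = basis
    for b in data:
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
        h ^= b
    return h


def build_lookup(candidates, basis=FNV_OFFSET_32):
    """Map hash -> original candidate name. Names are case-folded before hashing,
    because process-name checks in malware are almost always case-insensitive."""
    return {fnv1_32(name.lower().encode("utf-8"), basis): name for name in candidates}


def resolve_hashes(hardcoded, candidates, basis=FNV_OFFSET_32):
    """Explain as many hardcoded DWORDs as the wordlist allows.
    Returns ({hash: name}, [unresolved hashes]); unresolved values mean either a
    wordlist gap or a different hash function/seed than the one assumed here."""
    table = build_lookup(candidates, basis)
    resolved = {h: table[h] for h in hardcoded if h in table}
    unresolved = [h for h in hardcoded if h not in table]
    return resolved, unresolved


if __name__ == "__main__":
    # Constructed wordlist: the two names quoted on the page plus benign fillers.
    wordlist = ["AvastSvc.exe", "SentinelServiceHost.exe", "explorer.exe", "notepad.exe"]
    # Constructed "hardcoded" table: two real targets and one value nothing explains.
    hardcoded = [fnv1_32(b"avastsvc.exe"), fnv1_32(b"sentinelservicehost.exe"), 0xDEADBEEF]
    resolved, unresolved = resolve_hashes(hardcoded, wordlist)
    for h, name in resolved.items():
        print(f"0x{h:08x} -> {name}")
    print("unresolved:", [f"0x{h:08x}" for h in unresolved])
    # With the wrong seed nothing resolves, which is why the seed must be recovered
    # from the binary before the wordlist attack is worth running.
    print("wrong seed resolves:", resolve_hashes(hardcoded, wordlist, basis=0x12345678)[0])
```

The standard FNV-1 test vector (hash of `a` is `0x050c5d7e`) is a quick way to confirm the implementation before swapping in a sample-specific seed recovered from the decompiled hashing routine.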
MITRE Techniques
- [T1566] Phishing – Spam bombing, phishing, and vishing were used to trick victims into joining Teams/Quick Assist: ('The technique of spam bombing combined with phishing and vishing continues to be an effective technique').
- [T1021] Remote Services – Adversaries abused Microsoft Teams and Quick Assist to obtain remote control and deploy malware: ('The victim is instructed to join a Microsoft Teams call and initiate Quick Assist').
- [T1053] Scheduled Task/Job – Persistence and elevation are established via schtasks to create ONSTART tasks and run as SYSTEM: ('schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART /TN MozillaUpdateTask /TR ""').
- [T1027] Obfuscated Files or Information – Extensive string and API obfuscation (stack-based QWORD strings, FNV1 hashes, custom CRC) is used to evade detection: ('Payouts King implements several common obfuscation methods such as building and decrypting strings on the stack, importing and resolving Windows API functions by hash').
- [T1057] Process Discovery – The ransomware enumerates running processes and computes checksums of process names to identify security-related processes for termination: ('the ransomware will enumerate the running processes and compute a checksum value for each process name and compare the result against a list of 131 hardcoded DWORD checksum values').
- [T1070.001] Clear Windows Event Logs – The ransomware clears Windows event logs to hinder forensic analysis: ('clears the Windows event logs using EvtClearLog (to hinder forensic analysis)').
- [T1490] Inhibit System Recovery – The malware deletes shadow copies and empties the recycle bin to prevent recovery: ('Payouts King deletes Windows shadow copies with vssadmin.exe delete shadows /all /quiet … empties the recycle bin via SHEmptyRecycleBinW').
- [T1486] Data Encrypted for Impact – Files are encrypted with AES-256-CTR and RSA-4096-wrapped parameters to render data unavailable and demand ransom: ('Payouts King ransomware uses a combination of 4,096-bit RSA and 256-bit AES in counter (CTR) mode').
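Two of the behaviours above leave very recognisable command lines: the ONSTART scheduled task created to run as SYSTEM (T1053) and the `vssadmin.exe delete shadows /all /quiet` call (T1490). The following is an added example, not code from the Zscaler write-up, of detection logic a SOC might run over process-creation telemetry. It assumes a constructed pipe-delimited event format (`timestamp|host|image|command line`, built inline below) rather than any particular SIEM's schema; the task names it matches are the ones listed in the indicators section.

```python
import re

# Constructed sample process-creation events (not real telemetry):
# timestamp|host|image path|command line
SAMPLE_EVENTS = """\
2026-01-10T09:12:01Z|ws-017|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /s "localhost" /ru "SYSTEM" /create /f /sc ONSTART /TN MozillaUpdateTask /TR ""
2026-01-10T09:12:03Z|ws-017|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2026-01-10T09:15:44Z|ws-017|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create /sc DAILY /tn BackupJob /tr C:\\tools\\backup.cmd
2026-01-10T09:16:02Z|ws-017|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
"""

# Task names from the page's indicator list (assumed case-insensitive on disk).
IOC_TASK_NAME = re.compile(r'/tn\s+"?mozilla(update|elevate)task\b', re.I)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(nt authority\\)?system\b', re.I)
ONSTART = re.compile(r"/sc\s+onstart\b", re.I)
DELETE_SHADOWS = re.compile(r"delete\s+shadows\b", re.I)


def parse_events(text):
    """Parse the constructed event format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("|", 3)
        events.append({"ts": ts, "host": host, "image": image, "cmdline": cmdline})
    return events


def image_name(path):
    """Basename of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of rule names an event triggers (empty for benign events)."""
    cmd = event["cmdline"]
    hits = []
    if image_name(event["image"]) == "schtasks.exe":
        # A task created with /sc ONSTART and /ru SYSTEM is rare outside installers;
        # it matches the persistence command quoted on the page.
        if "/create" in cmd.lower() and ONSTART.search(cmd) and RUN_AS_SYSTEM.search(cmd):
            hits.append("schtasks_onstart_as_system")
        if IOC_TASK_NAME.search(cmd):
            hits.append("ioc_task_name")
    if image_name(event["image"]) == "vssadmin.exe" and DELETE_SHADOWS.search(cmd):
        hits.append("shadow_copy_deletion")
    return hits


def run_detections(text):
    """Flatten (timestamp, host, rule) triples for every triggered rule."""
    return [(e["ts"], e["host"], rule) for e in parse_events(text) for rule in detect(e)]


if __name__ == "__main__":
    for ts, host, rule in run_detections(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

The daily `BackupJob` task in the sample data is there deliberately: the rule keys on the combination of `/sc ONSTART` and `/ru SYSTEM`, not on `schtasks /create` alone, which keeps routine administrative task creation out of the alert queue.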
Indicators of Compromise
- [File Hashes] Payouts King samples – 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4, d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2
- [File Names] Ransom note and sample filenames observed – readme_locker.txt (ransom note), W64/Payoutsking-ZRaa!Eldorado (detection name / sample label)
- [File Extensions] Encrypted and backup extensions used by the ransomware – .ZWIAAW (encrypted file extension), .esVnyj (temporary backup extension)
- [Scheduled Tasks] Persistence artifacts – MozillaUpdateTask (startup persistence), MozillaElevateTask (elevation task used to run as SYSTEM)
- [Process Names] Security/EDR processes targeted for termination – avastsvc.exe, sentinelservicehost.exe (and many other AV/EDR process names listed in the Appendix)
- [File Extensions List] Types targeted for full encryption – examples include .mdb, .sql, .xml (full list of many database and document extensions provided in Appendix)
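The file-based indicators above (sample hashes, the `.ZWIAAW` and `.esVnyj` extensions, and the `readme_locker.txt` note) are the kind of thing an incident responder sweeps a share or an endpoint image for. The script below is an added example rather than tooling from the Zscaler write-up: it walks a directory tree, flags files by extension and name, and compares SHA-256 digests against the hash list. The demo tree it builds is constructed in a temporary directory, and because no real sample is available here, the demo adds the SHA-256 of an empty file to the known-hash set to exercise the hash-match path.

```python
import hashlib
import os
import tempfile

# Indicators taken from the page.
KNOWN_SAMPLE_HASHES = {
    "335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4",
    "d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2",
}
ENCRYPTED_EXT = ".zwiaaw"   # extension appended to encrypted files
BACKUP_EXT = ".esvnyj"      # temporary backup extension used during encryption
RANSOM_NOTE = "readme_locker.txt"

# SHA-256 of zero bytes; used only so the constructed demo can show a hash hit.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, known_hashes=KNOWN_SAMPLE_HASHES):
    """Return the list of reasons a file is suspicious (empty if none)."""
    name = os.path.basename(path).lower()
    reasons = []
    if name == RANSOM_NOTE:
        reasons.append("ransom_note")
    if name.endswith(ENCRYPTED_EXT):
        reasons.append("encrypted_extension")
    if name.endswith(BACKUP_EXT):
        reasons.append("backup_extension")
    # Hash every file not already explained by name; a hash hit identifies the payload.
    if not reasons and sha256_file(path) in known_hashes:
        reasons.append("known_sample_hash")
    return reasons


def sweep(root, known_hashes=KNOWN_SAMPLE_HASHES):
    """Walk `root` and map relative path (forward slashes) -> reasons for every hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = classify(full, known_hashes)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_demo_tree():
    """Create a constructed directory with one example of each indicator plus a benign file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "Finance"))
    files = {
        "readme_locker.txt": b"constructed ransom note text",
        "Finance/report.docx.ZWIAAW": b"\x00\x11\x22constructed-ciphertext",
        "Finance/budget.xlsx.esVnyj": b"constructed temp copy",
        "dropper.bin": b"",            # empty file -> matches EMPTY_FILE_SHA256
        "notes.txt": b"nothing to see here",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, reasons in sorted(sweep(demo_root, KNOWN_SAMPLE_HASHES | {EMPTY_FILE_SHA256}).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Extension matching is case-insensitive on purpose: the page gives the extensions as `.ZWIAAW` and `.esVnyj`, and NTFS will happily store either case, so normalising before comparison avoids missing files.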
Read more: https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne