Payouts King Ransomware Evades EDR With Obfuscation

Jennifer Sherman
June 4, 2026

The Payouts King ransomware group has quietly built a reputation since its emergence in April 2025.

While it spent most of last year flying under the radar, early 2026 brought a noticeable spike in activity tied to former affiliates of the now-defunct BlackBasta operation.

The group targets organizations through well-worn but effective tactics, stealing large volumes of sensitive data before selectively encrypting files on compromised systems.

BlackBasta, which had operated as a successor to the notorious Conti ransomware group since February 2022, collapsed in February 2025 after its internal chat logs were leaked online.

That exposure forced the group to disband, but it did not stop the individuals behind the attacks. Many of its former affiliates simply carried on under different banners, deploying other ransomware families like Cactus and, more recently, aligning with Payouts King.

Zscaler identified these attacks and, in a report shared with Cyber Security News (CSN), stated that it could attribute some of this renewed activity to the Payouts King ransomware group with high confidence.

The researchers noted that attack patterns closely matched those seen in previous BlackBasta campaigns, including the same social engineering playbook.

The initial infection typically begins with spam bombing, where the attacker floods a target’s inbox with large volumes of junk email.

They then impersonate an IT support employee, reaching out via Microsoft Teams and convincing the victim to initiate a Quick Assist session.

Once access is granted, the attacker drops malware on the system, quietly establishing a foothold inside the organization’s network.

From there, Payouts King moves quickly. It attempts to gain full system-level privileges, deletes Windows shadow copies to block recovery, clears event logs to slow forensic investigations, and empties the recycle bin before starting encryption.

The group also operates a dark web data leak site, adding pressure on victims to pay by threatening to publish stolen information.

Payouts King Ransomware Evades EDR

One of the most notable aspects of this ransomware is how aggressively it works to avoid detection. It builds and decrypts strings on the fly rather than storing them as readable text, making static analysis much harder.

It also resolves Windows functions using hash values instead of plain names, and applies a custom checksum algorithm with a unique seed per value, defeating tools that rely on pre-built hash tables to identify malware.
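The report's point about per-value seeds is easy to see in code. The following is an added example, not Zscaler's code and not the checksum Payouts King actually uses: a hypothetical seeded rotate-xor checksum over a constructed list of common kernel32 exports, showing that a lookup table pre-built with one seed cannot name a hash produced with another seed, while an analyst who has recovered the seed from the sample can still resolve the hash by recomputing it over a candidate export list.

```python
# Added example (not Zscaler's code and not the Payouts King algorithm):
# a toy seeded checksum that shows why a per-value seed defeats pre-built
# hash tables, and how an analyst can still resolve such hashes by
# recomputing them over a candidate export list once the seed is known.
from typing import Dict, Optional, Tuple

# Constructed candidate list: a handful of well-known kernel32 exports.
CANDIDATE_EXPORTS = [
    "CreateFileW", "WriteFile", "ReadFile", "CloseHandle",
    "VirtualAlloc", "GetProcAddress", "LoadLibraryA", "TerminateProcess",
]


def seeded_checksum(name: str, seed: int) -> int:
    """Hypothetical 32-bit rotate-xor checksum; the seed perturbs every round."""
    h = seed & 0xFFFFFFFF
    for byte in name.encode("ascii"):
        h = ((h << 7) | (h >> 25)) & 0xFFFFFFFF      # rotate left by 7
        h ^= byte
        h = (h * 0x01000193 + seed) & 0xFFFFFFFF     # FNV-style mix, seed-dependent
    return h


def build_table(seed: int) -> Dict[int, str]:
    """What a pre-built lookup table looks like: one fixed seed for every entry."""
    return {seeded_checksum(n, seed): n for n in CANDIDATE_EXPORTS}


def resolve(hash_value: int, seed: int) -> Optional[str]:
    """Recompute the checksum over the candidate list with the recovered seed."""
    for name in CANDIDATE_EXPORTS:
        if seeded_checksum(name, seed) == hash_value:
            return name
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (name from a static table, name from seed-aware resolution)."""
    # The sample hashed "VirtualAlloc" with its own per-value seed (constructed value)...
    seed_used_by_sample = 0x5EED1234
    target = seeded_checksum("VirtualAlloc", seed_used_by_sample)
    # ...so a table built with a tool's default seed does not contain it,
    from_static_table = build_table(0).get(target)
    # ...but recomputing with the recovered seed resolves it.
    from_resolver = resolve(target, seed_used_by_sample)
    return from_static_table, from_resolver


if __name__ == "__main__":
    print(demo())   # (None, 'VirtualAlloc')
```

In practice the seed for each hash is read out of the sample during reversing and the candidate list is the export table of the DLL in question; the static table lookup fails for exactly the reason the article gives, so a resolver has to take the seed as an input rather than rely on a precomputed table.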

[Image: Payouts King ransomware note (Source: Zscaler)]

When a file cannot be opened for encryption because a security tool has locked it, the ransomware scans all running processes and checks them against a list of 131 known antivirus and endpoint detection software processes.

Rather than using standard Windows API calls to terminate these tools, it uses direct system calls that bypass the hooks most endpoint detection products depend on to catch suspicious activity.

Encryption Design and Defense Evasion

Payouts King uses 4,096-bit RSA combined with 256-bit AES in counter mode for encryption, with a statically linked OpenSSL library embedded in the malware.

Files under 10MB are fully encrypted, while larger files are split into 13 blocks with only half of each encrypted, a method designed to speed up attacks without reducing their impact.
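To make the partial-encryption layout concrete for a responder assessing what might still be recoverable from large files, here is an added example (not from the article or Zscaler) that models the scheme as described: files under 10 MB are encrypted in full, larger files are split into 13 blocks and half of each block is encrypted. Two details the article does not specify are assumed: the blocks are of equal size with any remainder going to the last block, and it is the first half of each block that gets encrypted.

```python
# Added example (not from the article or Zscaler): model the partial-encryption
# layout the article describes so a responder can see which byte ranges of a
# large file are left untouched. Assumptions (not stated in the article):
# equal-sized blocks with the remainder in the last block, and the encrypted
# half is the first half of each block.
from typing import List, Tuple

FULL_ENCRYPT_LIMIT = 10 * 1024 * 1024   # files under 10 MB are fully encrypted
BLOCK_COUNT = 13                        # larger files are split into 13 blocks


def encrypted_ranges(file_size: int) -> List[Tuple[int, int]]:
    """Return (offset, length) byte ranges the scheme would encrypt."""
    if file_size < FULL_ENCRYPT_LIMIT:
        return [(0, file_size)] if file_size else []
    block = file_size // BLOCK_COUNT
    ranges = []
    for i in range(BLOCK_COUNT):
        start = i * block
        end = file_size if i == BLOCK_COUNT - 1 else start + block
        ranges.append((start, (end - start) // 2))   # assumed: first half of the block
    return ranges


def intact_ranges(file_size: int) -> List[Tuple[int, int]]:
    """Complement of encrypted_ranges(): byte ranges still in plaintext."""
    out = []
    cursor = 0
    for start, length in encrypted_ranges(file_size):
        if start > cursor:
            out.append((cursor, start - cursor))
        cursor = start + length
    if cursor < file_size:
        out.append((cursor, file_size - cursor))
    return out


def plaintext_fraction(file_size: int) -> float:
    """Fraction of the file's bytes that remain unencrypted under the scheme."""
    if file_size == 0:
        return 0.0
    encrypted = sum(length for _, length in encrypted_ranges(file_size))
    return 1.0 - encrypted / file_size


if __name__ == "__main__":
    for size in (4 * 1024 * 1024, 26 * 1024 * 1024):
        print(f"{size} bytes: {plaintext_fraction(size):.2%} plaintext, "
              f"{len(intact_ranges(size))} intact range(s)")
```

A small file reports 0% plaintext, while a 26 MiB file reports 50% plaintext spread over 13 separate intact ranges. That is why the article can describe the method as faster without a reduced impact: with the encrypted halves interleaved through the file, most formats are still unusable even though half of the bytes are untouched, and those intact ranges are what file-carving during recovery has to work with.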

The ransomware avoids calling standard Windows file rename functions after encryption, instead using a lower-level call that most security tools do not monitor.

[Image: Payouts King ransomware data leak site (Source: Zscaler)]

Encrypted files receive the extension .ZWIAAW, and the ransom note named readme_locker.txt is only dropped when a specific command-line flag is provided at runtime, making automated sandbox analysis considerably harder.

To defend against threats like this, organizations should prioritize user awareness training focused on spotting fake tech support requests over platforms like Microsoft Teams.

Enforcing multi-factor authentication across all accounts and closely monitoring for unusual use of remote access tools like Quick Assist are also critical.

Security teams should also invest in proactive threat hunting rather than relying entirely on automated detection to catch advanced threats like Payouts King.

Indicators of Compromise (IoCs):

Type            Indicator                                                          Description
SHA256          335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4   Payouts King ransomware sample
SHA256          d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2   Payouts King ransomware sample
File Extension  .ZWIAAW                                                            Encrypted file extension appended by Payouts King
File Name       readme_locker.txt                                                  Ransom note dropped on victim’s desktop
File Extension  .esVnyj                                                            Temporary backup file extension used during encryption
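The behaviours described earlier (shadow-copy deletion, event-log clearing, emptying the recycle bin) and the file-based IoCs in the table above can both be turned into a simple detection pass. The following is an added example, not from the article or Zscaler, run over constructed Sysmon-style process-creation lines and file paths. The hashes, extensions and ransom-note name are the ones from the table; the command-line patterns are assumptions about how those actions are commonly carried out, since the article does not name the commands the sample uses.

```python
# Added example (not from the article or Zscaler): a small detection pass over
# constructed Sysmon-style process-creation lines and file paths, using the
# behaviours the article describes and the file IoCs from its table.
# The command-line patterns are assumptions about how shadow-copy deletion,
# log clearing and recycle-bin emptying are usually performed; the article
# does not name the commands the sample uses.
import re
from typing import Iterable, List, Set, Tuple

# IoCs taken from the article's table.
IOC_SHA256 = {
    "335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4",
    "d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2",
}
IOC_FILE_PATTERNS = [
    (re.compile(r"\.ZWIAAW$", re.I), "encrypted file extension"),
    (re.compile(r"\.esVnyj$", re.I), "temporary backup extension"),
    (re.compile(r"(^|[\\/])readme_locker\.txt$", re.I), "ransom note"),
]

# Assumed command-line patterns for the impact/evasion steps the article lists.
IMPACT_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion"),
    (re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "event log clearing"),
    (re.compile(r"Clear-RecycleBin", re.I), "recycle bin emptied"),
]

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\wevtutil.exe CommandLine=wevtutil.exe cl Security",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -c Clear-RecycleBin -Force",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.ZWIAAW",
    r"C:\Users\alice\Documents\notes.docx.esVnyj",
    r"C:\Users\alice\Desktop\readme_locker.txt",
    r"C:\Users\alice\Desktop\todo.txt",
]


def scan_process_events(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line index, finding) for each command line matching an impact pattern."""
    findings = []
    for i, line in enumerate(lines):
        # Match only the command line, not the image path, to avoid false hits.
        cmd = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else line
        for pattern, label in IMPACT_PATTERNS:
            if pattern.search(cmd):
                findings.append((i, label))
                break
    return findings


def scan_file_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, finding) for each path matching a file-based IoC."""
    findings = []
    for path in paths:
        for pattern, label in IOC_FILE_PATTERNS:
            if pattern.search(path):
                findings.append((path, label))
                break
    return findings


def match_hashes(hashes: Iterable[str]) -> Set[str]:
    """Return the subset of the given SHA256 values that are known IoCs."""
    return {h.lower() for h in hashes if h.lower() in IOC_SHA256}


if __name__ == "__main__":
    for index, label in scan_process_events(SAMPLE_EVENTS):
        print(f"event {index}: {label}")
    for path, label in scan_file_paths(SAMPLE_PATHS):
        print(f"{label}: {path}")
```

The process-event checks fire on the pre-encryption steps the article describes, which is the window where a hunt team can still act; the file-path checks only fire once encryption has started, so they are better suited to scoping an incident than to preventing one.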

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
