New Ransomware ‘Payouts King’ Linked to Former BlackBasta Affiliates
Key Takeaways A new ransomware group, Payouts King, has emerged as a successor to the defunct BlackBasta operation, active since April 2025. The group employs sophisticated social engineering...
Key Takeaways
- A new ransomware group, Payouts King, has emerged as a successor to the defunct BlackBasta operation, active since April 2025.
- The group employs sophisticated social engineering tactics, including spam bombing and Microsoft Teams-based impersonation, to gain initial access.
- Payouts King utilizes strong encryption (RSA 4096-bit, AES 256-bit), exfiltrates data, and employs advanced anti-analysis techniques to evade detection.
- Former BlackBasta affiliates are believed to be behind Payouts King, continuing their criminal activities under a new banner.
Ransomware’s New Apex Predator: Payouts King Emerges from BlackBasta’s Shadow
A new and formidable ransomware entity, dubbed Payouts King, has surfaced, quickly establishing itself as a significant threat in the cybersecurity landscape. This group is believed to be a direct continuation of the now-disbanded BlackBasta operation, effectively inheriting its predecessor’s aggressive tactics and technical prowess.
Table Of Content
Since its initial appearance in April 2025, Payouts King has maintained a low profile while executing precise, targeted attacks. The group’s methodology combines extensive data theft with selective file encryption, a dual threat model designed to maximize pressure on victims.
From Conti to Payouts King: A Legacy of Cybercrime
BlackBasta, which commenced operations in February 2022, quickly rose to prominence as one of the most active ransomware gangs, itself a successor to the infamous Conti ransomware. For nearly three years, BlackBasta maintained a relentless pace until its abrupt collapse in February 2025, triggered by a public leak of its internal chat logs that exposed its members and inner workings.
The dissolution of BlackBasta, however, did not signify the end of its affiliates’ activities. Instead, these experienced threat actors reportedly re-organized, continuing their illicit operations under new ransomware families, including Cactus, and now, most notably, Payouts King.
Analysts at Zscaler ThreatLabz identified ransomware activity consistent with former BlackBasta initial access brokers beginning in early 2026. Their research confidently attributes several of these attacks to Payouts King. The Zscaler team observed a strong correlation in the techniques, tactics, and procedures (TTPs) employed, particularly the combination of spam bombing, social engineering via Microsoft Teams, and the exploitation of the legitimate Windows utility Quick Assist.
Ingenious Initial Access and Execution
Payouts King initiates its attacks by inundating victims with spam emails. This is followed by a threat actor impersonating an IT support staff member, who then manipulates the victim into granting remote access during a Microsoft Teams call. Once a foothold is established within the victim’s network, Payouts King deploys its ransomware payload, exfiltrates substantial volumes of sensitive data, and then proceeds with the selective encryption of files.
The group operates a dedicated data leak site on the Tor network, serving as a coercive tool to pressure victims into paying the ransom by threatening to release their stolen information publicly. Victims discover a ransom note, typically named “readme_locker.txt,” placed on their desktop, which provides contact instructions through the TOX messaging platform.
Technically, the Payouts King ransomware is sophisticated, employing a robust encryption scheme that combines 4,096-bit RSA with 256-bit AES in counter mode to secure victim files. Each file is encrypted with a pseudorandomly generated key and initialization vector, with the encryption parameters stored in a structured 487-byte format that commences with the distinct magic bytes “CRPT.” For larger files exceeding 10MB, Payouts King optimizes its attack speed by dividing the file into 13 blocks and only partially encrypting each block, a common performance enhancement observed in contemporary ransomware operations.
How Payouts King Evades Detection
Payouts King has been engineered with a strong emphasis on evading security mechanisms. It incorporates multiple obfuscation techniques, including stack-based string encryption, resolution of Windows API functions via hashing, and a custom CRC checksum algorithm utilizing a polynomial value of 0xBDC65592. These methods are designed to counteract precomputed hash tables frequently used by security analysts for rapid malware reverse-engineering, making static analysis considerably more challenging.
The ransomware also features a unique anti-sandbox mechanism. It is configured to refuse file encryption unless a specific identity parameter is supplied on the command line, and the CRC checksum of this value must align with an expected result. This effectively prevents the malware from executing its full payload within automated sandbox environments used by antivirus vendors.
To further thwart endpoint security tools, Payouts King employs low-level direct system calls instead of standard Windows API calls when terminating active security processes. It dynamically constructs a runtime table of system call numbers by traversing the ntdll module’s export table, specifically targeting processes associated with a hardcoded list of 131 antivirus and EDR applications. Following file encryption, the ransomware meticulously deletes Windows shadow copies, empties the recycle bin, and clears Windows event logs to obstruct forensic investigations.
What You Should Do
- Employee Training: Conduct regular training for employees to recognize sophisticated social engineering tactics, including spam bombing and impersonation attempts via communication platforms like Microsoft Teams.
- Multi-Factor Authentication (MFA): Enforce MFA across all critical systems and accounts to add an essential layer of security against unauthorized access.
- Restrict Remote Access Tools: Limit the use of remote access tools such as Quick Assist strictly to verified IT personnel and establish clear protocols for their use.
- Behavior-Based Endpoint Detection: Implement and maintain behavior-based Endpoint Detection and Response (EDR) solutions to identify and block suspicious activities indicative of ransomware.
- Proactive Threat Hunting: Engage in proactive threat hunting and continuously update security controls to adapt to evolving ransomware methodologies and TTPs.
- Regular Backups: Maintain regular, isolated, and tested backups of all critical data to facilitate recovery in the event of a successful ransomware attack.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.