Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
OpenAI Introduces GPT-4o and ChatGPT-4o, Its New Flagship AI Models
July 10, 2026
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
Home/Threats/New Ransomware ‘Payouts King’ Linked to Former BlackBasta Affiliates
Threats

New Ransomware ‘Payouts King’ Linked to Former BlackBasta Affiliates

Key Takeaways A new ransomware group, Payouts King, has emerged as a successor to the defunct BlackBasta operation, active since April 2025. The group employs sophisticated social engineering...

Sarah simpson
Sarah simpson
April 17, 2026 4 Min Read
42 0

Key Takeaways

  • A new ransomware group, Payouts King, has emerged as a successor to the defunct BlackBasta operation, active since April 2025.
  • The group employs sophisticated social engineering tactics, including spam bombing and Microsoft Teams-based impersonation, to gain initial access.
  • Payouts King utilizes strong encryption (RSA 4096-bit, AES 256-bit), exfiltrates data, and employs advanced anti-analysis techniques to evade detection.
  • Former BlackBasta affiliates are believed to be behind Payouts King, continuing their criminal activities under a new banner.

Ransomware’s New Apex Predator: Payouts King Emerges from BlackBasta’s Shadow

A new and formidable ransomware entity, dubbed Payouts King, has surfaced, quickly establishing itself as a significant threat in the cybersecurity landscape. This group is believed to be a direct continuation of the now-disbanded BlackBasta operation, effectively inheriting its predecessor’s aggressive tactics and technical prowess.

Table Of Content

  • Key Takeaways
  • Ransomware’s New Apex Predator: Payouts King Emerges from BlackBasta’s Shadow
  • From Conti to Payouts King: A Legacy of Cybercrime
  • Ingenious Initial Access and Execution
  • How Payouts King Evades Detection
  • What You Should Do

Since its initial appearance in April 2025, Payouts King has maintained a low profile while executing precise, targeted attacks. The group’s methodology combines extensive data theft with selective file encryption, a dual threat model designed to maximize pressure on victims.

From Conti to Payouts King: A Legacy of Cybercrime

BlackBasta, which commenced operations in February 2022, quickly rose to prominence as one of the most active ransomware gangs, itself a successor to the infamous Conti ransomware. For nearly three years, BlackBasta maintained a relentless pace until its abrupt collapse in February 2025, triggered by a public leak of its internal chat logs that exposed its members and inner workings.

The dissolution of BlackBasta, however, did not signify the end of its affiliates’ activities. Instead, these experienced threat actors reportedly re-organized, continuing their illicit operations under new ransomware families, including Cactus, and now, most notably, Payouts King.

Analysts at Zscaler ThreatLabz identified ransomware activity consistent with former BlackBasta initial access brokers beginning in early 2026. Their research confidently attributes several of these attacks to Payouts King. The Zscaler team observed a strong correlation in the techniques, tactics, and procedures (TTPs) employed, particularly the combination of spam bombing, social engineering via Microsoft Teams, and the exploitation of the legitimate Windows utility Quick Assist.

Ingenious Initial Access and Execution

Payouts King initiates its attacks by inundating victims with spam emails. This is followed by a threat actor impersonating an IT support staff member, who then manipulates the victim into granting remote access during a Microsoft Teams call. Once a foothold is established within the victim’s network, Payouts King deploys its ransomware payload, exfiltrates substantial volumes of sensitive data, and then proceeds with the selective encryption of files.

The group operates a dedicated data leak site on the Tor network, serving as a coercive tool to pressure victims into paying the ransom by threatening to release their stolen information publicly. Victims discover a ransom note, typically named “readme_locker.txt,” placed on their desktop, which provides contact instructions through the TOX messaging platform.

Technically, the Payouts King ransomware is sophisticated, employing a robust encryption scheme that combines 4,096-bit RSA with 256-bit AES in counter mode to secure victim files. Each file is encrypted with a pseudorandomly generated key and initialization vector, with the encryption parameters stored in a structured 487-byte format that commences with the distinct magic bytes “CRPT.” For larger files exceeding 10MB, Payouts King optimizes its attack speed by dividing the file into 13 blocks and only partially encrypting each block, a common performance enhancement observed in contemporary ransomware operations.

How Payouts King Evades Detection

Payouts King has been engineered with a strong emphasis on evading security mechanisms. It incorporates multiple obfuscation techniques, including stack-based string encryption, resolution of Windows API functions via hashing, and a custom CRC checksum algorithm utilizing a polynomial value of 0xBDC65592. These methods are designed to counteract precomputed hash tables frequently used by security analysts for rapid malware reverse-engineering, making static analysis considerably more challenging.

The ransomware also features a unique anti-sandbox mechanism. It is configured to refuse file encryption unless a specific identity parameter is supplied on the command line, and the CRC checksum of this value must align with an expected result. This effectively prevents the malware from executing its full payload within automated sandbox environments used by antivirus vendors.

To further thwart endpoint security tools, Payouts King employs low-level direct system calls instead of standard Windows API calls when terminating active security processes. It dynamically constructs a runtime table of system call numbers by traversing the ntdll module’s export table, specifically targeting processes associated with a hardcoded list of 131 antivirus and EDR applications. Following file encryption, the ransomware meticulously deletes Windows shadow copies, empties the recycle bin, and clears Windows event logs to obstruct forensic investigations.

What You Should Do

  • Employee Training: Conduct regular training for employees to recognize sophisticated social engineering tactics, including spam bombing and impersonation attempts via communication platforms like Microsoft Teams.
  • Multi-Factor Authentication (MFA): Enforce MFA across all critical systems and accounts to add an essential layer of security against unauthorized access.
  • Restrict Remote Access Tools: Limit the use of remote access tools such as Quick Assist strictly to verified IT personnel and establish clear protocols for their use.
  • Behavior-Based Endpoint Detection: Implement and maintain behavior-based Endpoint Detection and Response (EDR) solutions to identify and block suspicious activities indicative of ransomware.
  • Proactive Threat Hunting: Engage in proactive threat hunting and continuously update security controls to adapt to evolving ransomware methodologies and TTPs.
  • Regular Backups: Maintain regular, isolated, and tested backups of all critical data to facilitate recovery in the event of a successful ransomware attack.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityMalwareransomwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Windows Defender CVE-2023-XXXX Critical 0-Day Actively Exploited

Next Post

CISA Warns of Critical Apache ActiveMQ RCE Bug Exploited in Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI-Powered Attack Breaches AWS Cloud Environment in 72 Hours
July 9, 2026
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us