The post Payouts King Takes Aim at the Ransomware Throne appeared first on Security Research | Blog.

IntroductionIn February 2022, BlackBasta emerged as a successor to Conti ransomware and quickly rose to prominence. BlackBasta was operational for three years until February 2025 when their internal chat logs were leaked online, exposing the group’s inner workings. This led the group to disband and shutter the operation. However, similar to many ransomware groups, BlackBasta was largely driven by initial access brokers that launch attacks against organizations and then steal sensitive information and encrypt files. Although the BlackBasta brand disappeared, the group’s former affiliates have continued attacks by deploying different ransomware families such as Cactus. Zscaler ThreatLabz has observed continued ransomware activity that is consistent with attacks launched by former affiliates of BlackBasta. Some of these attacks have been attributed to a relatively unknown ransomware group that calls itself the Payouts King.In this blog, we will provide an in-depth technical analysis of the Payouts King ransomware including the techniques that are implemented to evade detection by antivirus and endpoint detection and response (EDR) software. Key TakeawaysThreatLabz has observed ransomware-related activity consistent with previous BlackBasta initial access brokers starting in early 2026.Many of the attacks follow similar techniques, tactics, and procedures (TTPs) as prior attacks such as leveraging spam bombing, Microsoft Teams, and Quick Assist. ThreatLabz has been able to attribute some of these attacks to the Payouts King ransomware group with high confidence.Payouts King is a relatively unknown ransomware group that emerged in April 2025 that steals large amounts of data and selectively performs file encryption.Payouts King ransomware leverages 4,096-bit RSA and 256-bit AES counter mode for file encryption. Technical AnalysisThe technique of spam bombing combined with phishing and vishing continues to be an effective technique that we previously discussed in our annual ransomware report back in 2024. These attacks typically involve a threat actor sending spam email to a targeted victim and then impersonating an IT staff member from the victim’s organization. The victim is instructed to join a Microsoft Teams call and initiate Quick Assist. If the victim falls for the ruse, the threat actor deploys malware onto the victim’s system to establish a foothold on the organization’s network. ThreatLabz has been able to attribute some of these attacks to Payouts King ransomware, a group that until now has largely remained under the radar over the last year.Obfuscation and evasion techniquesPayouts King implements several common obfuscation methods such as building and decrypting strings on the stack, importing and resolving Windows API functions by hash, and hashing important strings instead of hardcoding them. Payouts King uses a combination of FNV1 hashes and a custom CRC checksum algorithm for obfuscation. The latter has been replicated below in Python.def payouts_king_crc32(input_string: bytes) -> int:
checksum = 0
poly = 0xBDC65592
for char_val in input_string:
char_val |= 0x20
checksum ^= char_val
for _ in range(8):
if checksum & 1:
checksum = (checksum >> 1) ^ poly
else:
checksum >>= 1
checksum &= 0xFFFFFFFF
return checksumInterestingly, when Payouts King uses FNV1 hashes to resolve strings, the seed value is unique per obfuscated value. This defeats tools that utilize large precomputed hash tables to quickly determine the original string. Payouts King also contains a significant number of strings that are obfuscated through stack-based arrays of QWORDS, which are used to construct individual encrypted strings and the corresponding XOR keys to decrypt them.Command-line argumentsSimilar to most ransomware families, Payouts King supports command-line arguments to enable or disable specific functionality. However, the Payouts King command-line arguments are obfuscated by the custom CRC checksum function described in the section above. Despite this, ThreatLabz was able to determine the original string arguments for all of the command-line checksum values. The Payouts King command-line arguments are summarized in the table below.CRC ChecksumParameterDescription0x40e9525-backupUse backup files when performing file encryption.0xf7fc5542-noelevateDo not try to elevate privileges.0xd0956b64-nohideDo not hide the window.0xc66b13e4-i [string]Identity (used for verification)0xc66d24e4-log [filename]Log file path.0x2d617286-mode [all, local, share]Encryption mode (encrypt all files, local disks, or network shares)0xe7ef1cf4-noteDrop the ransom note to the disk.0x3659830f-path [path]Encrypt files starting at the specified path.0x115feaa8-percent [integer]Percentage of file content to encrypt.0x3c145344-nopersistDo not establish persistence.0x7a50b8b4-time [seconds]Time delay in seconds before starting file encryption.Table 1: Payouts King command-line parameters.By default the ransomware will not perform file encryption unless the -i parameter is specified with a value whose CRC checksum matches an expected value. This is likely an anti-sandbox evasion technique.If the -nopersist parameter is not passed on the command-line, persistence is established using scheduled tasks by executing the following command:schtasks.exe /s “localhost” /ru “SYSTEM” /create /f /sc ONSTART /TN \Mozilla\UpdateTask /TR “<path_to_payouts_king.exe>”If the -noelevate parameter is not specified, Payouts King will schedule another task to elevate privileges and run as the SYSTEM user as shown below:schtasks.exe /s “localhost” /ru “SYSTEM” /create /f /sc ONSTART /TN \Mozilla\ElevateTask /TR “<path_to_payouts_king.exe>”In order to run these scheduled tasks, Payouts King creates two pipes to read and write to standard input and standard output. The code then calls CreateProcess to launch cmd.exe without any arguments and redirects standard input and output to one end of the pipe. The ransomware code then writes the commands to the other end of the cmd.exe pipe, which creates the scheduled tasks. Payouts King reads the result from the pipe and checks for the string SUCCESS to determine if the task was created. If the elevation task is successfully created, the command schtasks.exe /run /tn \Mozilla\ElevateTask is sent through the pipe to execute the task immediately, followed by schtasks.exe /delete /tn \Mozilla\ElevateTask /f to delete the task and remove forensic evidence. Payouts King will then terminate the current process to allow the elevated process to perform the file encryption.File encryptionPayouts King ransomware uses a combination of 4,096-bit RSA and 256-bit AES in counter (CTR) mode. The encryption code leverages the OpenSSL library, which is statically linked. Each file is encrypted with a pseudorandom key and nonce. The format of an encrypted file is the AES encrypted data followed by the RSA encrypted file encryption parameters as depicted below.Figure 1: Depicts the format of an encrypted file where the AES encrypted data is followed by the RSA file encryption parameters.The RSA encrypted parameters contains the following 487-byte structure:struct payouts_king_rsa_encrypted_data {
DWORD magic_bytes; // “CRPT” (little-endian)
QWORD encryption_type;// 0x825456 (AES) or 0x233567 (ChaCha20)
BYTE aes_key[32]; // pseudorandomly generated per file
BYTE aes_iv[16]; // pseudorandomly generated per file
QWORD total_filesize; // the original file size
QWORD encrypted_size; // the number of bytes encrypted
DWORD num_encrypted_blocks; // full encryption (1), partial encryption (0xd)
BYTE padding[407]; // random data
};While Payouts King contains code to support AES or ChaCha20 encryption, the samples identified by ThreatLabz have only used AES.The file content is encrypted according to the following algorithm:If the file extension matches any of those listed in Table 3 (shown in the Appendix), the full file content will be encrypted.If the file size is less than 10,485,761 bytes (10MB), the full content of the file will be encrypted.Otherwise, the file will be divided into 13 (0xd) blocks. Half of each block will be encrypted and the other half will not be encrypted. This is a performance optimization for encrypting large files that is commonly implemented by ransomware.If the -percent command-line option is specified, the corresponding percentage of the file will be encrypted in 13 blocks.When encrypting files, Payouts King attempts to open the targeted file. If opening fails due to an error code 32 (ERROR_SHARING_VIOLATION), the ransomware will enumerate the running processes and compute a checksum value for each process name and compare the result against a list of 131 hardcoded DWORD checksum values. Many of these process checksums correspond to antivirus and EDR applications. ThreatLabz was able to recover most of the original process names, which are provided in the Appendix. If the process name checksum value matches, Payouts King will attempt to terminate the process. However, instead of using standard Windows API calls, the ransomware uses low-level direct system calls to evade antivirus and EDR hooks. The system call numbers are determined at runtime by manually walking the loaded ntdll module’s export table for function names that start with a Zw prefix to build a table of Zw* function names and addresses. Note that the table is sorted by the Zw* function addresses, and therefore the index in the table can be used to map the system call with the corresponding system call number. Payouts King ransomware then calculates a CRC for each Zw* function name with the malware’s custom CRC algorithm and compares it against an array of expected DWORD checksum values. These checksum values correspond to the following functions:Function NameCRC ChecksumZwQueryInformationFile0x806e69a7ZwQueryInformationProcess0x1993a634ZwOpenProcess0x58ad11eeZwTerminateProcess0x469424d5ZwOpenFile0x28a29ebfZwQuerySystemInformation0xa0595508Table 2: Payouts King system call checksum mapping used to terminate security-related processes.If the -backup command line parameter is specified, Payouts King creates temporary files to hold the original file data in case the encryption process is interrupted.These files use a 56-byte structure in the following format:struct payouts_king_backup_file_hdr {
QWORD magic_bytes; // 0x1F2013150205BEF3
QWORD num_bytes_encrypted; // current number of bytes encrypted
BYTE reserved[16]; // unused
QWORD file_data_offset; // current offset in file being encrypted
QWORD block_size; // size of the data to encrypt in the next block
QWORD custom_crc_checksum; // checksum of current block; performed only on the first byte of the block (likely a bug)
};This data structure is updated for each block that is encrypted, and can be used to determine the last block of data that was encrypted if the process is interrupted. The following files are not encrypted since they are relevant to file encryption:.esVnyj (temporary backup file extension used during file encryption).ZWIAAW (encrypted file extension)readme_locker.txt (ransom note filename)The following Windows files are also not encrypted:desktop.inintuser.datntuser.iniThe following file extensions are also not encrypted:.bat.cat.dll.exe.lnk.msi.mum.sysThe following directories are also skipped::$recycle.bin\:$winreagent\:\programdata\microsoft\:\program files\windowsapps\:\recovery\:\system volume information\:\windows\After the content of a file is encrypted, the file is renamed with a hardcoded extension appended to the original filename. The file is renamed by using a more obscure technique via the function SetFileInformationByHandle using the FileRenameInfo class. This is likely designed to avoid antivirus and EDR detection that monitors calls to MoveFile and MoveFileEx.Similar to most ransomware families, Payouts King deletes Windows shadow copies with vssadmin.exe delete shadows /all /quiet (to delete backups), empties the recycle bin via SHEmptyRecycleBinW (to remove deleted files), and clears the Windows event logs using EvtClearLog (to hinder forensic analysis).Interestingly, the ransom note is not written to disk unless the -note parameter is specified on the command-line at runtime. The ransom note is written to the file named readme_locker.txt on the victim’s desktop as shown below.Figure 2: Example of Payouts King ransomware note.The ransom note contains information about how to contact Payouts King via TOX and provides a link to the group’s data leak site via Tor. The Payouts King data leak site is shown below.Figure 3: Payouts King ransomware data leak site. ConclusionThe emergence of Payouts King, driven by former BlackBasta affiliates, highlights the persistent and adaptive nature of the ransomware ecosystem. Ransomware threat actors continue to use effective TTPs like spam bombing with vishing, and misuse legitimate tools such as Microsoft Teams and Quick Assist. Payouts King itself is a sophisticated ransomware family, featuring robust encryption utilizing RSA and AES-256, alongside anti-analysis techniques like stack-based string obfuscation, API and string hashing, along with direct system calls for process termination.To defend against this evolving threat landscape, organizations must focus on a defense-in-depth strategy. This includes enhanced user training to recognize and report social engineering attacks (spam bombing, vishing, and fake tech support scams), strict enforcement of multi-factor authentication (MFA), and monitoring for the anomalous use of remote access tools like Quick Assist. The continued success of Payouts King underscores the necessity for proactive threat hunting and continuous adaptation of security controls to match the ransomware groups’ relentless pursuit of the next lucrative payout. Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to the threats mentioned in this blog at various levels with the following threat name:Win64.Ransom.KingW64/Payoutsking-ZRaa!Eldorado Indicators Of Compromise (IOCs)IndicatorDescription335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4Payouts King ransomware sample SHA256  d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2Payouts King ransomware sample SHA256  AppendixFully encrypted extensions.4dd.abcddb.abs.abx.accdb.accdc.accde.accdr.accdt.accdw.accft.adb.ade.adf.adn.adp.alf.arc.ask.bdf.btr.cat.cdb.ckp.cma.cpd.dacpac.dad.dadiagr.daschem.db.db-shm.db-wal.db2.db3.dbc.dbf.dbs.dbt.dbv.dbx.dcb.dct.dcx.ddl.dlis.dp1.dqy.dsk.dsn.dtsx.dxl.eco.ecx.edb.epim.exb.fcd.fdb.fic.fm5.fmp.fmp12.fmpsl.fol.fp3.fp4.fp5.fp7.fpt.frm.gdb.grdb.gwi.hdb.his.hjt.ib.icg.icr.idb.ihx.itdb.itw.jet.jtx.kdb.kexi.kexic.kexis.lgc.lut.lwx.maf.maq.mar.mas.mav.maw.mdb.mdf.mdn.mdt.mpd.mrg.mud.mwb.myd.ndf.nnt.nrmlib.ns2.ns3.ns4.nsf.nv.nv2.nwdb.nyf.odb.oqy.ora.orx.owc.p96.p97.pan.pdb.pdm.pnz.qry.qvd.rbf.rctd.rod.rodx.rpd.rsd.sas7bda.sbf.scx.sdb.sdc.sdf.sis.spq.sql.sqlite.sqlite3.sqlited.te.temx.tmd.tps.trc.trm.udb.udl.usr.v12.vis.vpd.vvv.wdb.wmdb.wrk.xdb.xld.xmlff      Table 3: List of file extensions that are fully encrypted by Payouts King.Antivirus / EDR products blocklista2service.exeaciseagent.exeacnamagent.exeacnamlogonagent.exeacumbrellaagent.exeairwatchservice.exeappcontrolagent.exearcsight.exeashdisp.exeaswidsagent.exeavastsvc.exeavastui.exeavguard.exeavgnt.exeavgnsx.exeavgsvc.exeavgui.exeavkservice.exeavp.exeavpui.exebdagent.exebdservicehost.exeblackberryprotect.exebrowserexploitdetection.exebullguardsvc.execb.execbdefense.execcsvchst.execmdagent.execpda.execsfalconservice.execsrss.execybereasonransomfreeservice.execylancesvc.execyserver.execytomicendpoint.execyveraconsole.execyveraservice.exedarktracetsa.exedataprotectionservice.exedeepinstinctservice.exedsmonitor.exedwengine.exedwservice.exeegui.exeekrn.exeelastic-endpoint.exeendgame.exeendpointbasecamp.exeepconsole.exef-secure.exefdedr.exefireeye.exefsecure.exegdataavk.exeheatsoftware.exeheimdalclienthost.exehexis.exelsass.exembam.exembamservice.exembamtray.exemcafee.exemcods.exemcshield.exemfeepehost.exemfeepmpk.exemfefire.exemfevtps.exemsmpeng.exemssense.exen360.exenortonsecurity.exentrtscan.exenwservice.exepanda_url_filtering.exepavfnsvr.exepavsrv.exepccntmon.exepsanhost.exepsuaservice.exeqhepsvc.exerapid7.exeraytheon.exerealtime safe.exesamplingservice.exesavadminservice.exesavservice.exesbamsvc.exesecureaplus.exesecureworks.exesecurityagentmonitor.exesecurityhealthservice.exesensecncproxy.exesentinelagent.exesentinelctl.exesentinelmemoryscanner.exesentinelservicehost.exesentinelstaticengine.exesentinelstaticenginescanner.exesentinelui.exesfc.exeshellexperiencehost.exeshstat.exesmc.exesophosui.exestartmenuexperiencehost.exetanclient.exetracsrvwrapper.exetraps.exetrapsagent.exetrapsd.exetrustwaveservice.exev3svc.exevsserv.exewrsa.exexagt.exezaprivacyservice.exe  Table 4: List of process names terminated by Payouts King (if opening a file for encryption fails).

*** This is a Security Bloggers Network syndicated blog from Security Research | Blog authored by Brett Stone-Gross (Sr. Director, Threat Intelligence). Read the original post at: https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne