
Payouts King Ransomware Blending In Before Breaking Through

Red | Attack Report
Summary

Payouts King ransomware emerged in April 2025 as a sophisticated ransomware operation with confirmed connections to former BlackBasta initial access brokers. The ransomware campaign intensified throughout early 2026, targeting organizations across the United States, Germany, Canada, France, Italy, Spain, United Kingdom, Norway, Mexico, Poland, and Belgium. This ransomware operation combines data theft with targeted file encryption, leveraging social engineering tactics to gain initial access. Payouts King ransomware uses spam-bombing combined with vishing techniques where threat actors flood victims’ email inboxes before impersonating internal IT staff via Microsoft Teams. Victims are manipulated into launching Quick Assist, granting attackers remote system control. Once the ransomware establishes a foothold, it deploys obfuscated command-line arguments, scheduled task persistence, SYSTEM-level privilege escalation, and direct system call invocation to disable antivirus and EDR processes across Windows environments.

Attack Details

Initial Access Through Social Engineering and Remote Access Tools

Payouts King operations begin with calculated social engineering designed to overwhelm and mislead victims. The attack starts with spam bombing that floods a victim's inbox to create urgency and confusion. Following the email bombardment, the attacker impersonates an internal IT staff member and convinces the target to join a Microsoft Teams call. During the Teams session, the victim is socially engineered into opening Quick Assist, a legitimate remote support tool built into Microsoft Windows. Once Quick Assist access is granted, the attacker takes full control of the system and installs the Payouts King payload, securing a foothold within the network for further ransomware deployment.

Evasion, Persistence, and Privilege Escalation

Before activating its payload, Payouts King performs environment checks to avoid detection in analysis or testing environments. If these checks pass, the malware quietly prepares itself by decoding hidden instructions and dynamically resolving the Windows functions it needs. It establishes persistence by creating a hidden scheduled task that runs with full SYSTEM privileges at startup, so that access survives reboots. This persistence mechanism lets the threat actors maintain long-term access to compromised environments.

Lateral Movement and Security Tool Termination

To extend its reach across the network, Payouts King can target local files, network shares, or both at once. It uses elevated privileges to move laterally between systems, particularly when higher-privileged credentials have been obtained through credential theft. In parallel, it scans running processes and systematically terminates known security tools, including antivirus and EDR solutions, so that it can operate without interference from defensive controls.

Data Encryption, Theft, and Ransom Demands

Data theft and encryption are central to a Payouts King attack. Files are encrypted with strong cryptography: smaller or high-value files are fully encrypted, while larger files are partially encrypted to save time while still causing maximum disruption. The ransomware also deletes backup copies, clears system logs, and removes recovery options to prevent restoration. Finally, a ransom note is dropped on compromised systems, directing victims to contact the attackers through encrypted messaging platforms and to visit a Tor-based hidden website for negotiation. The message is clear: pay the ransom, or risk losing both access to the data and its confidentiality through public data leaks.

Recommendations

Restrict and Monitor Quick Assist and Microsoft Teams Usage

Organizations should disable Quick Assist on systems that do not require remote support functionality. Where business requirements allow, restrict outbound Microsoft Teams external federation. Configure detection rules that alert security operations when quickassist.exe is launched following an inbound Microsoft Teams call from an unverified external tenant, since this pattern indicates a likely social engineering attempt.
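The correlation just described, as an added example that is not part of the advisory or any HivePro tooling: it joins constructed Teams call records with constructed process-creation events and alerts when quickassist.exe starts for a user within a short window after that user took a call from an unverified external tenant. The record layout, the image path and the 15-minute window are assumptions to adapt to your SIEM schema.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample data (not from the advisory): inbound Teams call records
# and process-creation events, as a SIEM might normalise them.
TEAMS_CALLS = [
    {"ts": "2026-02-03T09:12:00", "callee": "j.doe",
     "caller_tenant": "helpdesk-lookalike.example", "tenant_verified": False},
    {"ts": "2026-02-03T10:40:00", "callee": "a.smith",
     "caller_tenant": "partner.example", "tenant_verified": True},
]
PROCESS_EVENTS = [  # image path is constructed; matching is on the basename
    {"ts": "2026-02-03T09:18:30", "user": "j.doe", "host": "WS-0142",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"ts": "2026-02-03T10:45:00", "user": "a.smith", "host": "WS-0207",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"ts": "2026-02-03T15:00:00", "user": "j.doe", "host": "WS-0142",
     "image": r"C:\Windows\System32\quickassist.exe"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window; tune per environment


def quickassist_after_external_call(calls, procs, window=WINDOW):
    """Alert when quickassist.exe starts for a user within `window` after that
    user received a Teams call from an unverified external tenant."""
    alerts = []
    for p in procs:
        if ntpath.basename(p["image"]).lower() != "quickassist.exe":
            continue
        started = datetime.fromisoformat(p["ts"])
        for c in calls:
            # Only calls to the same user from tenants we have not verified
            if c["callee"] != p["user"] or c["tenant_verified"]:
                continue
            delta = started - datetime.fromisoformat(c["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({"host": p["host"], "user": p["user"],
                               "caller_tenant": c["caller_tenant"],
                               "minutes_after_call": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for a in quickassist_after_external_call(TEAMS_CALLS, PROCESS_EVENTS):
        print("ALERT possible Quick Assist social engineering:", a)
```

The verified-tenant call and the launch hours after the call are deliberately left unflagged, which is where the false-positive tuning for this rule lives.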

Hunt for Mozilla Scheduled Task Persistence Indicators

Build SIEM and EDR detections specifically for the creation of scheduled tasks under the \Mozilla\ path, particularly \Mozilla\UpdateTask and \Mozilla\ElevateTask. These tasks are created via schtasks.exe with ONSTART and SYSTEM run-as parameters; because the task names are hardcoded in the Payouts King binary, they are reliable detection opportunities.

Detect Direct System Call Abuse and EDR Tampering Attempts

Deploy behavioral detection capabilities capable of flagging unhooked syscall invocation patterns commonly used by ransomware. Monitor for processes attempting to terminate security tooling such as MsMpEng.exe, MsSense.exe, SentinelAgent.exe, CSFalconService.exe, or cb.exe. Alert on unusual enumeration of ntdll exports indicative of dynamic syscall resolution used by ransomware to bypass security controls.
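Two of the hunts above (the \Mozilla\ scheduled-task persistence and termination attempts against the listed security processes) as added detection logic over constructed Sysmon-style events; this is example code, not the advisory's or HivePro's. It assumes the usual Sysmon fields (Event ID 1 process creation with a CommandLine, Event ID 10 process access with a hex GrantedAccess mask) and checks the PROCESS_TERMINATE bit rather than an exact mask, since real masks combine several rights.

```python
import ntpath
import re

# Constructed Sysmon-style events (not from the advisory): ID 1 = process
# creation, ID 10 = process access with the GrantedAccess mask as hex.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "\Mozilla\UpdateTask" /tr "C:\Users\Public\upd.exe" /sc ONSTART /ru SYSTEM /f'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "\Backup\Nightly" /tr backup.exe /sc DAILY'},
    {"id": 10, "source_image": r"C:\Users\Public\upd.exe",
     "target_image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "granted_access": "0x1"},
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "granted_access": "0x1000"},
]

# Security-tool process names listed in the advisory, matched case-insensitively.
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe",
                 "csfalconservice.exe", "cb.exe"}
PROCESS_TERMINATE = 0x0001  # Win32 process access right

def mozilla_task_rule(ev):
    """Flag schtasks.exe creating a task under the \\Mozilla\\ path; record ONSTART/SYSTEM."""
    if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return None
    m = re.search(r'/tn\s+"?(\\Mozilla\\[^"\s]+)', ev["cmd"], re.I)
    if not m:
        return None
    return {"rule": "mozilla_scheduled_task", "task": m.group(1),
            "onstart": bool(re.search(r"/sc\s+onstart", ev["cmd"], re.I)),
            "system": bool(re.search(r'/ru\s+"?(?:nt authority\\)?system', ev["cmd"], re.I))}

def edr_terminate_rule(ev):
    """Flag a handle to a security-tool process whose rights include PROCESS_TERMINATE."""
    if ev["id"] != 10:
        return None
    target = ntpath.basename(ev["target_image"]).lower()
    if target not in EDR_PROCESSES or not (int(ev["granted_access"], 16) & PROCESS_TERMINATE):
        return None
    return {"rule": "edr_terminate_access", "source": ev["source_image"], "target": target}

def run_rules(events):
    """Run every rule over every event and collect the hits in event order."""
    hits = []
    for ev in events:
        for rule in (mozilla_task_rule, edr_terminate_rule):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits
```

Direct syscalls bypass user-mode hooks, so the Event ID 10 check only catches termination attempts that still go through an observable handle open; pair it with kernel-level telemetry for the unhooked case.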

Maintain Immutable, Offline, and Tested Backup Systems

Ensure critical systems are protected by a 3-2-1 backup architecture with immutable or air-gapped copies that cannot be reached through SMB shares or domain credentials. This is essential because Payouts King supports a -mode share flag specifically designed to encrypt network shares and any backups it can reach. Verify backup restoration procedures regularly through tabletop exercises to confirm ransomware recovery capabilities.

Segment Networks and Restrict SMB Lateral Movement Pathways

Apply network micro-segmentation between user subnets, file servers, and domain controllers to contain potential ransomware spread. Restrict SMB traffic between workstations using host-based firewalls and minimize the number of users with write access to shared file repositories. These network segmentation controls limit ransomware lateral movement and reduce the ransomware attack surface.

Indicators of Compromise (IoCs)

Payouts King Ransomware File Hashes (SHA256)

  • 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4
  • d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2

Payouts King Ransomware TOR Infrastructure

  • payoutsgn7cy6uliwevdqspncjpfxpmzirwl2au65la7rfs5x3qnbqd[.]onion
  • v2mw3spxqhggig5zjd6tjnfamwntrprreij3dq77jlq74dduyjafeead[.]onion
  • c6nrwsloenpiat7zilh243nvhe7a3edsfm3ct3kpxhu2fv7z36ksjcad[.]onion

Payouts King Ransomware Communication (Tox ID)

  • 535F403A2EA2DC71A392E18D7DB77FEF70845C0B7E5B9114CD30D301870304379C3547E324E2
  • E37F4D443B7FECE0E9775E82D6DC3B304890F80BA03F5101DFD43B2C249AD625CF00EC8B57D4

Payouts King Ransomware File Indicators

  • Encrypted File Extension: .ZWIAAW
  • Backup File Extension: .esVnyj
  • Ransom Note Filename: readme_locker.txt

MITRE ATT&CK TTPs

Resource Development

  • T1585: Establish Accounts (T1585.002: Email Accounts)

Initial Access

  • T1566: Phishing (T1566.004: Spearphishing Voice, T1566.003: Spearphishing via Service)
  • T1199: Trusted Relationship

Execution

  • T1204: User Execution (T1204.002: Malicious File)
  • T1059: Command and Scripting Interpreter (T1059.003: Windows Command Shell)
  • T1106: Native API

Persistence

  • T1053: Scheduled Task/Job (T1053.005: Scheduled Task)

Defense Evasion

  • T1027: Obfuscated Files or Information (T1027.007: Dynamic API Resolution, T1027.013: Encrypted/Encoded File)
  • T1140: Deobfuscate/Decode Files or Information
  • T1622: Debugger Evasion
  • T1562: Impair Defenses (T1562.001: Disable or Modify Tools)
  • T1070: Indicator Removal (T1070.001: Clear Windows Event Logs, T1070.004: File Deletion)
  • T1564: Hide Artifacts (T1564.003: Hidden Window)
  • T1218: System Binary Proxy Execution
  • T1036: Masquerading

Discovery

  • T1057: Process Discovery
  • T1083: File and Directory Discovery
  • T1518: Software Discovery (T1518.001: Security Software Discovery)

Lateral Movement

  • T1021: Remote Services (T1021.002: SMB/Windows Admin Shares)

Command and Control

  • T1219: Remote Access Software

Exfiltration

  • T1567: Exfiltration Over Web Service

Impact

  • T1486: Data Encrypted for Impact
  • T1490: Inhibit System Recovery
  • T1657: Financial Theft
