New Ransomware Group Payouts King Linked To Former BlackBasta Members


In February 2022, the BlackBasta ransomware group emerged as a highly active successor to the Conti ransomware operation.

The group successfully targeted hundreds of organizations over three years until a massive internal chat log leak in February 2025 exposed their inner workings.

This critical exposure led the cybercriminals to disband and shut down their primary operations. However, the initial access brokers who powered these attacks shifted their focus, deploying other ransomware families, such as Cactus.

In early 2026, security researchers observed new attacks that used tactics closely aligned with those of former BlackBasta affiliates. These latest intrusions have been confidently linked to a relatively unknown but highly capable ransomware group operating under the name Payouts King.

Attack Tactics and Evasion Techniques

Payouts King relies on social engineering strategies, particularly spam bombing combined with phishing and voice phishing (vishing).

Threat actors flood a victim’s email inbox, then call them while impersonating IT support staff. The attackers instruct the victim to join a Microsoft Teams meeting and open Quick Assist, which grants the hackers initial remote access to the corporate network.

Once inside, the malware uses sophisticated obfuscation to hide its activities from security software.

It dynamically builds strings in memory and resolves names through a custom CRC checksum algorithm and FNV-1 hashes computed with unique seeds, so analysis tools that rely on precomputed hash tables built for the standard constants do not recognize them.
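The seeded-hash trick described above is easiest to understand with a small analyst's tool. The example below is added here and is not code from the Zscaler report or from the malware: it implements standard 32-bit FNV-1, shows that a lookup table built for the standard offset basis cannot resolve a hash produced with a custom seed, and rebuilds the table once the seed has been recovered from a sample. The seed value and the list of API names are constructed for the illustration.

```python
"""Rebuild an API-name lookup table for a custom FNV-1 seed.

Added example (not from the report or the malware). The seed below is a
constructed placeholder standing in for a value an analyst would pull out of
the sample; the name list is a constructed subset of Windows API names.
"""

FNV_PRIME_32 = 0x01000193
FNV_OFFSET_32 = 0x811C9DC5   # standard FNV-1 32-bit offset basis
CUSTOM_SEED = 0x5BD1E995     # constructed: a seed "recovered" from a sample

# Constructed list of names an analyst would want to resolve.
KNOWN_NAMES = ["CreateFileW", "WriteFile", "CryptEncrypt",
               "OpenProcess", "VirtualAlloc"]


def fnv1_32(data: bytes, seed: int = FNV_OFFSET_32) -> int:
    """32-bit FNV-1: multiply by the prime, then XOR in each byte.

    Replacing the offset basis with a custom seed changes every output, which
    is exactly what breaks precomputed tables.
    """
    h = seed & 0xFFFFFFFF
    for b in data:
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
        h ^= b
    return h


def build_table(names, seed: int = FNV_OFFSET_32) -> dict:
    """Map hash value -> name for the given seed."""
    return {fnv1_32(n.encode("ascii"), seed): n for n in names}


def resolve(hash_value: int, table: dict):
    """Return the name behind a hash, or None if the table does not know it."""
    return table.get(hash_value)


def demo():
    """Show the standard table failing and the reseeded table succeeding."""
    target = fnv1_32(b"WriteFile", CUSTOM_SEED)   # hash as the sample would compute it
    standard = resolve(target, build_table(KNOWN_NAMES))          # None
    reseeded = resolve(target, build_table(KNOWN_NAMES, CUSTOM_SEED))  # "WriteFile"
    return standard, reseeded


if __name__ == "__main__":
    print("standard table ->", demo()[0])
    print("reseeded table ->", demo()[1])
```

The practical point for a reverse engineer is that the algorithm itself is public; what must be recovered from the sample is the seed, after which the full table is regenerated in milliseconds.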

The ransomware is controlled through heavily obfuscated command-line arguments that dictate its behavior. To avoid automated sandbox analysis, the malware requires a specific identity verification parameter to execute.

Format of an encrypted file: the AES-encrypted data is followed by the RSA-encrypted file encryption parameters (Source: zscaler)

Other command-line options allow attackers to disable privilege elevation, hide the execution window, specify target paths, or specify the percentage of a file to encrypt.

If the attackers do not actively turn off persistence, Payouts King creates scheduled tasks for the SYSTEM user to maintain its foothold.
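The initial-access and persistence steps above (a remote-assistance tool launched on a workstation, followed later by a scheduled task created for SYSTEM) are a pair of events a SOC can correlate. The example below is added here and is not code from the Zscaler report: it runs a simple correlation over constructed, Sysmon-style process-creation records. It assumes the remote-assistance binary is named QuickAssist.exe and that the task is created through schtasks.exe with /ru SYSTEM; the page does not state how the task is created, so that is an assumption, and the hosts, users and timestamps are made up.

```python
"""Correlate remote-assistance launches with SYSTEM scheduled-task creation.

Added example, not from the report. Event records are constructed
(Sysmon-style process-creation fields) and are not telemetry from any incident.
Assumptions: the tool binary is QuickAssist.exe; the task is created with
schtasks.exe /create ... /ru SYSTEM.
"""
from datetime import datetime, timedelta
from ntpath import basename

REMOTE_ASSIST_TOOLS = {"quickassist.exe"}
WINDOW = timedelta(hours=4)   # how long after the assist session a task still counts

# Constructed sample events (ISO timestamps sort correctly as strings).
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T09:02:11", "host": "WS-017", "user": "CORP\\jdoe",
     "image": "QuickAssist.exe", "cmd": "QuickAssist.exe"},
    {"ts": "2026-01-14T09:31:40", "host": "WS-017", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\svc.exe" '
            '/sc onlogon /ru SYSTEM /f'},
    {"ts": "2026-01-14T11:05:00", "host": "WS-022", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "Backup" /tr "C:\\Tools\\backup.exe" '
            '/sc daily /ru SYSTEM /f'},
    {"ts": "2026-01-14T11:06:00", "host": "WS-022", "user": "CORP\\asmith",
     "image": "C:\\Windows\\notepad.exe", "cmd": "notepad.exe notes.txt"},
]


def is_system_task_creation(cmd: str) -> bool:
    """True for a schtasks /create command that runs the task as SYSTEM."""
    c = cmd.lower()
    return "schtasks" in c and "/create" in c and "/ru system" in c


def correlate(events, window: timedelta = WINDOW):
    """Return one finding per SYSTEM task creation.

    Severity is 'high' when a remote-assistance tool ran on the same host in
    the preceding window, 'medium' otherwise (SYSTEM tasks deserve a look anyway).
    """
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    findings = []
    for host, evs in by_host.items():
        assist_times = [datetime.fromisoformat(e["ts"]) for e in evs
                        if basename(e["image"]).lower() in REMOTE_ASSIST_TOOLS]
        for e in evs:
            if not is_system_task_creation(e["cmd"]):
                continue
            t = datetime.fromisoformat(e["ts"])
            preceded = any(timedelta(0) <= t - a <= window for a in assist_times)
            findings.append({"host": host, "ts": e["ts"], "user": e["user"],
                             "severity": "high" if preceded else "medium",
                             "cmd": e["cmd"]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['ts']} {f['user']}: {f['cmd']}")
```

The window and the tool list are the tuning knobs: sites that use Quick Assist legitimately will want an allow-list of help-desk accounts, and sites that do not use it at all can alert on the launch alone.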

File Encryption and Defense Strategies

For file encryption, Payouts King employs a robust combination of 4,096-bit RSA and 256-bit AES. The malware determines its encryption strategy based on file size and type.

Files smaller than 10 megabytes or with specific extensions are fully encrypted to maximize damage. To speed up attacks on larger files, the ransomware divides them into 13 blocks, encrypting only half of each.

Payouts King ransomware data leak site (Source: zscaler)

During this routine, it creates temporary backup files with the “.esVnyj” extension to prevent accidental data corruption if the process is interrupted.

According to Zscaler research, once a file is successfully encrypted, it receives a new “.ZWIAAW” extension.

The malware then drops a ransom note named “readme_locker.txt” on the desktop, deletes Windows shadow copies, and clears event logs to severely hinder recovery and forensic investigations.
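The file-size rule, the temporary backup extension, the final extension and the ransom note name above are what an incident responder needs for a first-pass triage of an affected share. The example below is added here and is not code from the Zscaler report: it walks a directory, lists the encrypted files, leftover “.esVnyj” temporaries (a sign that encryption was interrupted on that file) and ransom notes, and estimates how much of each large file is still intact under the 13-block scheme. It assumes the first half of each block is the encrypted half (the page says only that half of each block is encrypted) and uses a constructed sample tree built in a temp directory.

```python
"""First-pass triage of a directory hit by the encryption scheme described above.

Added example, not from the report. Assumption: within each of the 13 blocks
of a large file, the first half is encrypted and the second half is intact;
the page does not say which half. The sample tree is constructed on the fly.
"""
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ZWIAAW"          # extension given to fully processed files
TEMP_BACKUP_EXT = ".esVnyj"        # temporary backup left if the run is interrupted
RANSOM_NOTE = "readme_locker.txt"
FULL_ENCRYPT_LIMIT = 10 * 1024 * 1024   # files below 10 MB are fully encrypted
BLOCK_COUNT = 13


def intact_ranges(size: int):
    """Byte ranges assumed untouched for a file of the given original size."""
    if size < FULL_ENCRYPT_LIMIT:
        return []                      # small files: nothing survives
    ranges = []
    block = size // BLOCK_COUNT
    for i in range(BLOCK_COUNT):
        start = i * block
        end = size if i == BLOCK_COUNT - 1 else start + block   # last block takes the remainder
        half = start + (end - start) // 2
        ranges.append((half, end))     # assumption: second half of each block is intact
    return ranges


def intact_fraction(size: int) -> float:
    """Fraction of the file's bytes expected to be recoverable as plaintext."""
    if size == 0:
        return 0.0
    return sum(e - s for s, e in intact_ranges(size)) / size


def triage(root) -> dict:
    """Walk a tree and bucket files by indicator; returns a report dict."""
    report = {"encrypted": [], "leftover_temp": [], "ransom_notes": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            report["ransom_notes"].append(str(p))
        elif p.suffix == ENCRYPTED_EXT:
            report["encrypted"].append((str(p), intact_fraction(p.stat().st_size)))
        elif p.suffix == TEMP_BACKUP_EXT:
            report["leftover_temp"].append(str(p))
    return report


def build_sample_tree(root):
    """Constructed sample: two encrypted files, one leftover temp, one note."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx" + ENCRYPTED_EXT if False else root / "docs" / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"x" * 4096)
    with open(root / "docs" / ("archive.zip" + ENCRYPTED_EXT), "wb") as f:
        f.truncate(13 * 1024 * 1024)   # sparse 13 MB file, no real data written
    (root / "docs" / ("notes.txt" + TEMP_BACKUP_EXT)).write_bytes(b"partial")
    (root / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for bucket, items in run_demo().items():
        print(bucket, items)
```

Leftover “.esVnyj” files are worth preserving before any cleanup: they are the malware's own backup of a file whose encryption did not finish, and may be the only intact copy.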

Defending against this evolved threat requires a defense-in-depth strategy.

Organizations must prioritize employee training to spot fake tech support scams, enforce multi-factor authentication universally, and closely monitor the usage of remote access tools like Quick Assist.
