Severity: critical

Payouts King Takes Aim at the Ransomware Throne | ThreatLabz

Payouts King is a sophisticated ransomware family operated by former BlackBasta affiliates. It gains initial access via social engineering tactics like spam bombing and Quick Assist, then deploys ransomware that utilizes direct system calls, custom API hashing, and robust RSA/AES encryption while actively evading EDR detection.

Sens: Immediate | Conf: high | Analyzed: 2026-04-16

Authors: BRETT STONE-GROSS

Actors: Payouts King, BlackBasta affiliates, Cactus

Source: Zscaler ThreatLabz

Key Takeaways

  • Payouts King is a newly identified ransomware group that emerged from former BlackBasta affiliates.
  • Initial access relies heavily on social engineering, including spam bombing, vishing, and the misuse of Microsoft Teams and Quick Assist.
  • The ransomware uses 4096-bit RSA and 256-bit AES CTR mode for file encryption, with partial encryption for files over 10MB.
  • Advanced evasion techniques are employed, including custom CRC32 API hashing, stack strings, and direct system calls to terminate AV/EDR processes.
  • File renaming bypasses standard MoveFile hooks by utilizing the SetFileInformationByHandle API.

Affected Systems

  • Windows

Attack Chain

The attack begins with initial access brokers using spam bombing, phishing, and vishing to trick users into granting access via Microsoft Teams and Quick Assist. Once a foothold is established, the Payouts King ransomware is deployed. It establishes persistence and elevates privileges using scheduled tasks created via piped commands to cmd.exe. The ransomware then terminates AV/EDR processes using direct system calls, encrypts files using AES-256 and RSA-4096, renames them using SetFileInformationByHandle to evade detection, and finally deletes shadow copies and clears event logs to hinder recovery.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides detailed behavioral indicators, command-line parameters, and evasion techniques, but does not include ready-to-use detection rules.

Detection Engineering Assessment

  • EDR Visibility: Medium. The ransomware actively evades EDR by using direct system calls (Zw* functions) to terminate security processes and uses SetFileInformationByHandle instead of MoveFile to rename files, bypassing standard user-mode API hooks.
  • Network Visibility: Low. The article does not detail specific C2 infrastructure or network indicators beyond the initial access phase involving Teams and Quick Assist.
  • Detection Difficulty: Hard. The use of direct system calls, custom API hashing, and alternative file renaming APIs makes signature-based and standard behavioral detection difficult.

Required Log Sources

  • Event ID 4688 (Process Creation)
  • Event ID 4698 (A scheduled task was created)
  • Event ID 1102 (The audit log was cleared)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for schtasks.exe creating tasks named "\Mozilla\UpdateTask" or "\Mozilla\ElevateTask" running as SYSTEM. | Process Creation (Event ID 4688) or Scheduled Task Creation (Event ID 4698) | Persistence | Low
Monitor for vssadmin.exe executing with parameters "delete shadows /all /quiet". | Process Creation (Event ID 4688) | Impact | Low
Identify anomalous usage of Quick Assist (quickassist.exe) followed by unusual child processes or network connections. | Process Creation (Event ID 4688) and Network Connections | Initial Access | Medium

Control Gaps

  • EDR user-mode API hooking (bypassed via direct syscalls)
  • Standard file modification monitoring (bypassed via SetFileInformationByHandle)

Key Behavioral Indicators

  • Creation of scheduled tasks under \Mozilla\
  • Files appended with .ZWIAAW or .esVnyj extensions
  • Presence of readme_locker.txt on the desktop
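The three hunting hypotheses in the table above and the file-based behavioral indicators in this list can be expressed as simple matchers over process-creation (4688), scheduled-task (4698), log-cleared (1102) and file-path telemetry. The following is an added example, not code from the ThreatLabz article or from this report: the task names, vssadmin parameters, file extensions and ransom-note filename come from the report; the event schema (dictionary keys), the sample events, hostnames, users, paths, the Quick Assist child allow-list and the FP rating for the 1102 check are assumptions constructed for the example.

```python
"""Added example: apply this report's hunting hypotheses and behavioral
indicators to constructed sample telemetry. Indicator values come from the
report; the event schema and sample data are assumptions for the example."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the report.
SUSPICIOUS_TASK_NAMES = (r"\mozilla\updatetask", r"\mozilla\elevatetask")
RANSOM_EXTENSIONS = {".zwiaaw", ".esvnyj"}
RANSOM_NOTE = "readme_locker.txt"
# vssadmin shadow-copy deletion, tolerant of spacing and casing.
VSSADMIN_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.IGNORECASE)
# schtasks "/RU SYSTEM" (or the NT AUTHORITY form), matched on lowercased text.
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?(system|nt authority\\system)"?')
# Constructed allow-list of child processes considered normal under Quick Assist;
# tune per environment (assumption, not from the report).
QUICKASSIST_EXPECTED_CHILDREN = {"conhost.exe"}


@dataclass(frozen=True)
class Alert:
    hypothesis: str
    stage: str      # ATT&CK stage, as in the report's hunting table
    fp_risk: str
    evidence: str


def _task_name_hits(text: str) -> list:
    low = text.lower()
    return [n for n in SUSPICIOUS_TASK_NAMES if n in low]


def check_process_creation(ev: dict) -> list:
    """Event ID 4688-style record. Constructed keys: image, parent_image, command_line."""
    alerts = []
    image = PureWindowsPath(ev.get("image", "")).name.lower()
    parent = PureWindowsPath(ev.get("parent_image", "")).name.lower()
    cmd = ev.get("command_line", "")
    cmd_l = cmd.lower()
    # H1: schtasks creating \Mozilla\UpdateTask or \Mozilla\ElevateTask, ideally as SYSTEM.
    if "schtasks" in cmd_l and "/create" in cmd_l and _task_name_hits(cmd_l):
        suffix = " as SYSTEM" if RUN_AS_SYSTEM_RE.search(cmd_l) else ""
        alerts.append(Alert("schtasks creating Payouts King task name" + suffix,
                            "Persistence", "Low", cmd))
    # H2: vssadmin delete shadows /all /quiet.
    if VSSADMIN_DELETE_RE.search(cmd):
        alerts.append(Alert("vssadmin shadow copy deletion", "Impact", "Low", cmd))
    # H3: unexpected child process of quickassist.exe.
    if parent == "quickassist.exe" and image not in QUICKASSIST_EXPECTED_CHILDREN:
        alerts.append(Alert("unexpected child process of Quick Assist",
                            "Initial Access", "Medium", f"{parent} -> {image}: {cmd}"))
    return alerts


def check_scheduled_task(ev: dict) -> list:
    """Event ID 4698-style record. Constructed keys: task_name, subject_user."""
    if not _task_name_hits(ev.get("task_name", "")):
        return []
    return [Alert("Payouts King scheduled task registered", "Persistence", "Low",
                  f"{ev.get('task_name')} by {ev.get('subject_user', '?')}")]


def check_log_cleared(ev: dict) -> list:
    """Event ID 1102 (audit log cleared), matching the event-log clearing in the attack chain.
    The Medium FP rating here is this example's assumption, not the report's."""
    return [Alert("Windows audit log cleared", "Defense Evasion", "Medium",
                  ev.get("subject_user", "?"))]


def check_file_path(path: str) -> list:
    """File-based indicators: the two ransomware extensions and the ransom note name."""
    p = PureWindowsPath(path)
    alerts = []
    if p.suffix.lower() in RANSOM_EXTENSIONS:
        alerts.append(Alert("file renamed with Payouts King extension", "Impact", "Low", path))
    if p.name.lower() == RANSOM_NOTE:
        alerts.append(Alert("ransom note dropped", "Impact", "Low", path))
    return alerts


def evaluate(ev: dict) -> list:
    """Dispatch one event to the matching check. 'file' is a constructed pseudo-event type."""
    eid = ev.get("event_id")
    if eid == 4688:
        return check_process_creation(ev)
    if eid == 4698:
        return check_scheduled_task(ev)
    if eid == 1102:
        return check_log_cleared(ev)
    if eid == "file":
        return check_file_path(ev["path"])
    return []


# Constructed sample telemetry: users, paths and command lines are made up for the example.
SAMPLE_EVENTS = [
    {"event_id": 4688, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks.exe /Create /TN "\Mozilla\UpdateTask" /TR "C:\Users\alice\AppData\Local\Temp\sample-loader.exe" /SC ONLOGON /RU SYSTEM /F'},
    {"event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"event_id": 4688, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\WindowsApps\QuickAssist\quickassist.exe",
     "command_line": "cmd.exe"},
    {"event_id": 4688, "image": r"C:\Windows\System32\schtasks.exe",   # benign: name not on list
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks.exe /Create /TN "\Corp\NightlyBackup" /TR backup.exe /SC DAILY /RU SYSTEM'},
    {"event_id": 4698, "task_name": r"\Mozilla\ElevateTask", "subject_user": r"CORP\alice"},
    {"event_id": 1102, "subject_user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": "file", "path": r"C:\Users\alice\Documents\q3-forecast.xlsx.esVnyj"},
    {"event_id": "file", "path": r"C:\Users\alice\Desktop\readme_locker.txt"},
    {"event_id": "file", "path": r"C:\Users\alice\Documents\notes.txt"},  # benign
]


def run(events=SAMPLE_EVENTS) -> list:
    return [a for ev in events for a in evaluate(ev)]


if __name__ == "__main__":
    for a in run():
        print(f"[{a.stage}/{a.fp_risk}] {a.hypothesis}: {a.evidence}")
```

Over the constructed sample the matcher raises seven alerts and stays silent on the benign schtasks and file events; the Quick Assist check is the only one that depends on an environment-specific allow-list, which is why the report rates its FP risk Medium rather than Low.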

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block execution of known Payouts King scheduled task names (\Mozilla\UpdateTask, \Mozilla\ElevateTask).
  • Monitor and restrict the use of vssadmin.exe for shadow copy deletion.

Infrastructure Hardening

  • Enforce Multi-Factor Authentication (MFA) across all remote access points.
  • Restrict or monitor the use of legitimate remote support tools like Quick Assist.

User Protection

  • Deploy EDR solutions capable of detecting direct system calls and kernel-level anomalies.
  • Implement strict least privilege policies to prevent unauthorized scheduled task creation as SYSTEM.

Security Awareness

  • Train employees to recognize spam bombing, vishing, and fake IT support scams.
  • Educate users on the risks of granting access via Microsoft Teams or Quick Assist to unverified personnel.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1106 - Native API
  • T1486 - Data Encrypted for Impact
  • T1490 - Inhibit System Recovery
  • T1070.001 - Indicator Removal: Clear Windows Event Logs

Additional IOCs

  • Command Lines:
    • Purpose: Establish persistence via scheduled task | Tools: schtasks.exe | Stage: Persistence
    • Purpose: Elevate privileges via scheduled task | Tools: schtasks.exe | Stage: Privilege Escalation
    • Purpose: Delete Windows shadow copies to inhibit recovery | Tools: vssadmin.exe | Stage: Impact | Command line: vssadmin.exe delete shadows /all /quiet