Introduction

In February 2022, BlackBasta emerged as a successor to Conti ransomware and quickly rose to prominence. BlackBasta was operational for three years, until February 2025, when its internal chat logs were leaked online, exposing the group's inner workings. This led the group to disband and shutter the operation. However, like many ransomware groups, BlackBasta was largely driven by initial access brokers who launch attacks against organizations, steal sensitive information, and then encrypt files. Although the BlackBasta brand disappeared, the group's former affiliates have continued attacks by deploying different ransomware families such as Cactus. Zscaler ThreatLabz has observed continued ransomware activity that is consistent with attacks launched by former affiliates of BlackBasta. Some of these attacks have been attributed to a relatively unknown ransomware group that calls itself the Payouts King.

In this blog, we provide an in-depth technical analysis of the Payouts King ransomware, including the techniques it implements to evade detection by antivirus and endpoint detection and response (EDR) software.

Key Takeaways

- ThreatLabz has observed ransomware-related activity consistent with previous BlackBasta initial access brokers starting in early 2026.
- Many of the attacks follow similar tactics, techniques, and procedures (TTPs) as prior attacks, such as leveraging spam bombing, Microsoft Teams, and Quick Assist. ThreatLabz has been able to attribute some of these attacks to the Payouts King ransomware group with high confidence.
- Payouts King is a relatively unknown ransomware group that emerged in April 2025; it steals large amounts of data and selectively performs file encryption.
- Payouts King ransomware leverages 4,096-bit RSA and 256-bit AES in counter mode for file encryption.
Technical Analysis

Spam bombing combined with phishing and vishing continues to be an effective technique, one we previously discussed in our annual ransomware report in 2024. These attacks typically involve a threat actor sending spam email to a targeted victim and then impersonating an IT staff member from the victim's organization. The victim is instructed to join a Microsoft Teams call and initiate Quick Assist. If the victim falls for the ruse, the threat actor deploys malware onto the victim's system to establish a foothold on the organization's network. ThreatLabz has been able to attribute some of these attacks to Payouts King ransomware, a group that until now has largely remained under the radar over the last year.

Obfuscation and evasion techniques

Payouts King implements several common obfuscation methods, such as building and decrypting strings on the stack, importing and resolving Windows API functions by hash, and hashing important strings instead of hardcoding them. Payouts King uses a combination of FNV1 hashes and a custom CRC checksum algorithm for obfuscation. The latter has been replicated below in Python.

    def payouts_king_crc32(input_string: bytes) -> int:
        """Custom CRC-style checksum used by Payouts King: a reflected
        (right-shifting) variant with polynomial 0xBDC65592, an initial
        value of 0, and no final XOR."""
        checksum = 0
        poly = 0xBDC65592
        for char_val in input_string:
            # OR-ing with 0x20 folds ASCII letters to lower case, so the
            # checksum is case-insensitive for alphabetic input.
            char_val |= 0x20
            checksum ^= char_val
            for _ in range(8):
                if checksum & 1:
                    checksum = (checksum >> 1) ^ poly
                else:
                    checksum >>= 1
        checksum &= 0xFFFFFFFF
        return checksum

Interestingly, when Payouts King uses FNV1 hashes to resolve strings, the seed value is unique per obfuscated value. This defeats tools that rely on large precomputed hash tables to quickly determine the original string. Payouts King also contains a significant number of strings that are obfuscated through stack-based arrays of QWORDs, which are used to construct individual encrypted strings and the corresponding XOR keys to decrypt them.

Command-line arguments

Similar to most ransomware families, Payouts King supports command-line arguments to enable or disable specific functionality. However, the Payouts King command-line arguments are obfuscated with the custom CRC checksum function described in the section above. Despite this, ThreatLabz was able to determine the original string arguments for all of the command-line checksum values. The Payouts King command-line arguments are summarized in the table below.

CRC Checksum | Parameter | Description
0x40e9525 | -backup | Use backup files when performing file encryption.
0xf7fc5542 | -noelevate | Do not try to elevate privileges.
0xd0956b64 | -nohide | Do not hide the window.
0xc66b13e4 | -i [string] | Identity (used for verification).
0xc66d24e4 | -log [filename] | Log file path.
0x2d617286 | -mode [all, local, share] | Encryption mode (encrypt all files, local disks, or network shares).
0xe7ef1cf4 | -note | Drop the ransom note to the disk.
0x3659830f | -path [path] | Encrypt files starting at the specified path.
0x115feaa8 | -percent [integer] | Percentage of file content to encrypt.
0x3c145344 | -nopersist | Do not es
[…]
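To show how an analyst can recover switch names from checksums like those in the table, here is an added example (not code from the sample or from ThreatLabz) that reimplements the checksum above and hashes a constructed candidate wordlist against the published values; the wordlist and the function names are my own assumptions.

```python
# Added example, not Payouts King's code or ThreatLabz's tooling: resolve
# command-line switch checksums by hashing a candidate wordlist. The
# wordlist below is constructed here; the checksum values are the ones
# published in the table above.

def payouts_king_crc32(data: bytes) -> int:
    """Checksum described above: init 0, reflected poly 0xBDC65592, no
    final XOR. Each byte is OR'ed with 0x20, so ASCII letters case-fold."""
    checksum = 0
    poly = 0xBDC65592
    for byte in data:
        checksum ^= (byte | 0x20)
        for _ in range(8):
            checksum = (checksum >> 1) ^ poly if checksum & 1 else checksum >> 1
    return checksum & 0xFFFFFFFF

# Checksums from the parameter table (values as published on the page).
PUBLISHED_CHECKSUMS = [
    0x40e9525, 0xf7fc5542, 0xd0956b64, 0xc66b13e4, 0xc66d24e4,
    0x2d617286, 0xe7ef1cf4, 0x3659830f, 0x115feaa8, 0x3c145344,
]

# Constructed wordlist: switch names common across ransomware families
# plus decoys. Only the bare switch is hashed, not its argument.
CANDIDATES = [
    "-backup", "-noelevate", "-nohide", "-i", "-log", "-mode", "-note",
    "-path", "-percent", "-nopersist", "-nomutex", "-shutdown",
    "-safeboot", "-help", "-file", "-dir", "-pass", "-key", "-threads",
]

def build_lookup(words):
    """Hash each candidate once; case-folding means one spelling suffices."""
    lookup = {}
    for word in words:
        lookup.setdefault(payouts_king_crc32(word.encode()), word)
    return lookup

def resolve(checksums, words=CANDIDATES):
    """Map each checksum to a matching candidate, or None if no candidate
    produced it (those are the values left to recover by other means)."""
    lookup = build_lookup(words)
    return {c: lookup.get(c) for c in checksums}

if __name__ == "__main__":
    for checksum, name in resolve(PUBLISHED_CHECKSUMS).items():
        print(f"0x{checksum:08x} -> {name or '<unresolved>'}")
```

A published value that stays unresolved means the candidate list lacks that string, so the fix is to extend the list, not the checksum routine.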