Payouts King
Payouts King is a ransomware group first observed in April 2025 that became more active in early 2026. Multiple reports link it to former BlackBasta affiliates, and some reporting associates the operation with the GOLD ENCOUNTER threat group. The group is described as carrying forward BlackBasta-like tradecraft following BlackBasta's collapse in February 2025.

Payouts King commonly uses social-engineering-heavy initial access, including spam bombing (email bombing), impersonation of IT staff over Microsoft Teams, and abuse of Quick Assist to obtain remote access. Reporting also links the group or associated activity to exposed SonicWall VPNs, Cisco SSL VPNs, exploitation of SolarWinds Web Help Desk CVE-2025-26399, and broader VPN exploitation and vulnerability abuse. Some activity has been linked to an initial access broker tied to the group.

After access, Payouts King steals sensitive data and conducts double extortion via a Tor-based leak site. Victim examples named in the collected reporting include Crenshaw Community Hospital, Gerd Bär GmbH, Rameder Anhängerkupplungen und Autoteile GmbH / Rameder GmbH, and Chemirol. The group has been reported claiming 53 GB stolen from Crenshaw Community Hospital and roughly 1.4 TB from Rameder. Resecurity reporting cited in the collected sources states that, in its client cases, Payouts King kept its word about deleting data after payment and did not re-extort those clients.

The ransomware uses RSA-4096 and AES-256-CTR, appends the .ZWIAAW extension to encrypted files, and drops the ransom note readme_locker.txt, which directs victims to contact the operators via Tox and references the group's Tor-based leak site. It encrypts files selectively: smaller files are fully encrypted, while larger files are partially encrypted in 13 blocks.
Reported anti-analysis and defense-evasion features include runtime string decryption, stack-built encrypted strings, hashed API resolution, FNV-1 hashing with unique seeds, a custom CRC checksum algorithm, direct system calls to bypass EDR hooks, conditional execution requiring a validated identity parameter, and termination of security tools from a hardcoded list of 131 AV/EDR-related processes. Post-encryption actions include deleting shadow copies, clearing event logs, and emptying the recycle bin.

The group has also been associated with virtualization-based evasion. Sophos-linked reporting describes campaigns in which attackers used QEMU to launch hidden Alpine Linux virtual machines on compromised systems, including reverse SSH tunneling, covert execution, and tooling such as AdaptixC2, Chisel, BusyBox, and Rclone. In one tracked campaign, attackers created a scheduled task named TPMProfiler to launch the hidden VM as SYSTEM.

Reporting also links Payouts King-associated activity to Microsoft Teams social engineering and Quick Assist delivery of malware, including Havoc C2 sideloading in some incidents. Separate reporting linked an initial access broker tied to Payouts King to the Edgecution campaign, which used a malicious Microsoft Edge extension plus a Python backdoor to escape the browser sandbox via Chrome native messaging, collect system information, browse files, execute commands, run PowerShell, and process attacker-supplied Python code. Known aliases directly mentioned in the collected reporting are limited to Payouts King and payouts_king.
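As an added illustration (not code from this profile, from Mallory, or from any cited vendor), the following Python pass runs three detection rules over constructed endpoint events for the behaviours described above: the TPMProfiler scheduled task that launched a hidden QEMU guest as SYSTEM, headless QEMU process creation, and creation of .ZWIAAW files or the readme_locker.txt note. The event dictionaries, field names, and the headless QEMU switches (-display none, -nographic) are assumptions for the example; the page does not state how QEMU was invoked.

```python
import re
from collections import Counter

# Constructed sample events (Security 4698 = task created, Sysmon 1 = process, Sysmon 11 = file).
EVENTS = [
    {"id": 4698, "user": r"NT AUTHORITY\SYSTEM", "task": r"\TPMProfiler",
     "cmd": r"C:\ProgramData\qemu\qemu-system-x86_64.exe -display none -hda alpine.qcow2"},
    {"id": 4698, "user": r"CORP\backupsvc", "task": r"\NightlyBackup", "cmd": r"C:\Tools\backup.exe"},
    {"id": 1, "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "cmd": "qemu-system-x86_64.exe -nographic -hda alpine.qcow2"},
    {"id": 11, "user": r"CORP\alice", "path": r"C:\Users\alice\Documents\q3.xlsx.ZWIAAW"},
    {"id": 11, "user": r"CORP\alice", "path": r"C:\Users\alice\Documents\readme_locker.txt"},
    {"id": 11, "user": r"CORP\alice", "path": r"C:\Users\alice\Documents\notes.txt"},
]

QEMU_RE = re.compile(r"qemu-system-\w+(\.exe)?", re.I)
# Assumed headless switches; the reporting only says the VMs were hidden, not how QEMU was launched.
HEADLESS_RE = re.compile(r"-display\s+none|-nographic", re.I)

def rule_hidden_vm_task(ev):
    """Task named TPMProfiler, or any SYSTEM-created task that launches a headless QEMU guest."""
    if ev.get("id") != 4698:
        return None
    named = ev["task"].lower().endswith("tpmprofiler")
    headless = QEMU_RE.search(ev["cmd"]) and HEADLESS_RE.search(ev["cmd"])
    system = ev["user"].upper().endswith("SYSTEM")
    return "hidden_vm_task" if named or (headless and system) else None

def rule_headless_qemu_process(ev):
    """Process creation of a headless QEMU guest (hypervisor abuse for covert execution)."""
    if ev.get("id") == 1 and QEMU_RE.search(ev["image"]) and HEADLESS_RE.search(ev["cmd"]):
        return "headless_qemu_process"
    return None

def rule_ransomware_artifacts(ev):
    """File creation of the .ZWIAAW extension or the readme_locker.txt ransom note."""
    if ev.get("id") != 11:
        return None
    name = ev["path"].rsplit("\\", 1)[-1].lower()
    return "ransomware_artifact" if name.endswith(".zwiaaw") or name == "readme_locker.txt" else None

RULES = (rule_hidden_vm_task, rule_headless_qemu_process, rule_ransomware_artifacts)

def scan(events):
    """Return a Counter of how often each rule fired across the event stream."""
    hits = Counter()
    for ev in events:
        hits.update(tag for tag in (rule(ev) for rule in RULES) if tag)
    return hits

if __name__ == "__main__":
    print(dict(scan(EVENTS)))
```

In production the same rules would be expressed as Sigma/EDR queries against real telemetry; the ransomware-artifact rule is a post-encryption signal, so the task and process rules are the ones that can fire before damage.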
Tradecraft
40 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Referenced as the ransomware group tied to the initial access broker linked to the Edgecution malware campaign.
Ransomware group active since April 2025, with increased activity in early 2026 linked to former BlackBasta affiliates. It conducts double-extortion style attacks by stealing sensitive data and selectively encrypting files, while operating a dark web leak site to pressure victims.
A ransomware operation tied to GOLD ENCOUNTER that uses virtualization-backed evasion, covert execution, and enterprise-focused post-compromise activity.
Linked to inbox-flooding and fake IT support social-engineering campaigns conducted via Microsoft Teams to trick users into granting remote access, leading to endpoint compromise and data exfiltration.