CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls

Cybersecurity News Archived Jun 04, 2026 ✓ Full text saved

A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025. While it spent most of last year flying under the radar, early 2026 brought a noticeable spike in activity tied to former affiliates of the now-defunct BlackBasta operation. The group targets organizations through well-worn […] The post Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Security awareness training Threat intelligence reports Routers HomeCyber Security News Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls By Tushar Subhra Dutta June 4, 2026 A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025. While it spent most of last year flying under the radar, early 2026 brought a noticeable spike in activity tied to former affiliates of the now-defunct BlackBasta operation. The group targets organizations through well-worn but effective tactics, stealing large volumes of sensitive data before selectively encrypting files on compromised systems. BlackBasta, which had operated as a successor to the notorious Conti ransomware group since February 2022, collapsed in February 2025 after its internal chat logs were leaked online. That exposure forced the group to disband, but it did not stop the individuals behind the attacks. Many of its former affiliates simply carried on under different banners, deploying other ransomware families like Cactus and, more recently, aligning with Payouts King. Zscaler identified these attacks and published a report shared with Cyber Security News (CSN) confirming they could attribute some of this renewed activity to the Payouts King ransomware group with high confidence. The researchers noted that attack patterns closely matched those seen in previous BlackBasta campaigns, including the same social engineering playbook. The initial infection typically begins with spam bombing, where the attacker floods a target’s inbox with large volumes of junk email. They then impersonate an IT support employee, reaching out via Microsoft Teams and convincing the victim to initiate a Quick Assist session. Once access is granted, the attacker drops malware on the system, quietly establishing a foothold inside the organization’s network. From there, Payouts King moves quickly. It attempts to gain full system-level privileges, deletes Windows shadow copies to block recovery, clears event logs to slow forensic investigations, and empties the recycle bin before starting encryption. The group also operates a dark web data leak site, adding pressure on victims to pay by threatening to publish stolen information. Payouts King Ransomware Evades EDR One of the most notable aspects of this ransomware is how aggressively it works to avoid detection. It builds and decrypts strings on the fly rather than storing them as readable text, making static analysis much harder. It also resolves Windows functions using hash values instead of plain names, and applies a custom checksum algorithm with a unique seed per value, defeating tools that rely on pre-built hash tables to identify malware. Payouts King ransomware note (Source – Zscaler) When a file cannot be opened for encryption since a security tool has locked it, the ransomware scans all running processes and checks them against a list of 131 known antivirus and endpoint detection software processes. Rather than using standard Windows API calls to terminate these tools, it uses direct system calls that bypass the hooks most endpoint detection products depend on to catch suspicious activity. Encryption Design and Defense Evasion Payouts King uses 4,096-bit RSA combined with 256-bit AES in counter mode for encryption, with a statically linked OpenSSL library embedded in the malware. Files under 10MB are fully encrypted, while larger files are split into 13 blocks with only half of each encrypted, a method designed to speed up attacks without reducing their impact. The ransomware avoids calling standard Windows file rename functions after encryption, instead using a lower-level call that most security tools do not monitor. Payouts King ransomware data leak site (Source – Zscaler) Encrypted files receive the extension .ZWIAAW, and the ransom note named readme_locker.txt is only dropped when a specific command-line flag is provided at runtime, making automated sandbox analysis considerably harder. To defend against threats like this, organizations should prioritize user awareness training focused on spotting fake tech support requests over platforms like Microsoft Teams. Enforcing multi-factor authentication across all accounts and closely monitoring for unusual use of remote access tools like Quick Assist are also critical. Security teams should also invest in proactive threat hunting rather than relying entirely on automated detection to catch advanced threats like Payouts King. Indicators of Compromise (IoCs):- Type Indicator Description SHA256 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4 Payouts King ransomware sample SHA256 d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2 Payouts King ransomware sample File Extension .ZWIAAW Encrypted file extension appended by Payouts King File Name readme_locker.txt Ransom note dropped on victim’s desktop File Extension .esVnyj Temporary backup file extension used during encryption Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News VS Code Remote-SSH RCE Lets Attackers Pivot From Developer Machines to Cloud Servers Claude Opus 4.8 Released With Ability to Work as an Experienced Engineer Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code Latest News Cyber Security News Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware Cyber Security Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System Cyber Security News Cisco Unified Communications Manager Vulnerability Exposed Along With PoC Exploit Code Android CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks Cyber Security News Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗