Payouts King Ransomware Uses Obfuscation and Direct System Calls to Evade EDR Tools


Payouts King is emerging as a post-BlackBasta ransomware threat that combines social engineering, data theft, selective file encryption, and advanced endpoint evasion. The group first appeared in 2025, but activity linked to former BlackBasta initial access brokers increased in early 2026.

Zscaler ThreatLabz said it has attributed some of this activity to Payouts King with high confidence. The attacks use familiar BlackBasta-style tactics, including spam bombing, Microsoft Teams impersonation, and remote support abuse through Microsoft Quick Assist.

The ransomware stands out because it tries to stay ahead of endpoint detection and response products. It hides strings, resolves Windows APIs by hashes, uses a custom checksum algorithm, and relies on direct system calls to terminate security-related processes instead of using higher-level Windows API calls that security products often monitor.

How Payouts King attacks begin

The intrusion pattern starts with social engineering rather than a technical exploit. Attackers flood the target’s inbox with spam, then pose as internal IT support staff and contact the victim through Microsoft Teams or another communication channel.

The victim is then pushed into starting a remote support session with Microsoft Quick Assist, a legitimate Windows support tool. Once the attacker gains remote access, they deploy malware, establish a foothold, and move deeper into the network.

This technique works because it abuses trusted tools and routine help desk behavior. Employees may believe they are resolving an email problem, account issue, or device error, while the attacker uses the session to stage ransomware activity.

| Attack phase | Observed behavior | Risk to organizations |
|---|---|---|
| Initial contact | Spam bombing followed by fake IT support messages | Creates urgency and makes the victim more likely to accept help |
| Remote access | Victim is guided into a Quick Assist session | Attacker gains hands-on control of the endpoint |
| Foothold | Malware is deployed after the support session begins | Attackers can begin credential theft and lateral movement |
| Impact preparation | Backups, logs, and recovery options are targeted | Recovery becomes harder after encryption starts |
| Extortion | Files are encrypted and stolen data is threatened on a leak site | Victims face operational disruption and data exposure pressure |

BlackBasta emerged in 2022 after the Conti ransomware ecosystem fractured. It later became one of the most active ransomware operations before its internal chat logs leaked in February 2025, damaging the brand and pushing affiliates toward other groups.

Payouts King fits that broader shift. When a ransomware brand collapses, affiliates, initial access brokers, and tooling do not simply disappear. They often move to new ransomware programs, reuse proven intrusion methods, and continue targeting organizations under a different name.

The result is a ransomware market where groups can change labels faster than defenders can update training materials. Payouts King shows how older tradecraft can reappear with newer malware that places more emphasis on evasion and fast encryption.

How Payouts King evades security tools

Payouts King uses several layers of obfuscation to slow analysis. It builds and decrypts strings on the stack instead of storing them as readable text. It also resolves important Windows functions through hashed values, which makes static detection harder.

The malware uses FNV1 hashes and a custom CRC checksum algorithm, both with non-standard seed values. Those seeds make it more difficult for analysts and automated tools to map hashes back to function names using precomputed tables.
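An added analyst example (not Zscaler's or the malware's code) of why a custom seed defeats precomputed tables, and how one name/hash pair observed during dynamic analysis lets a defender run FNV-1 backwards, recover the seed, and rebuild the table. It assumes the 32-bit FNV-1 variant (multiply, then XOR); the seed value, the API name list and the hash list are constructed placeholders.

```python
from __future__ import annotations

# Added analyst example (not Zscaler's or the malware's code). Assumes the 32-bit
# FNV-1 variant (multiply, then XOR); the seed and hash list below are constructed.
FNV_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF
FNV_PRIME_INV = pow(FNV_PRIME, -1, 2**32)   # the prime is odd, so it has an inverse mod 2^32
STD_BASIS = 0x811C9DC5                      # the standard FNV offset basis

def fnv1_32(data: bytes, seed: int = STD_BASIS) -> int:
    """FNV-1 with a configurable offset basis (the 'seed' a malware author can change)."""
    h = seed
    for b in data:
        h = (h * FNV_PRIME) & MASK32
        h ^= b
    return h

def recover_seed(known_name: bytes, known_hash: int) -> int:
    """Run FNV-1 backwards from one (name, hash) pair seen at runtime:
    undo the XOR, then multiply by the modular inverse of the prime."""
    h = known_hash
    for b in reversed(known_name):
        h ^= b
        h = (h * FNV_PRIME_INV) & MASK32
    return h

def resolve_hashes(unknown: list[int], candidates: list[str], seed: int) -> dict[int, str]:
    """Rebuild the lookup table under a given seed and name every hash that matches."""
    table = {fnv1_32(n.encode(), seed): n for n in candidates}
    return {h: table[h] for h in unknown if h in table}

# Constructed scenario: a sample that hashes API names with a non-standard seed (placeholder).
CUSTOM_SEED = 0x5EED0001
API_NAMES = ["ZwOpenProcess", "ZwTerminateProcess", "LoadLibraryA", "GetProcAddress"]
HASH_LIST = [fnv1_32(n.encode(), CUSTOM_SEED) for n in API_NAMES]  # stands in for the sample's table

def demo() -> dict[int, str]:
    # A table precomputed with the standard basis resolves nothing...
    assert resolve_hashes(HASH_LIST, API_NAMES, STD_BASIS) == {}
    # ...but one pair (the hash the sample resolved to ZwOpenProcess under a debugger)
    # gives back the seed, after which every entry in the list can be named.
    seed = recover_seed(b"ZwOpenProcess", HASH_LIST[0])
    return resolve_hashes(HASH_LIST, API_NAMES, seed)

if __name__ == "__main__":
    for h, name in demo().items():
        print(f"{h:08x} -> {name}")
```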

When Payouts King cannot open a file because another process has locked it, it checks running process names against a list of 131 hardcoded checksum values. Many of those entries match antivirus and EDR products. The ransomware then tries to terminate the matching process.

| Evasion method | What it does |
|---|---|
| Stack-based string obfuscation | Builds strings at runtime instead of storing plain text |
| API hashing | Resolves Windows functions through hash values |
| Custom CRC checksums | Complicates automated hash reversal and malware analysis |
| Direct system calls | Aims to bypass hooks used by many endpoint security products |
| Conditional ransom note behavior | Drops the note only when a specific command-line option is used |

Direct system calls help it avoid EDR hooks

Many endpoint security products watch standard Windows API calls for suspicious behavior. Payouts King tries to avoid that visibility by using lower-level direct system calls when it terminates security-related processes.

[Image: Payouts King ransomware note (Source – Zscaler)]

The ransomware builds a table of Zw functions from the loaded ntdll module, then uses runtime mapping to identify functions such as ZwOpenProcess and ZwTerminateProcess. This approach reduces reliance on monitored API layers.

MITRE ATT&CK tracks native API abuse as a technique used by adversaries to interact directly with operating system functions. In ransomware operations, that behavior can make process termination, file handling, and defense evasion harder to detect through basic API monitoring alone.

Encryption design and recovery pressure

Payouts King uses 4,096-bit RSA and 256-bit AES in counter mode, with OpenSSL statically linked inside the malware. Each file receives its own generated encryption key and nonce, while the file encryption parameters are protected with RSA.

ThreatLabz researchers said files smaller than 10MB are fully encrypted. Larger files are split into 13 blocks, with only half of each block encrypted to speed up the attack while still making files unusable.

The ransomware appends the .ZWIAAW extension to encrypted files. It also uses the .esVnyj extension for temporary backup files during encryption and can drop a ransom note named readme_locker.txt when launched with the correct runtime option.

  • The ransomware deletes Windows shadow copies with vssadmin.
  • It clears Windows event logs to hinder investigations.
  • It empties the recycle bin to remove recoverable deleted files.
  • It skips certain Windows system directories to avoid breaking the operating system too early.
  • It renames encrypted files through a lower-level file rename method instead of common Windows rename functions.

Why the ransom note behavior matters

Payouts King does not always drop its ransom note during automated analysis. The note appears only when the ransomware runs with a specific command-line parameter. That design can limit what sandbox systems observe if they execute the sample without the right arguments.

This also makes the ransomware more operator-controlled. Attackers can choose when to encrypt, when to establish persistence, when to delay execution, and whether to write the ransom note to disk.

The group also operates a data leak site, which supports double extortion. Victims face pressure not only from encrypted files but also from the risk that stolen data will be published if they refuse to pay.

How organizations can reduce exposure

Organizations should treat spam bombing followed by a support call or Teams message as a possible intrusion attempt. Employees should know that real IT teams do not ask users to join unexpected remote control sessions through informal messages.

Companies should restrict or closely monitor Quick Assist remote sessions, especially when they follow inbox flooding or unsolicited support contact. Administrators should also review whether the tool should be disabled or limited on managed devices.

The CISA ransomware guide recommends preparation, offline backups, incident response planning, MFA, least privilege, and network segmentation. Those controls matter against Payouts King because the group tries to remove recovery paths before encryption begins.

  • Train users to report spam bombing and unexpected IT support contact immediately.
  • Block or restrict unauthorized remote support tools.
  • Monitor Teams messages that direct users to start remote assistance sessions.
  • Alert on vssadmin shadow copy deletion, event log clearing, and recycle bin clearing.
  • Hunt for scheduled tasks created under misleading browser or update names.
  • Use tamper protection and EDR hardening where available.
  • Keep offline and immutable backups that ransomware cannot delete.

Detection priorities for security teams

Security teams should not rely only on file hashes. Payouts King’s behavior gives defenders several better hunting opportunities, including spam-bombing spikes, suspicious remote support sessions, process termination attempts against security tools, shadow copy deletion, and file renaming at scale.
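An added detection example (not Zscaler's or any vendor's rule set) covering the indicators named in the mitigation list above and in this paragraph: vssadmin shadow copy deletion, event log clearing, and file renaming at scale to the reported .ZWIAAW and .esVnyj extensions. The telemetry format, the rename threshold and window, and the sample events are constructed assumptions; Security event 1102 and System event 104 are the standard Windows "log was cleared" events.

```python
from __future__ import annotations
from collections import defaultdict, deque

# Added detection example (not Zscaler's code). Telemetry shape and thresholds are assumptions.
RANSOM_EXTS = (".zwiaaw", ".esvnyj")   # final and temporary extensions reported for Payouts King
RENAME_THRESHOLD = 20                  # assumed: renames from one process within RENAME_WINDOW
RENAME_WINDOW = 10.0                   # seconds
CLEARED_LOG_IDS = {1102, 104}          # Security "audit log was cleared", System "log file was cleared"

def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, pid) alerts; the mass-rename rule fires at most once per process."""
    alerts: list[tuple[str, int]] = []
    renames: dict[int, deque] = defaultdict(deque)   # sliding window of rename timestamps per pid
    flagged: set[int] = set()
    for ev in events:
        if ev["type"] == "process":
            image, cmd = ev["image"].lower(), ev["cmdline"].lower()
            if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", ev["pid"]))
            elif image.endswith("wevtutil.exe") and " cl " in f" {cmd} ":
                alerts.append(("event_log_clearing_cmd", ev["pid"]))
        elif ev["type"] == "eventlog" and ev["event_id"] in CLEARED_LOG_IDS:
            alerts.append(("event_log_cleared", ev["pid"]))
        elif ev["type"] == "rename" and ev["target"].lower().endswith(RANSOM_EXTS):
            q = renames[ev["pid"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > RENAME_WINDOW:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ev["pid"] not in flagged:
                flagged.add(ev["pid"])
                alerts.append(("mass_rename_ransom_ext", ev["pid"]))
    return alerts

def sample_events() -> list[dict]:
    """Constructed Sysmon-style telemetry, not real Payouts King logs."""
    ev = [
        {"type": "process", "ts": 0.0, "pid": 4100, "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "eventlog", "ts": 1.0, "pid": 4100, "event_id": 1102},
        {"type": "rename", "ts": 3.0, "pid": 4200, "target": r"C:\Users\u\Documents\report.docx.tmp"},
    ]
    # burst: 25 renames to the ransomware extension from one process in five seconds
    ev += [{"type": "rename", "ts": 5.0 + i * 0.2, "pid": 4300,
            "target": rf"C:\Users\u\Documents\file{i}.xlsx.ZWIAAW"} for i in range(25)]
    # trickle: matching renames from another process, spread out and under the threshold
    ev += [{"type": "rename", "ts": 100.0 + i * 30, "pid": 4400,
            "target": rf"C:\share\old{i}.pdf.ZWIAAW"} for i in range(5)]
    return ev

if __name__ == "__main__":
    for rule, pid in detect(sample_events()):
        print(f"ALERT {rule} pid={pid}")
```

Recycle bin clearing has no clean command-line signature in this telemetry model and is left out; the per-process window, not the extension alone, is what separates the encryption burst (pid 4300) from the slow trickle (pid 4400).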

[Image: Payouts King ransomware data leak site (Source – Zscaler)]

Endpoint teams should also watch for ransomware launched with parameters that control encryption mode, ransom note creation, delays, persistence, and target paths. The command-line behavior matters because the malware does not always run the same way in every environment.

MITRE’s Native API technique also gives defenders a useful framework for hunting malware that tries to bypass standard API monitoring. Combining behavioral analytics with hardened endpoint controls gives organizations a better chance of detecting direct-syscall ransomware activity before encryption completes.

Payouts King shows ransomware groups are adapting

Payouts King does not introduce a completely new ransomware playbook. Its operators still rely on social engineering, remote access, backup deletion, data theft, and extortion. The difference is how aggressively the malware tries to hide key functions and bypass endpoint defenses.

That makes prevention and early detection more important than recovery alone. Once attackers gain remote access, elevate privileges, disable defenses, and remove backup paths, defenders have far less time to stop encryption.

The StopRansomware guidance remains a practical baseline, but organizations also need specific controls for fake support schemes. Teams, Quick Assist, remote monitoring tools, and help desk workflows now sit directly in the ransomware attack path.

FAQ

What is Payouts King ransomware?

Payouts King is a ransomware group that emerged in 2025 and uses data theft, selective file encryption, and double extortion. Zscaler has linked some early 2026 activity to attacks consistent with former BlackBasta initial access brokers.

How does Payouts King gain initial access?

Observed campaigns use spam bombing followed by fake IT support contact through Microsoft Teams. Victims are then encouraged to start a Microsoft Quick Assist session, giving attackers remote access to deploy malware.

How does Payouts King evade EDR tools?

Payouts King hides strings, resolves Windows APIs by hashes, uses custom checksum logic, checks running processes for security tools, and uses direct system calls to terminate some processes instead of relying on standard Windows API calls.

What file extension does Payouts King use?

Payouts King appends the .ZWIAAW extension to encrypted files. Zscaler also reported a temporary backup extension, .esVnyj, used during the encryption process.

How can organizations defend against Payouts King?

Organizations should train users to report fake support requests, restrict Quick Assist and similar tools, enforce MFA, monitor for shadow copy deletion and log clearing, protect backups, use least privilege, and hunt for suspicious remote access activity.
