Payouts King

Payouts King is an emerging ransomware group first observed in April 2025, with activity increasing notably in early 2026. Multiple sources in the provided content describe it as linked with former BlackBasta affiliates, and reporting associates it with the GOLD ENCOUNTER threat group. The content characterizes Payouts King as carrying forward tradecraft associated with the now-defunct BlackBasta operation. The group’s intrusion patterns include spam bombing, phishing/vishing, Microsoft Teams social engineering, and abuse of Quick Assist for remote access, often by impersonating IT support staff. Additional initial access observed in reporting includes exploitation of exposed SonicWall VPNs, Cisco SSL VPNs, SolarWinds Web Help Desk CVE-2025-26399, and broader vulnerability abuse. After access, Payouts King deploys malware to establish a foothold, seeks elevated or SYSTEM privileges, steals sensitive data, and selectively encrypts files as part of a double-extortion model. The group operates a Tor-based dark web leak site and uses ransom notes named readme_locker.txt directing victims to contact the operators via TOX. The ransomware uses AES-256-CTR with RSA-4096, with per-file pseudorandom keys and partial encryption for files larger than 10 MB, dividing large files into 13 blocks. Observed samples append the .ZWIAAW extension to encrypted files. The malware includes substantial defense evasion and anti-analysis features, including runtime string decryption, hashed API resolution, custom checksum-based obfuscation, direct system calls to bypass EDR hooks, and conditional execution tied to command-line identity validation. It also targets security tooling by checking running processes against a hardcoded list of 131 antivirus and EDR-related values and attempting termination. Post-encryption actions described in the content include deleting shadow copies, clearing event logs, and emptying the recycle bin. The content also describes a notable covert execution technique in which Payouts King used QEMU to run hidden Alpine Linux virtual machines on compromised systems, including reverse SSH tunneling and use of tools such as AdaptixC2, Chisel, BusyBox, and Rclone. Sophos tracked related activity as STAC4713 and linked it to Payouts King and GOLD ENCOUNTER. Victim references in the provided content include organizations in healthcare, manufacturing, automotive supply, construction, and other sectors, including Crenshaw Community Hospital, Gerd Bär GmbH, Rameder GmbH, and Chemirol. The content explicitly describes Payouts King as a ransomware group; it does not directly state nation-state attribution.