
Payouts Kings Ransomware

By Mezo in Ransomware

Protecting devices and corporate networks from malware has become a critical cybersecurity priority. Modern ransomware operations are no longer limited to encrypting files; they often involve data theft, extortion, and sophisticated social engineering tactics that can cripple entire organizations. One such threat is Payouts Kings Ransomware, a highly advanced malware strain that combines strong encryption with double-extortion techniques to maximize pressure on victims.

Payouts Kings Ransomware: An Emerging Cyber Extortion Threat

Payouts Kings is a ransomware family that surfaced in April 2025 and quickly attracted attention due to its advanced capabilities and apparent links to former affiliates of the notorious Black Basta ransomware operation. Following the disbandment of Black Basta after the leak of its internal communications, several experienced threat actors are believed to have regrouped under the Payouts Kings banner, bringing with them a high level of technical expertise and operational maturity.

Unlike opportunistic malware campaigns that target individual users, Payouts Kings primarily focuses on corporate environments. The attackers seek to gain access to organizational networks, move laterally through systems, steal sensitive information, and ultimately deploy ransomware across multiple devices simultaneously.

Encryption and File Locking Mechanisms

Once executed on a compromised system, Payouts Kings begins encrypting files using a combination of AES-256 and RSA-4096 encryption algorithms. Each file receives its own unique encryption key and initialization vector, making unauthorized decryption extraordinarily difficult.

The ransomware appends the hardcoded '.ZWIAAW' extension to every encrypted file. For example:

  • 1.png becomes 1.png.ZWIAAW
  • 2.pdf becomes 2.pdf.ZWIAAW
  • report.docx becomes report.docx.ZWIAAW

To further complicate recovery efforts, the malware deletes Windows Shadow Volume Copies. This action removes one of the operating system's built-in recovery mechanisms and significantly reduces the chances of restoring files without external backups.

At the time of analysis, no publicly available decryption utility exists for Payouts Kings, and recovering encrypted data without the attackers' decryption tools is generally considered impossible.

The Double-Extortion Strategy

Payouts Kings employs a double-extortion model that combines file encryption with data theft. After infiltrating a network, the operators exfiltrate a significant amount of confidential information before triggering the encryption process.

The malware creates a ransom note named readme_locker.txt, informing victims that both their files and sensitive company data have been compromised. Victims are instructed to contact the threat actors through the TOX messaging platform using a specified contact ID.

The note also imposes a strict seven-day deadline. If communication is not established within that timeframe, the attackers threaten to publish the stolen data on a website accessible through the Tor network. The ransom amount is not disclosed in the note and is instead negotiated directly with victims.

This approach places organizations under immense pressure, as even companies capable of restoring their systems from backups may still face the risk of confidential information being leaked publicly.
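As an added triage example (not code from the page's author or from the malware), the script below uses the two file-system indicators the write-up gives, the appended `.ZWIAAW` extension and the `readme_locker.txt` note, to inventory which directories were hit and to pull the contact ID and deadline out of the note for the incident record. The sample tree and the note text are constructed for the demo; the placeholder ID is not a real contact.

```python
import os
import re
import tempfile

ENCRYPTED_EXT = ".ZWIAAW"           # extension appended to every encrypted file
RANSOM_NOTE = "readme_locker.txt"   # ransom note the malware drops
NOTE_SAMPLE = (  # constructed note text following the page's layout, not a real sample
    "Add the following contact ID for further negotiations:\n"
    "EXAMPLE-TOX-ID-PLACEHOLDER\n"
    "In case you don't get in touch within 7 days, the exfiltrated data will be disclosed\n"
)

def classify_paths(paths):
    """Split file paths into encrypted files, ransom notes and recovered original names."""
    encrypted = [p for p in paths if p.endswith(ENCRYPTED_EXT)]
    notes = [p for p in paths if os.path.basename(p).lower() == RANSOM_NOTE]
    originals = [p[:-len(ENCRYPTED_EXT)] for p in encrypted]  # name before the extension was appended
    return {"encrypted": encrypted, "notes": notes, "originals": originals}

def parse_ransom_note(text):
    """Extract the contact ID and deadline an IR team records from the note."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"contact_id": None, "deadline_days": None}
    for i, ln in enumerate(lines):
        if "contact id" in ln.lower() and i + 1 < len(lines):
            info["contact_id"] = lines[i + 1]  # the ID sits on the line after the prompt
        m = re.search(r"within (\d+) days", ln)
        if m:
            info["deadline_days"] = int(m.group(1))
    return info

def scan_tree(root):
    """Walk a directory tree and report which directories were hit and what the notes say."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    result = classify_paths(paths)
    result["affected_dirs"] = sorted({os.path.dirname(p) for p in result["encrypted"]})
    result["note_info"] = [parse_ransom_note(open(n, encoding="utf-8").read()) for n in result["notes"]]
    return result

def demo():
    """Create a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "finance"))
    for name in ("1.png.ZWIAAW", "2.pdf.ZWIAAW", "clean.txt", "finance/report.docx.ZWIAAW"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "finance", RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write(NOTE_SAMPLE)
    return scan_tree(root)
```

Run `demo()` to see the report for the constructed tree; point `scan_tree()` at a mounted forensic image or file share to get the real inventory, which also doubles as the list of files to restore from backup.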

Initial Access and Infection Techniques

Payouts Kings primarily relies on social engineering to gain initial access to targeted environments. The operators often begin by overwhelming corporate inboxes with spam messages to create confusion and distract employees.

Attackers then contact staff members while impersonating IT support personnel. These communications may occur through telephone calls, a technique known as vishing, or through collaboration platforms such as Microsoft Teams. Employees are persuaded to launch Windows Quick Assist and grant remote access to their devices, unknowingly handing control of their systems to the attackers.

After establishing a foothold, the threat actors perform reconnaissance, move laterally across the network, steal valuable information, and deploy the ransomware payload on multiple systems.

Payouts Kings can also spread through more traditional malware delivery methods, including phishing emails, trojanized applications, pirated software, software cracks, fake updates, and downloads from untrustworthy sources.

Why Paying the Ransom Is a Risky Decision

Organizations affected by Payouts Kings may feel pressured to pay the ransom in an attempt to recover their data or prevent information leaks. However, paying cybercriminals carries significant risks.

There is no guarantee that the attackers will provide a functioning decryptor after receiving payment. In some incidents involving ransomware groups, victims have received defective tools or have been ignored entirely after transferring funds. Additionally, paying a ransom helps finance future criminal activities and encourages further attacks against other organizations.

Removing the ransomware from infected systems can stop additional encryption, but it does not restore already encrypted files. Recovery generally depends on the availability of secure backups that were created before the incident and stored offline or on isolated networks.

Strengthening Defenses Against Ransomware

Because sophisticated ransomware campaigns frequently rely on human error and inadequate security controls, organizations should adopt a layered defense strategy. The following practices significantly reduce the likelihood and impact of an attack:

  • Maintain regular offline and immutable backups of critical data.
  • Train employees to recognize phishing attempts, social engineering tactics, and suspicious remote-access requests.
  • Restrict the use of remote administration tools and require multi-factor authentication wherever possible.
  • Keep operating systems, applications, and security software fully updated.
  • Segment networks to prevent attackers from moving freely between systems.
  • Implement the principle of least privilege and regularly review user permissions.
  • Monitor network activity for unusual behavior and establish incident response procedures.
  • Avoid pirated software, unauthorized activation tools, and downloads from unreliable sources.

Modern ransomware groups invest considerable effort into bypassing traditional defenses, making proactive security measures and employee awareness essential components of cyber resilience.

Final Assessment

Payouts Kings Ransomware represents a highly sophisticated and dangerous cyber threat capable of causing severe operational disruption and significant data exposure. Its use of robust encryption, data exfiltration, and carefully orchestrated social engineering techniques demonstrates a level of professionalism commonly associated with experienced ransomware operators.

Organizations that fail to maintain strong security practices may find themselves facing both extensive data loss and reputational damage. Comprehensive backup strategies, employee education, and layered security controls remain the most effective defenses against threats such as Payouts Kings and the increasingly complex ransomware landscape.

System Messages

The following system messages may be associated with Payouts Kings Ransomware:

The files on the company's network have been encrypted, and significant amount of confidential data has been downloaded from it.
To recover your files to the initial state and prevent disclosure of your sensitive information contact us as soon as possible via the TOX chat platform.
- Download a TOX messaging client(hxxps://tox.chat);
- Create an account;
- Add the following contact ID for futher negotiations:
5CM015EMB74JMK24QOJH5AZSKNLO6BFH19W30QNRATE9JUKM1PVFEQ1N8N1NZGB0UMG3Q6OK66HB
In case you don't get in touch within 7 days, the exfiltrated data will be disclosed on our website:
[.onion URL]
