Payouts King ransomware data leak site | Image: ThreatLabz
Following the high-profile disbandment of the BlackBasta ransomware group in early 2025, security researchers at Zscaler ThreatLabz have identified a potent new successor rising from its remnants: a group calling itself Payouts King.
Starting in early 2026, analysts began observing ransomware activity consistent with former BlackBasta affiliates. This new threat actor is not a Ransomware-as-a-Service (RaaS) operation, but a dedicated group focusing on high-value targets with a sophisticated technical arsenal.
The hallmark of Payouts King is its reliance on social engineering to gain initial access. The group frequently pairs “spam bombing” with “vishing” (voice phishing) to overwhelm and then deceive users.
The attack chain typically unfolds as follows:
- Spam Bombing: The victim is flooded with hundreds of legitimate-looking emails or notifications to create a sense of urgency and confusion.
- Vishing Call: A threat actor posing as IT support calls the victim to “help” resolve the notification storm.
- Tool Misuse: The actor directs the user to grant remote access via legitimate tools such as Microsoft Teams and Quick Assist.
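The spam-bomb-then-remote-tool chain above leaves a correlatable trace in telemetry. As an added illustration (not code from the ThreatLabz report), the following Python detector flags a user whose mailbox received a burst of inbound mail shortly before a remote-access tool such as Quick Assist started on their host; the log layout, thresholds, windows and process names are assumptions chosen for the example.

```python
"""Correlate a spam-bombing burst with a later remote-access tool start for the same
user. Added illustration only; the (timestamp, user, event, detail) layout, the
thresholds and the process names are assumptions, and the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_ACCESS_TOOLS = {"quickassist.exe", "ms-teams.exe"}  # assumed process names
MAIL_THRESHOLD = 100                 # mails inside FLOOD_WINDOW that count as a flood
FLOOD_WINDOW = timedelta(minutes=10)
FOLLOW_WINDOW = timedelta(hours=1)   # how soon after a flood a remote tool is suspicious


def build_sample_events():
    """Constructed sample: alice is flooded, then Quick Assist starts on her host;
    bob runs Quick Assist with only a normal trickle of mail beforehand."""
    base = datetime(2026, 2, 3, 9, 0, 0)
    events = [(base + timedelta(seconds=2 * i), "alice", "MAIL_RECEIVED",
               f"signup{i}@example.net") for i in range(150)]
    events.append((base + timedelta(minutes=12), "alice", "PROCESS_START", "quickassist.exe"))
    events.append((base + timedelta(minutes=1), "bob", "PROCESS_START", "QuickAssist.exe"))
    events += [(base + timedelta(minutes=3 * i), "bob", "MAIL_RECEIVED",
                f"colleague{i}@example.com") for i in range(20)]
    return sorted(events)


def flood_in(times):
    """True if any FLOOD_WINDOW-long span of the timestamps holds >= MAIL_THRESHOLD mails."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):          # sliding window over sorted arrival times
        while t - times[start] > FLOOD_WINDOW:
            start += 1
        if end - start + 1 >= MAIL_THRESHOLD:
            return True
    return False


def find_spam_bomb_then_remote_access(events):
    """Return (user, tool_start, tool) for each remote-tool start preceded by a mail flood."""
    mails = defaultdict(list)
    for ts, user, kind, _detail in events:
        if kind == "MAIL_RECEIVED":
            mails[user].append(ts)
    hits = []
    for ts, user, kind, detail in events:
        if kind != "PROCESS_START" or detail.lower() not in REMOTE_ACCESS_TOOLS:
            continue
        # Only mail that arrived inside the look-back window before the tool start counts.
        recent = [m for m in mails[user] if ts - FOLLOW_WINDOW - FLOOD_WINDOW <= m <= ts]
        if flood_in(recent):
            hits.append((user, ts, detail))
    return hits
```

In a real deployment the mail counts would come from the mail gateway and the process starts from EDR or Sysmon, keyed on the same user identity.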
As the report notes: “The emergence of Payouts King, driven by former BlackBasta affiliates, highlights the persistent and adaptive nature of the ransomware ecosystem”.
Once inside a network, Payouts King deploys a ransomware payload built to evade modern security defenses. The malware terminates processes through direct system calls and employs anti-analysis techniques including API and string hashing and stack-based string obfuscation.
The encryption process is equally robust:
“Payouts King itself is a sophisticated ransomware family, featuring robust encryption utilizing RSA and AES-256, alongside anti-analysis techniques like stack-based string obfuscation, API and string hashing, along with direct system calls for process termination”.
By issuing system calls directly rather than through the usual Windows API wrappers, the ransomware reaches the kernel without passing through the user-mode hooks that many antivirus and Endpoint Detection and Response (EDR) solutions rely on to monitor process activity.
The group’s data leak site reveals the scale of their operations. Their targets are global, with confirmed victims in Poland, the UK, France, Italy, Germany, and the USA.
The success of Payouts King serves as a critical warning for enterprise security teams. Because the group relies so heavily on human interaction and legitimate administrative tools, traditional software patches alone are insufficient.
“The continued success of Payouts King underscores the necessity for proactive threat hunting and continuous adaptation of security controls to match the ransomware groups’ relentless pursuit of the next lucrative payout,” the researchers conclude.