Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls
ID: c6cfbb43-0b17-5b6f-8148-40e549046778
STIX ID: report--c6cfbb43-0b17-5b6f-8148-40e549046778
Feed Name: cybersecurityNews.com
This report describes Payouts King, a ransomware group active since April 2025 and linked to former BlackBasta affiliates. It outlines the group's typical attack chain (spam bombing, social engineering over Microsoft Teams to initiate a Quick Assist session, then the malware drop) and its aggressive EDR evasion techniques (runtime string decryption, hash-based Windows API resolution, a custom checksum routine, and direct syscalls). The encryption scheme combines RSA-4096 with AES-256-CTR and uses partial encryption for large files. Operational actions include privilege escalation, shadow copy deletion, log clearing, and recycle bin emptying; the group also runs a dark web leak site. Reported IoCs are two SHA256 hashes, the encrypted-file extension .ZWIAAW, the ransom note readme_locker.txt, and the temporary extension .esVnyj. Remedial advice covers MFA, user awareness training for fake tech support approaches, monitoring of remote access tools, and proactive threat hunting.
