EXECUTIVE SUMMARY:
A newly identified ransomware known as Payouts King has emerged as a significant threat within the evolving cybercrime landscape, leveraging tactics historically associated with earlier high-profile ransomware ecosystems. The group is believed to be composed of experienced affiliates who have continued operations after earlier campaigns dissolved, maintaining a focus on high-impact intrusions. It is characterized by a combination of large-scale data exfiltration and selective file encryption, aiming to maximize pressure on victims through both operational disruption and the threat of data exposure.
The attack chain primarily relies on social engineering techniques such as spam flooding, phishing, and voice-based impersonation to trick victims into granting remote access through legitimate tools. Once initial access is established, attackers deploy malware to gain a foothold and move laterally within the network. The ransomware incorporates advanced evasion mechanisms, including string obfuscation, API hashing, and the use of direct system calls to bypass endpoint defenses. Persistence is achieved through scheduled tasks and privilege escalation techniques, while security tools are actively terminated to avoid detection. For encryption, the malware uses a combination of strong cryptographic algorithms, applying asymmetric and symmetric encryption to secure files. Additionally, it deletes backups, clears logs, and may encrypt only portions of files to accelerate execution while maintaining impact.
Payouts King highlights the continued evolution of ransomware ecosystems, where experienced threat actors reuse proven tactics while integrating more advanced evasion and encryption capabilities. Its reliance on social engineering combined with sophisticated technical mechanisms makes it a significant threat to organizations. The campaign underscores the importance of layered security strategies, including user awareness, strict access controls, monitoring of remote access tools, and proactive detection, to effectively mitigate the risk posed by such adaptable ransomware operations.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys Modification |
| Defense Evasion | T1070.001 | Indicator Removal | Clear Windows Event Logs |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1082 | System Information Discovery | Host and Network Enumeration |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Impact | T1486 | Data Encrypted for Impact | - |
| Impact | T1490 | Inhibit System Recovery | - |
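The summary notes that the ransomware establishes persistence through scheduled tasks, deletes backups and clears event logs. The following Python snippet is an added example, not part of this report or of any vendor tooling: it maps process-creation command lines to the T1053.005, T1490 and T1070.001 entries in the table above and flags a host only when several of those behaviours appear together, which is how a detection engineer would reduce false positives from a lone administrative command. The host names and command lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("host-a", "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\svc.exe /sc onlogon"),
    ("host-a", "vssadmin.exe delete shadows /all /quiet"),
    ("host-a", "wevtutil.exe cl Security"),
    ("host-b", "notepad.exe C:\\notes.txt"),
    ("host-b", "wevtutil.exe cl System"),
]

# Command-line patterns for three technique IDs listed in the threat profile.
# Each pattern covers the common built-in tools used for that behaviour.
RULES = {
    "T1053.005": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "T1490": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwbadmin(\.exe)?\s+delete\s+catalog\b"
        r"|\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
        re.I,
    ),
    "T1070.001": re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", re.I),
}


def match_techniques(events):
    """Return {host: set of technique IDs} for every command line that matches a rule."""
    hits = defaultdict(set)
    for host, cmdline in events:
        for technique_id, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[host].add(technique_id)
    return dict(hits)


def score_hosts(events, threshold=2):
    """Flag a host as 'alert' when it shows at least `threshold` distinct techniques,
    otherwise record a single hit as a low-priority 'note' for analyst review."""
    return {
        host: ("alert" if len(techniques) >= threshold else "note")
        for host, techniques in match_techniques(events).items()
    }


if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, verdict, sorted(match_techniques(SAMPLE_EVENTS)[host]))
```

In production the same rules would run against Sysmon Event ID 1 or Windows Security 4688 command-line fields rather than an in-memory list.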
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/payouts-king-rises-as-new-ransomware-threat/
https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne