Emergence of Payouts King: New Ransomware Threat from Ex-BlackBasta Affiliates
Severity: High (Score: 63.5)
Sources: Gbhackers, Cybersecuritynews
Summary
The Payouts King ransomware operation has emerged as a significant cybersecurity threat, believed to be run by former affiliates of the defunct BlackBasta group. Since its inception in April 2025, Payouts King has executed targeted attacks focusing on high-value data theft and selective encryption, utilizing advanced obfuscation and encryption techniques. The group employs a sophisticated social-engineering playbook, making it difficult for antivirus and EDR tools to detect their activities. Their operations have remained largely under the radar, but they are now recognized as a serious threat to organizations handling sensitive data. The exact number of victims and the scope of the attacks remain unclear, but the group is noted for its aggressive tactics. Current cybersecurity measures may need to be reevaluated to counter this evolving threat. As of April 2026, Payouts King continues to operate actively.
Key Points
- Payouts King is linked to former BlackBasta affiliates and focuses on high-value data theft.
- The group uses advanced encryption and obfuscation techniques to evade detection.
- Since April 2025, Payouts King has conducted targeted attacks while remaining largely unnoticed.
Key Entities
- Ransomware (attack_type)
- T1027 - Obfuscated Files or Information (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1486 - Data Encrypted for Impact (mitre_attack)
- T1566 - Phishing (mitre_attack)
- BlackBasta (ransomware_group)
- Payouts King (ransomware_group)