Threat Intelligence Report December 23 - December 29 2025

PayoutsKing Ransomware

PayoutsKing is a relatively new ransomware/extortion group that emerged around mid-2025. Unlike many gangs, it explicitly claims not to operate as a Ransomware-as-a-Service (RaaS) and has no affiliates, meaning the core actors conduct attacks themselves. Within weeks of appearing, PayoutsKing accumulated numerous victims across different industries and countries. As of early July 2025, it had approximately 12 publicly claimed victims (about half in the U.S.), growing to over 20 by late July. By December 2025, the group had at least 43 victims listed on its dark web leak site, including organisations in manufacturing, healthcare, construction, education, finance, and more across the US, Europe, and elsewhere.

The group is profit-driven, focusing on double extortion – they encrypt files to disrupt victim operations and steal large volumes of data to pressure victims into paying. PayoutsKing's Tor leak site often initially redacts victim names (e.g. posting only a partial name) and later reveals the full identity along with proof of stolen data if ransom demands are not met. They have advertised extremely large data thefts (hundreds of GB to multiple TB of data) from some victims, underscoring the threat of sensitive information exposure.

Technically, PayoutsKing does not appear to introduce novel malware or techniques but rather uses established ransomware tactics effectively. Reports suggest their approach is pragmatic and opportunistic, exploiting common security gaps rather than advanced zero-days. Initial intrusion vectors are typically mundane – phishing emails carrying malware or credentials theft, reused or weak passwords, and exposed Remote Desktop services are frequently tied to their breaches. Once inside a network, the actors conduct internal reconnaissance and then deploy an encryption payload to lock files with the .payoutsking extension and drop a ransom note named PAYOUTS-README.txt.

In several cases, PayoutsKing also exfiltrated data before encryption, enabling them to threaten leaks (classic double-extortion). They maintain a Tor-based leak site for publishing stolen data and use an encrypted peer-to-peer Tox messenger ID for negotiations. The group employs sophisticated defence evasion techniques, including forcing systems into safe mode using bcdedit commands (similar to Snatch and Black Basta ransomware), which allows the ransomware to execute while security products are loaded with reduced functionality. They specifically target and terminate backup services, including Veeam and BackupExec, to prevent recovery.

PayoutsKing's rise in 2025 – from first sightings in June to dozens of victims by year's end – demonstrates how quickly a new group can inflict damage by leveraging common attack paths and aggressive extortion tactics. The group maintained operational activity throughout December 2025, with eight victims claimed between December 16-25, demonstrating continued threat operations. In summary, PayoutsKing is an independent ransomware operation defined by large-scale data theft, straightforward but effective techniques, and public shaming of victims to maximise pressure. It remains an active threat as of late 2025, with attacks observed in multiple regions.

Tactics, Techniques, and Procedures (TTPs)

PayoutsKing's operational TTPs align with many modern ransomware campaigns, combining credential-based intrusion, living-off-the-land tactics, data theft, and destruction of backups.

Initial Access

The group commonly gains entry via phishing and stolen or weak credentials. Spear-phishing emails carrying malware loaders or lures may be used to infect an initial machine. In other cases, PayoutsKing actors leverage compromised RDP/VPN accounts or other exposed remote services to directly access networks. There are no specific zero-day exploits attributed to PayoutsKing as of December 2025.

Execution

Once inside, the attackers execute the ransomware payload on target systems, often after hours or during weekends to avoid immediate detection. After gaining domain admin privileges, they might distribute the ransomware binary via SMB file shares or Active Directory group policy, then launch it using PowerShell or PsExec. The malware encrypts files on infected machines, appending the .payoutsking extension.

Privilege Escalation & Lateral Movement

The attackers harvest credentials using tools like Mimikatz or LSASS dumping to obtain admin hashes/passwords. Using these credentials, PayoutsKing moves laterally through SMB/Windows Admin Shares or Remote Desktop connections. They use PsExec/WMIC to remotely execute the ransomware on multiple machines, employing network discovery commands to map the environment.

Defence Evasion

PayoutsKing disables antivirus and endpoint security tools, turning off Microsoft Defender's real-time protection via registry or PowerShell. They inhibit system recovery by deleting backups and shadow copies using commands like vssadmin delete shadows /all /quiet or wmic shadowcopy delete.

A distinctive technique is safe boot modification via bcdedit /set {current} safeboot minimal. This forces infected systems to reboot into safe mode, where security products load with significantly reduced functionality. This technique, previously observed in Snatch and Black Basta ransomware, allows the encryption payload to execute with minimal interference. PayoutsKing specifically targets backup services using the sc stop VeeamTransportSvc and sc stop BackupExecAgentAccelerator commands.

Collection & Exfiltration

Data theft prior to encryption is a defining trait. The attackers locate sensitive data and exfiltrate hundreds of gigabytes to terabytes. Given PayoutsKing's use of Tor infrastructure, they likely exfiltrate data via encrypted channels to their dedicated .onion file servers. By the time ransomware is detonated, data has typically already been exfiltrated.

Command-and-Control

PayoutsKing does not use a long-running C2 beacon or custom backdoor. Communication for extortion is handled out-of-band using a TOX ID for peer-to-peer encrypted chat with victims, rather than a web portal or email. The leak site is on Tor with instructions to use Tox.

Impact

The primary impact is file encryption rendering systems unusable. PayoutsKing's ransomware encrypts files with the .payoutsking extension and drops the PAYOUTS-README.txt ransom note. If the ransom is not paid within the deadline, the group publishes stolen data on its leak site. They maximise damage by deleting backups and sometimes deleting log files or using anti-forensic measures.

MITRE ATT&CK Matrix for PayoutsKing

Indicators of Compromise (IOCs)

File Indicators

Network Infrastructure

Tor Hidden Services:
Primary Leak Site: payoutsgn7cy6uliwevdqspncjpfxpmzgirwl2au65la7rfs5x3qnbqd.onion

Alternative Leak Site:
payouts7dlsgwf2rlbnfuvq27wlxud3nfbxbpbxvn4ehx3vwpwpwoydqd.onion

File Server 1:
v2mw3spxqhggig5zjd6tjnfamwntrprreij3dq77jlq74dduyjafeead.onion

File Server 2:
c6nrwsloenpiat7zilh243nvhe7a3edsfm3ct3kpxhu2fv7z36ksjcad.onion

Communication Infrastructure

Tox Messenger ID: 535F403A2EA2DC71A392E18D7DB77FEF70845C0B7E5B9114CD30D301870304379C3547E324E2

Process Artifacts

Remote Access Tools

Registry Modifications

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRealtimeMonitoring = 1

CE 5.5 MITIGATION

• Enable Anti-Phishing (all engines ON) – Signature, heuristic, SSL-mismatch and cloaked-URL detection to block phishing-led initial access.
• Enforce Web Filter policies – Block malicious categories, newly registered domains, risky MIME types and executable file extensions.
• Apply IDPS with network segmentation – Monitor lateral movement, exploit attempts and admin tool abuse with Security policy set to Alert.
• Activate DLP in Alert/Reject mode – Detect and disrupt outbound exfiltration of sensitive data used in double-extortion attacks.
• Enable SIEM Agent and alert escalation – Centralise ransomware indicators and accelerate SOC response through CE 5.5 event correlation.
• Deploy Anti-Malware File Scanner – Scan, quarantine and alert on dropped ransomware payloads and staging artifacts.

Ransomware Victims Worldwide

The United States remained the primary hotspot for ransomware activity, accounting for 40.44% of all identified victims. That means roughly four out of every ten known cases during this period were US-based, keeping it far ahead of any other single country in terms of exposure.

A strong second tier consisted of Germany (6.56%), Canada (6.01%), Brazil (4.92%), and the United Kingdom (3.83%). Together, these major economies formed the bulk of non-U.S. activity, reflecting mature digital infrastructure, high incident visibility, and attractive victim profiles for extortion operators.

A broad mid-band followed, led by Japan and Malaysia (each 2.73%), Italy (2.19%), and a cluster including France, Australia, Spain, Thailand, and Poland (each 1.64%). Beneath them, countries such as Peru, Paraguay, Tunisia, Guatemala, Bolivia, Finland, Argentina, New Zealand, Mexico (each 1.09%) showed that both established and emerging markets continue to feature regularly in victim data.

Below that, a long tail of single-incident geographies, Belgium, Singapore, Iran, Slovakia, Denmark, Chile, Oman, Egypt, Taiwan, Netherlands, Cyprus, China, Ireland, India, South Africa, Slovenia, Serbia, Switzerland, Bulgaria, Portugal, Russia, and Czech Republic (each 0.55%), appeared at low individual volumes. While each contributes only a small fraction, their combined footprint underlines that ransomware remains a globally distributed problem, touching dozens of countries rather than being confined to a handful of high-profile targets.