# Payouts King Ransomware

**Type:** Independent Ransomware Operation - No Affiliate Model (self-declared "not RaaS")

**Also tracked as:** PayoutsKing (ransomware.live, RansomLook)

**First observed:** June 2025 (leak site active July 7, 2025 per ransomware.live)

**Status:** Active - 60 named leak site victims as of April 2026. 93 total posts on leak site per RansomLook. Last victim discovered Jan 14, 2026 per ransomware.live, but 3 new victims posted Mar 11, 2026 per Purple Ops. Leak site up with 100% uptime. Still operational, mid-tier volume operator.

---

## Threat Overview

Independent ransomware operation that explicitly states it does not operate as RaaS and accepts no affiliates. Double extortion model: file encryption plus data theft with leak site pressure. Opportunistic targeting with no apparent zero-day capability or custom tooling - relies on commodity initial access vectors (phishing, stolen credentials, exposed RDP/VPN). Not technically sophisticated.

No vendor has published a detailed binary analysis, MITRE mapping, or IR teardown. The group's significance comes from volume (60+ victims in ~9 months) and willingness to hit healthcare.

| Field | Value |
|---|---|
| Ransom note | `readme_locker.txt` (per ransomware.live template) |
| File extension | UNKNOWN - no public sample analysis |
| Contact | Tox ID: `535F403A...CF00EC8B57D4` (truncated) |
| Leak site | `payoutsgn7cy6uliwevdqspncjpfxpmzgirwl2au65la7rfs5x3qnbqd.onion` |
| File server | `v2mw3spxqhggig5zjd6tjnfamwntrprreij3dq77jlq74dduyjafeead.onion` (87% uptime) |
| Top targets (geo) | US (30), Germany (13), UK (6), France (3), Spain (2) |
| Top targets (sector) | Manufacturing (12), Healthcare (3), Construction (3), Agriculture/Food (3), Technology (3) |
| Exfil volume (observed range) | 267 GB (Peugeot Motocycles) to 2.5 TB (Prater Engineering) |
| Infostealer overlap | 5.0% of victims had prior infostealer infections (ransomware.live) |

---

## Activity Standing

Mid-tier operator by volume.
60 victims across ~9 months puts Payouts King well below the Q1 2026 leaders - Qilin (342 victims), Akira (194), NightSpire, LockBit5, SafePay. The group does not appear in any "top 10" ransomware rankings from Halcyon, Sophos, or NordStellar.

Peak activity was July 2025 (21 victims in first month - likely backlog dump from pre-leak-site operations) and November 2025 (14 victims). Activity continues into 2026 with 17 victims through early April. The group posted 3 victims in a single day on March 11, 2026 (Purple Ops), indicating it remains operationally active despite a January lull.

No technical innovation observed. No zero-day exploitation, no BYOVD, no custom C2 frameworks. This is a spray-and-pray operation exploiting common security gaps. The "not RaaS" claim is unverifiable but consistent with the lack of TTP variation across incidents.

---

## Initial Access

**Primary:** Stolen credentials and exposed remote access services (RDP, VPN). BlackFog and WatchGuard both describe initial access as "phishing activity, stolen credentials, or unsecured remote access services." No specific CVE exploitation documented.

**Secondary:** Phishing - likely credential harvesting rather than payload delivery, given the credential-based access pattern.

**No zero-day capability demonstrated.** No vendor has attributed any vulnerability exploitation to this group. Payouts King likely purchases credentials from infostealer marketplaces or IABs, consistent with the 5% infostealer overlap figure and the broader ecosystem trend (Verizon DBIR 2025: 54% of ransomware victims had credentials in stealer logs pre-attack).

---

## Infection Chain

### Step 1 - Initial Access: Credential-Based Entry

T1078 (Valid Accounts) / T1133 (External Remote Services) | Operator

Stolen credentials or brute-forced RDP/VPN. No exploit chain documented. No web shell activity reported.
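Credential-based entry of this kind leaves one reliable trace in gateway logs: a run of failed authentications from one source against an external service, then a success. The script below is an added example (not the page's or any cited vendor's code) that runs that correlation over a constructed VPN/RDP authentication log; the CSV layout `ts,source_ip,user,service,outcome`, the ten-minute window and the five-failure threshold are assumptions.

```python
"""Failed-then-successful authentication correlation for external services.

Added example (not the page's or any vendor's code). The log layout
"ts,source_ip,user,service,outcome" is a constructed stand-in for the
VPN/RDP gateway logs a SIEM would actually ingest.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # failures from one source before a success matters (assumption)
WINDOW = timedelta(minutes=10)  # failures older than this are forgotten (assumption)

# Constructed sample log lines, not real telemetry. Three sources:
#   203.0.113.7  - five failures then a success (should alert)
#   198.51.100.4 - one mistyped password then a success (normal user, no alert)
#   192.0.2.9    - six failures, never succeeds (brute force, but nothing to correlate)
SAMPLE_LOG = """\
2026-03-11T02:10:05Z,203.0.113.7,jsmith,vpn,failure
2026-03-11T02:10:09Z,203.0.113.7,jsmith,vpn,failure
2026-03-11T02:10:14Z,203.0.113.7,jsmith,vpn,failure
2026-03-11T02:10:20Z,203.0.113.7,jsmith,vpn,failure
2026-03-11T02:10:27Z,203.0.113.7,jsmith,vpn,failure
2026-03-11T02:10:33Z,203.0.113.7,jsmith,vpn,success
2026-03-11T02:11:00Z,198.51.100.4,mmueller,rdp,failure
2026-03-11T02:11:40Z,198.51.100.4,mmueller,rdp,success
2026-03-11T03:00:00Z,192.0.2.9,svc_backup,vpn,failure
2026-03-11T03:00:01Z,192.0.2.9,svc_backup,vpn,failure
2026-03-11T03:00:02Z,192.0.2.9,svc_backup,vpn,failure
2026-03-11T03:00:03Z,192.0.2.9,svc_backup,vpn,failure
2026-03-11T03:00:04Z,192.0.2.9,svc_backup,vpn,failure
2026-03-11T03:00:05Z,192.0.2.9,svc_backup,vpn,failure
"""


def parse_line(line):
    """Split one CSV log line into a dict with a parsed UTC timestamp."""
    ts, src, user, service, outcome = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user, "service": service, "outcome": outcome}


def correlate(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per (source, service) whose success follows >= threshold failures in window."""
    recent = defaultdict(deque)  # (src, service) -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        failures = recent[(ev["src"], ev["service"])]
        # Drop failures that have fallen out of the sliding window.
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()
        if ev["outcome"] == "failure":
            failures.append(ev["ts"])
        elif ev["outcome"] == "success":
            if len(failures) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "service": ev["service"],
                               "failures": len(failures), "success_at": ev["ts"].isoformat()})
            failures.clear()  # a success ends the streak either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The 192.0.2.9 source raises nothing here because it never succeeds; a threshold-only rule on failures covers that case separately. Correlating with login geography or timing, which the detection opportunity also calls for, needs an IP-to-location source and is left out of this example.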
> **Detection Opportunity:** Monitor for repeated failed authentication attempts against external-facing services (RDP, VPN gateways) followed by a successful login. Correlate with anomalous login geography or timing. Ensure VPN and RDP authentication logs are ingested into your SIEM.

### Step 2 - Reconnaissance

T1033, T1016, T1018 | Operator

Standard domain enumeration - likely `whoami`, `net group`, `nltest`, network scanning. No specific tooling documented.

> **Detection Opportunity:** Alert on domain trust enumeration commands (`nltest /domain_trusts`), privileged group enumeration (`net group "Domain Admins"`), and rapid sequential execution of discovery commands from a single endpoint.
>
> See rule: [[edr-win-disc-net-priv-group-enum]]

### Step 3 - Credential Access

T1003.001 | Operator

Standard credential harvesting - LSASS dump, registry hive export, possible Mimikatz. No specific tools confirmed.

> **Detection Opportunity:** Monitor for LSASS memory access by non-standard processes, registry hive exports (SAM, SECURITY, SYSTEM), and known credential dumping tool signatures. Watch for `comsvcs.dll` MiniDump abuse and `reg save` targeting sensitive hives.
>
> See rule: [[edr-win-cred-lsass-minidump]]

### Step 4 - Defense Evasion

T1562.001 | Operator

Vendors confirm "interfering with security controls" and "disabling backups." Likely Defender tampering, service disabling, VSS deletion. No BYOVD or kernel-level evasion documented.

> **Detection Opportunity:** Alert on registry modifications disabling Windows Defender (keys: `DisableAntiSpyware`, `DisableRealtimeMonitoring`, `DisableBehaviorMonitoring`). Monitor for `Set-MpPreference` with exclusion additions and security service stoppage via `sc.exe` or `net stop`.
>
> See rule: [[edr-win-def-defender-tampering]]

### Step 5 - Lateral Movement

T1021.001, T1021.002, T1570 | Operator

Standard lateral movement via RDP, SMB, PsExec, or WMI. No specific tooling confirmed.
> **Detection Opportunity:** Watch for remote service creation (PsExec pattern), SMB-based file transfers to `ADMIN$` or `C$` shares, WMI process creation on remote hosts, and RDP connections originating from servers that do not typically initiate them.

### Step 6 - Exfiltration

T1048 | Operator

Double extortion confirmed. Data volumes range from 267 GB to 2.5 TB. Exfil method unknown - no specific tool (rclone, WinSCP, etc.) confirmed.

> **Detection Opportunity:** Monitor for large outbound data transfers to cloud storage services, rclone or similar sync tool execution, staging of large archives (`.7z`, `.zip`, `.rar`) in temporary directories, and anomalous upload volumes from file servers.

### Step 7 - Impact (Encryption + Extortion)

T1486 | Malware

File encryption with unknown algorithm and extension. Ransom note: `readme_locker.txt`. Double extortion via Tor leak site. "Free Data Leaks" section used as intimidation. Countdown timers on victim pages.

> **Detection Opportunity:** Alert on Volume Shadow Copy deletion (`vssadmin delete shadows`, `wmic shadowcopy delete`), `bcdedit /set` boot configuration changes, mass file rename/modification events, and creation of files matching the ransom note pattern `readme_locker.txt` across multiple directories.
>
> See rule: [[edr-win-impact-inhibit-recovery]]

---

## Raw Command Lines

**NONE AVAILABLE**

No public IR report, incident response writeup, or emulation framework has published observed command lines from Payouts King intrusions. All TTPs above are inferred from generic vendor descriptions.

---

## Intelligence Gaps

- **No binary analysis exists** - No vendor has published a sample analysis, encryption algorithm identification, or file extension documentation. This is the single largest gap.
- **No IR report published** - Despite 60+ victims, no incident response vendor (Mandiant, CrowdStrike, Sophos, Trend Micro) has published a detailed Payouts King intrusion analysis.
- **Initial access unconfirmed** - "Phishing, stolen credentials, or exposed remote access" is vendor boilerplate - no specific vector confirmed for any incident.
- **Tooling completely unknown** - No confirmed use of specific tools (Mimikatz, Cobalt Strike, rclone, PsExec, etc.). All detection mappings are speculative.
- **Encryption method unknown** - No file extension, encryption algorithm, or binary characteristics documented.
- **RaaS claim unverifiable** - The "not RaaS, no affiliates" self-description cannot be validated. TTP consistency across victims would help but requires IR data that doesn't exist publicly.
- **Attribution zero** - No threat actor attribution, no country of origin assessment, no links to other groups. The name is the only identifier.
- **Ransom demands unknown** - No ransom amounts, payment methods, or negotiation patterns documented publicly.
- **Dwell time unknown** - Average delay between attack and discovery is 38.9 days (ransomware.live), but actual dwell time within networks is undocumented.

---

## Confidence Assessment

| Claim | Confidence | Evidence | Flips if... |
|---|---|---|---|
| 60+ victims since July 2025 | HIGH | ransomware.live, RansomLook, multiple trackers | Inflated claims (common with new groups) |
| Not RaaS / independent operator | LOW | Self-declaration only | Affiliates surface with different TTPs |
| Initial access via credentials/RDP | LOW | Generic vendor description, no IR data | IR report shows exploit chain or other vector |
| Double extortion model | HIGH | Leak site operational, data samples posted | Encryption-only incidents surface |
| US + Germany primary targets | HIGH | Consistent across all trackers | Targeting shifts |
| Manufacturing + healthcare focus | MEDIUM | Statistical from 60 victims | Small sample, could be opportunistic |
| Still operationally active (Apr 2026) | MEDIUM | Leak site up, Mar 2026 posts | Leak site goes dark, no new victims |

---

## Detections

Sigma rules applicable to this threat:

| Rule ID | Description |
|---|---|
| [[edr-win-disc-net-priv-group-enum]] | Privileged Domain Group Enumeration via Net |
| [[edr-win-cred-lsass-minidump]] | LSASS Memory Dump via Comsvcs.dll |
| [[edr-win-impact-inhibit-recovery]] | System Recovery Inhibition |
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |

---

## Key Publications

1. [Ransomware.live - PayoutsKing Tracker](https://www.ransomware.live/group/payoutsking) (ongoing)
2. [Ransomware.live - PayoutsKing Statistics](https://www.ransomware.live/groupstats/payoutsking) (ongoing)
3. [RansomLook - PayoutsKing Details](https://www.ransomlook.io/group/payoutsking) (ongoing)
4. [BlackFog - Payouts King Overview](https://www.blackfog.com/cybersecurity-101/payouts-king/) (2025)
5. [WatchGuard - Payouts King Ransomware Tracker](https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/payouts-king) (2025, under construction)
6. [FalconFeeds.io - Initial Payouts King Alert](https://x.com/FalconFeedsio/status/1942255648101773504) (Jul 2025)
7. [FalconFeeds.io - Creditinfo Group Attack](https://x.com/FalconFeedsio/status/1948231076507480573) (Jul 2025)
8. [Mjolnir Security - PayoutsKing Profile](https://intel.mjolnirsecurity.com/rw-payoutsking) (2025)
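The Detections section lists Sigma rules by id only. The script below is an added example, not the page's rules or any vendor's code, that turns the Detection Opportunities from Steps 2, 3, 4 and 7 into matching logic and runs it over a constructed batch of endpoint events. The event shape (a dict with host, timestamp, kind, and either a command line or a file path), the three-command discovery burst, the five-directory ransom-note threshold and the `WinDefend`/`Sense` service names in the Defender pattern are assumptions.

```python
"""Command-line and file-event matching for the Detection Opportunities in Steps 2, 3, 4 and 7.

Added example, not the page's Sigma rules or any vendor's code. The event shape
is a constructed, simplified Sysmon-like record; all thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per detection opportunity. WinDefend/Sense are Defender's service
# names; that attackers stop exactly these is an assumption for the example.
PATTERNS = {
    "discovery": re.compile(
        r'nltest\s+/domain_trusts|net\s+group\s+"domain admins"|\bwhoami\b', re.I),
    "lsass_minidump": re.compile(
        r"comsvcs\.dll.*minidump|reg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I),
    "defender_tampering": re.compile(
        r"set-mppreference\s.*-(?:disable\w+|exclusion(?:path|extension|process))"
        r"|reg(?:\.exe)?\s+add\s.*(?:disableantispyware|disablerealtimemonitoring|disablebehaviormonitoring)"
        r"|(?:sc(?:\.exe)?\s+stop|net\s+stop)\s+(?:windefend|sense)\b", re.I),
    "inhibit_recovery": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|bcdedit(?:\.exe)?\s+/set\b", re.I),
}
DISCOVERY_BURST = 3                   # distinct discovery commands from one host ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window raise one alert (assumption)
NOTE_NAME = "readme_locker.txt"
NOTE_DIR_THRESHOLD = 5                # ransom note seen in this many directories (assumption)

# Constructed sample events, not real telemetry. WS-007 is the benign control case.
EVENTS = [
    {"host": "WS-042", "ts": "2026-03-11T02:15:01Z", "kind": "process", "cmdline": "whoami /all"},
    {"host": "WS-042", "ts": "2026-03-11T02:15:04Z", "kind": "process", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS-042", "ts": "2026-03-11T02:15:09Z", "kind": "process", "cmdline": "nltest /domain_trusts"},
    {"host": "WS-042", "ts": "2026-03-11T02:20:30Z", "kind": "process",
     "cmdline": "rundll32.exe comsvcs.dll, MiniDump 652 C:\\Windows\\Temp\\d.dmp full"},
    {"host": "WS-042", "ts": "2026-03-11T02:22:00Z", "kind": "process",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-007", "ts": "2026-03-11T03:05:00Z", "kind": "process", "cmdline": "whoami /priv"},
    {"host": "FS-01", "ts": "2026-03-11T04:01:00Z", "kind": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"host": "FS-01", "ts": f"2026-03-11T04:02:{i:02d}Z", "kind": "file",
     "path": f"D:\\Shares\\Dept{i}\\{NOTE_NAME}"} for i in range(5)
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, burst=DISCOVERY_BURST, window=BURST_WINDOW, note_dirs=NOTE_DIR_THRESHOLD):
    """Return (host, rule, detail) tuples for every event or sequence that matches."""
    alerts = []
    discovery = defaultdict(list)  # host -> [(ts, cmdline)] still inside the burst window
    note_seen = defaultdict(set)   # host -> directories where the ransom note appeared
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = _ts(ev["ts"])
        if ev["kind"] == "process":
            for rule, rx in PATTERNS.items():
                if not rx.search(ev["cmdline"]):
                    continue
                if rule != "discovery":
                    alerts.append((ev["host"], rule, ev["cmdline"]))
                    continue
                # Single discovery commands are noisy; alert only on a burst of distinct ones.
                hits = [(t, c) for t, c in discovery[ev["host"]] if ts - t <= window]
                hits.append((ts, ev["cmdline"]))
                if len({c for _, c in hits}) >= burst:
                    alerts.append((ev["host"], "discovery_burst", "; ".join(c for _, c in hits)))
                    hits = []
                discovery[ev["host"]] = hits
        elif ev["kind"] == "file" and ev["path"].lower().endswith("\\" + NOTE_NAME):
            dirs = note_seen[ev["host"]]
            dirs.add(ev["path"].rsplit("\\", 1)[0].lower())
            if len(dirs) == note_dirs:  # fire once, when the threshold is crossed
                alerts.append((ev["host"], "ransom_note_spread", f"{note_dirs} directories"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host:8} {rule:20} {detail}")
```

The per-event rules correspond to Sigma `process_creation` logic; the discovery burst and the ransom-note spread are the stateful correlations a single Sigma rule cannot express and would live in the SIEM's correlation layer. Running the sample produces one alert per Detection Opportunity and nothing for WS-007's lone `whoami`.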