On May 11, 2026, the ThreatDown research team analyzed an unknown encryptor recovered during a breach at one of its clients’ sites. The ransomware, named Prinz Eugen after the German heavy cruiser from World War II, is written in Go and has technical characteristics that set it apart from typical ransomware. Its most notable feature: it sorts files by modification date and encrypts the most recent ones first, deliberately targeting the data most likely to be in active use. It leaves no ransom note on the disk, verifies that each file can be decrypted before deleting the original, and then self-destructs by erasing its own encryption key from memory. Very few victims are known to date; while the group remains small in size, the encryptor is worth examining for what it reveals about emerging ransomware techniques.
An Encryptor That Targets the Most Recent Files First
The encryptor is written in Go. Its encryption functions are grouped into a package named scorched-earth-ausfc. For each directory passed as a parameter, the binary performs a recursive scan with no depth limit. The analyzed sample does not define any exclusions: any file that does not already have the .prinzeugen extension or the temporary .tmp suffix is encrypted.
The key feature of the encryptor is its processing order: it sorts files by last modification date, with the most recent ones first, and only resorts to alphabetical order in the event of identical timestamps. This strategy is deliberate. Recently modified files are the ones most likely to be in active use—such as open documents, active databases, recent email archives, and files for ongoing projects—and the least likely to have a recent backup. Attacking them first increases the pressure on the victim and narrows the window of opportunity in which intervention could save the most critical data. If the encryption is interrupted by a security solution or an analyst, the files that would be most painful to lose are already compromised.

Encryption is parallelized at a rate of one worker goroutine per CPU. For each file, the process unfolds in three steps: creation of a temporary encrypted copy (e.g. .document.docx.prinzeugen.tmp), renaming to the final form (document.docx.prinzeugen), then, if the --delete flag is enabled, verifying that the encrypted file is decryptable before deleting the original. This verification is noteworthy: the encryptor does not destroy anything it cannot theoretically restore, which reinforces its credibility with the victim.

The cryptography used is robust: ChaCha20-Poly1305 (AEAD) with a 32-byte master key, a random IV per file, and a three-pass key derivation function (KDF): Argon2id, followed by SHA-256, followed by HKDF-SHA256. Encryption operates in 1 MB blocks with SHA-256 integrity checking. Each encrypted file carries a custom header identifiable by the magic bytes CHV1.
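As an added illustration (not code from ThreatDown or from this article), the following Python triage script applies the traits described above to a directory: it identifies encrypted files by the .prinzeugen extension and the CHV1 magic bytes, treats a leftover .prinzeugen.tmp as the file being written when the run was interrupted, and replays the encryptor's newest-first ordering over the surviving originals to show where the run stopped and which files were next in its queue. It assumes only the extension and magic conventions stated above; the sample tree it builds is constructed, not victim data.

```python
import os
import tempfile
import time
from pathlib import Path

MAGIC = b"CHV1"               # magic bytes at the start of every encrypted file
EXT = ".prinzeugen"           # final extension of an encrypted file
TMP_EXT = ".prinzeugen.tmp"   # temporary copy written before the rename to EXT

def has_magic(path):
    """True if the file starts with the CHV1 header."""
    with path.open("rb") as fh:
        return fh.read(len(MAGIC)) == MAGIC

def encryptor_order(paths):
    """Replay the encryptor's queue: newest mtime first, path as tiebreak."""
    return sorted(paths, key=lambda p: (-p.stat().st_mtime, str(p)))

def triage(root):
    """Classify files under root and work out how far an interrupted run got."""
    encrypted, partial, untouched = [], [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.endswith(TMP_EXT):
            partial.append(p)            # the file being written when the run stopped
        elif p.name.endswith(EXT) and has_magic(p):
            encrypted.append(p)
        else:
            untouched.append(p)          # originals the run never reached
    # Newest files go first, so the newest untouched original is where the run
    # stopped, and the same ordering gives the files it would have taken next.
    queue = encryptor_order(untouched)
    return {"encrypted": len(encrypted), "partial": [p.name for p in partial],
            "untouched": len(untouched), "next_in_queue": [p.name for p in queue[:3]]}

def demo():
    """Build a constructed sample tree (not victim data) and triage it."""
    root = Path(tempfile.mkdtemp())
    for name, data, age_days in [
        ("report.docx.prinzeugen", MAGIC + b"\0" * 32, 0),     # finished
        ("ledger.db.prinzeugen", MAGIC + b"\0" * 32, 1),       # finished
        ("notes.txt.prinzeugen.tmp", MAGIC + b"\0" * 8, 2),    # interrupted mid-file
        ("notes.txt", b"original", 2),                          # original still present
        ("archive.zip", b"original", 30),                       # older, never reached
    ]:
        f = root / name
        f.write_bytes(data)
        os.utime(f, (time.time() - age_days * 86400,) * 2)    # back-date the mtime
    return triage(root)
```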
No ransom note; extortion is entirely out-of-band
The analyzed sample contains no ransom note delivery functionality. No text file, no HTML page, no wallpaper modification. The victim receives no instructions on the encrypted system. The extortion takes place exclusively through out-of-band channels: the email addresses prinzeugen@mail2tor[.]co and standardbankcc@cock[.]li, and a dedicated Tor portal.
ThreatDown notes that this absence of a ransom note is “a tactic we’re seeing more and more among organized ransomware groups.” The goal is twofold: to reduce the forensic footprint left on the compromised system and to complicate automated detection of the extortion phase. This trend toward shifting extortion to out-of-band channels is documented more extensively by Europol in its IOCTA 2026 report.
Prinz Eugen employs double extortion: encrypting systems and exfiltrating data. The cyberattack on Standard Bank (South Africa’s leading banking group), which received extensive coverage in several South African media outlets, is the most detailed example of this. Approximately 1.2 TB of data was exfiltrated, representing some 154 million lines of data. The ransom demand, set at 1 BTC, was rejected by the bank. The attacker then launched a campaign of gradual data leaks on the bank’s portal, increasing the number of rows published daily from 5,000 to 25,000, then to 50,000, and finally to 100,000, out of a claimed total of 154 million rows. This refusal to pay is also consistent with a documented global trend: in 2025, only 28% of ransomware victims paid the ransom.

Anti-forensics and self-destruction
Before terminating, the binary takes deliberate steps to minimize its forensic footprint. It resets the hard-coded encryption key to zero, then triggers Go’s garbage collector to ensure the key does not persist in memory. Finally, it deletes itself from the disk using a cmd.exe command with a ping delay: `cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q …Musicservertool.exe`
The ping delay gives the parent process time to terminate before the deletion is executed. Together, these three measures mean that, after execution, the encryption key cannot be recovered from memory and the binary no longer remains on the disk. This significantly complicates post-incident forensic analysis.

ROOTBOY, a lone operator with a traceable history
ThreatDown attributes the Prinz Eugen ransomware to an actor operating under the pseudonym ROOTBOY, who is active on the Exploit and DarkForums forums and was previously active under the alias avtokz on XSS. This operator’s history has been documented on several underground forums since July 2025: the sale of a Vantage Finance database under the name avtokz, followed by the sale in November 2025 of the 700Credit breach (~8.4 million U.S. records, including Social Security numbers) under the name ROOTBOY, after a failed extortion attempt carried out under the identity GERMANIA.
The link between this history and the “Prinz Eugen” encryptor is based on concrete evidence: in the intrusion analyzed by the researchers, the attacker created a local administrator account with the password “germania,” the same alias used during the 700Credit extortion attempt. According to the researchers, this is one of the strongest links between the binary and the actor.
According to the study, this is likely a single individual, reusing the same pseudonyms, the same TOX ID, and the same German-themed motifs from one operation to the next.

Initial Access and Persistence via Legitimate Tools
The intrusion analyzed by ThreatDown likely began with compromised RDP credentials. Once inside the network, the attacker downloaded the encryptor (servertool.exe) via the Chrome browser and placed it in the Music folder of the user profile. Persistence was ensured by two complementary mechanisms: the RemotePC remote monitoring tool (legitimate RMM software from IDrive), used to launch PowerShell stagers and deploy additional payloads from the address 212.80.7.74, and the manual creation of a local administrator account using the command `net user admin germania /add`.
This approach is characteristic of “Living off the Land” (LOTL): legitimate tools are hijacked to blend in with normal corporate traffic. In the Standard Bank case—the most extensively documented victim—ThreatDown reports lateral movement across enterprise applications including SharePoint, OneDrive, Power Apps, AppDynamics, Jira, Confluence, Citrix and Remedy, as well as Microsoft SQL and Oracle databases, with a dwell time of approximately three weeks before exfiltration.
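As an added example (not code from ThreatDown or from this article), the Python detection logic below turns the behaviours described in this section and in the anti-forensics section into checks over process-creation events: an executable launched from a user's Music folder, `net user <name> [<password>] /add`, the ping-delay-then-`del /F /Q` self-removal (flagged as a self-delete only when the process deletes its own image), and PowerShell spawned by an RMM parent. The sample events are constructed; the RemotePC process name and the event layout (parent image, command line) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (parent image, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Users\alice\Music\servertool.exe C:\Users\alice\Documents --delete"),
    (r"C:\Windows\System32\cmd.exe", "net user admin germania /add"),
    (r"C:\Users\alice\Music\servertool.exe",
     r'cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q "C:\Users\alice\Music\servertool.exe"'),
    # The RemotePC process name below is an assumption used only to exercise the RMM rule.
    (r"C:\Program Files\RemotePC\RemotePCService.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    (r"C:\Windows\System32\cmd.exe", "ping 127.0.0.1 -n 2"),   # benign: plain ping
    (r"C:\Windows\System32\cmd.exe", "net user"),              # benign: listing accounts
]

# Executable launched from a user's Music folder, where the encryptor was staged.
MUSIC_EXE = re.compile(r'^"?[A-Z]:\\Users\\[^\\]+\\Music\\[^\\"\s]+\.exe', re.I)
# net user <name> [<password>] /add
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
# ping delay followed by a forced delete: the self-removal pattern from the analysis
PING_DELETE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s+/F\s+/Q\s+\"?([^\"]+?)\"?\s*$", re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
RMM_PARENT = re.compile(r"remotepc", re.I)   # assumption: RemotePC binaries carry this name


def detect(events):
    """Return (rule, detail) pairs for events that match the intrusion's observed patterns."""
    hits = []
    for parent, cmd in events:
        m = MUSIC_EXE.search(cmd)
        if m:
            hits.append(("exe_from_music_folder", m.group(0).strip('"')))
        m = NET_USER_ADD.search(cmd)
        if m:
            hits.append(("local_account_created", m.group(1)))
        m = PING_DELETE.search(cmd)
        if m:
            # A process deleting its own image is the self-destruct; anything else is a delayed delete.
            same = PureWindowsPath(m.group(1)).name.lower() == PureWindowsPath(parent).name.lower()
            hits.append(("self_delete" if same else "delayed_delete", m.group(1)))
        if POWERSHELL.search(cmd) and RMM_PARENT.search(parent):
            hits.append(("rmm_spawned_powershell", parent))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```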
An ephemeral, Germany-themed infrastructure
The IP address 212.80.7.74 (AS215439, Play2go International, Frankfurt) served as a C2 server, an administration panel, and a host for downloading payloads. DNS history and URL-scan captures reveal three domains associated with this address.
The first, stndrdbnk.cc, targets Standard Bank. It is a typosquat—that is, a fraudulent domain that mimics the name of a legitimate organization by deleting, adding, or substituting characters so that the address remains visually credible. Here, the vowels in “standardbank” have been removed. This domain was captured on March 29 serving a /unlocked page consistent with a trading or payment portal. Registered on March 14, 2026, via Porkbun, it has since been reported as malicious and its DNS record has been removed. The second, g-captchafestung.sbs, registered on May 27 via NiceNIC, suggests by its name a possible ClickFix-style decoy, although the page returned only a {"ok":true} at the time of analysis. The use of ClickFix remains unconfirmed. The third, festung-e.duckdns.org, is a dynamic DNS host observed between May 23 and 30.
Two of these three domains contain the word Festung (“fortress” in German), a choice consistent with the German-language theme that runs throughout the entire operation: the name of the ransomware itself, the Go package scorched-earth-ausfc, the password “germania,” and the two domains ending in “Festung” form a deliberate common thread.
By late May, the infrastructure had been cleaned up: the administration panel had disappeared, the typosquat domain was deactivated, and the operator’s forum profile had been deleted. The operator systematically dismantles its infrastructure after each operation—a behavior that complicates tracking but leaves a narrow window of exposure.
Indicators of Compromise
The main indicators of compromise associated with Prinz Eugen are listed below.
| Indicator | Type | Details |
|---|---|---|
| 212.80.7.74 | C2 / panel / payload | AS215439, Play2go International, Frankfurt |
| stndrdbnk.cc | Domain | Standard Bank typosquat, DNS removed |
| g-captchafestung.sbs | Domain | Possible ClickFix phishing site |
| festung-e.duckdns.org | Domain | Dynamic DNS, observed from May 23 to 30 |
| servertool.exe | Payload | Go encryptor |
| .prinzeugen | Extension | Encrypted files |
| CHV1 | Magic header | Encrypted file identifier |
| 686213cc…bcf1f4 | SHA-256 | Hash of the analyzed sample |
| net user admin germania /add | Persistence | Local administrator account |
| RemotePC (IDrive) | RMM abuse | PowerShell stagers |
The actor can be identified by the aliases ROOTBOY, avtokz, and GERMANIA, a shared TOX ID (496187…22F21), the email addresses prinzeugen@mail2tor[.]co and standardbankcc@cock[.]li, and the Bitcoin wallet bc1q2ztpcvqdaptej6uu2ywt9mrlatx6envu34rf0v. The active leak portal is accessible at the address prinzfkbjiazbrur4mjje6mntjc4vydx3iatkkzycufoylqcoo4y7pqd[.]onion; the original address 6cudc5cqa2bjpwdhcwm2lj6dbqejjjqzeo6ipwvmbazr6cgu7vfk3dad[.]onion is currently offline.
Prinz Eugen: A Ransomware Strain Modest in Scope but Revealing in Its Technical Choices
With five known victims at the time of the ThreatDown study, the Prinz Eugen ransomware certainly does not have the scale of major ransomware franchises. However, the encryptor stands out for the consistency of its design choices: prioritizing recent files, the absence of a ransom note, verifying decryptability before deleting the original, and self-destruction of the binary. Each technical decision serves the same dual purpose: to increase pressure on the victim and to minimize the forensic footprint left for analysts.
What Prinz Eugen reveals above all is the trajectory of an apparently isolated actor, ROOTBOY, capable of combining robust cryptographic tools, genuine operational discipline, and an out-of-band extortion strategy previously associated with far more structured operations. For an actor who is likely operating alone, it is precisely this discrepancy between the sophistication of the methods and the scale of the operation that warrants attention.
Sources:
- ThreatDown: Prinz Eugen ransomware: a deep dive into a new Go-based encryptor
- BleepingComputer: New Prinz Eugen ransomware prioritizes recent files for encryption
- Daily Maverick: Standard Bank is discovering the extent of the cyberattack in the daily data dumps
- Ransomware.live: PrinzEugen