Prinz Eugen Go-Based Ransomware Linked to ROOTBOY Extortion Campaign
Researchers detailed a newly identified ransomware family called Prinz Eugen, a Go-based encryptor observed in a customer intrusion likely initiated through compromised RDP credentials. The attackers reportedly used RemotePC to deliver PowerShell-based payloads and created a persistence account named admin with the password germania. Once deployed, the malware recursively encrypts files while prioritizing recently modified data, uses ChaCha20-Poly1305 with integrity verification, and can delete original files after successful encryption.
The operation stood out for its anti-forensic behavior and extortion model. Prinz Eugen reportedly zeroes key material in memory, self-deletes, and avoids relying on a traditional on-disk ransom note, instead combining data theft, encryption, leak-site pressure, and out-of-band extortion. Researchers linked the activity to ROOTBOY, also known as avtokz, citing leak-site reporting, historical forum activity, reuse of the extortion alias GERMANIA, and German-themed naming patterns. Infrastructure tied to the campaign included 212.80.7.74 and related domains, including a Standard Bank typosquat, while observed victims included Standard Bank Group in South Africa and Transitions Pro Centre Val de Loire in France.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ThreatDown publishes analysis of Prinz Eugen ransomware
ThreatDown by Malwarebytes published its analysis of the Go-based Prinz Eugen encryptor, detailing its file-encryption logic, anti-forensic behavior, and use of out-of-band extortion instead of an on-disk ransom note. The report also linked the activity to the actor ROOTBOY/avtokz and identified infrastructure and observed victims including Standard Bank Group and Transitions Pro Centre Val de Loire.
Malwarebytes investigates Prinz Eugen customer infection
Malwarebytes researchers investigated a customer infection involving the newly identified Prinz Eugen ransomware family. The intrusion was likely initiated through compromised RDP credentials, followed by RemotePC-based PowerShell payload delivery and creation of a persistence account named "admin."
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New Prinz Eugen ransomware prioritizes recent files for encryption
bleepingcomputer.com
Open sourcePrinz Eugen ransomware: a deep dive into a new Go-based encryptor - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourcePrinz Eugen ransomware: a deep dive into a new Go-based encryptor - ThreatDown by Malwarebytes
threatdown.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Egregor Ransomware Used Cobalt Strike and Rclone in Double-Extortion Attacks
The **Egregor** ransomware operation carried out double-extortion attacks by stealing sensitive data, encrypting victim systems, and threatening to publish stolen information on a leak site if victims refused to pay. Researchers linked Egregor to an ecosystem associated with **Sekhmet** and possible former **Maze** affiliates, with additional reported ties to **ProLock** and **LockBit**. Victims cited in reporting included **GEFCO**, **Barnes & Noble**, and **Ubisoft**, while the group’s leak site reportedly listed **152 victim companies** across industries including information technology, construction, retail, consumer goods, and automotive. Intrusions commonly began with **phishing** or **RDP exploitation**, after which attackers used **Cobalt Strike** for payload delivery and in some cases leveraged **QBot** and living-off-the-land tools such as `bitsadmin`. The malware used heavily obfuscated DLL payloads with **Salsa20**-encrypted configuration data, required a sample-specific launch key passed with the `-p` parameter, and encrypted files with **ChaCha** and **RSA-2048**. Researchers also observed the group using **Rclone** with attacker-supplied configuration data to exfiltrate stolen files, while the ransomware appeared to avoid encrypting systems configured with several CIS-region languages.
Mar 29, 2024
Payouts King ransomware linked to former Black Basta affiliates
Security researchers say the **Payouts King** ransomware operation has emerged as a likely successor tied to former **Black Basta** affiliates, with intrusions showing the same social-engineering playbook: spam bombing, phishing or vishing, abuse of **Microsoft Teams**, and use of **Quick Assist** to gain remote access. After entry, the group steals sensitive data and pressures victims through a **Tor**-hosted leak site and ransom communications over **TOX**, with ransom notes such as `readme_locker.txt` used to direct negotiations. The malware uses layered obfuscation and anti-analysis techniques, including encrypted stack-built strings, hashed API resolution, and direct system calls to disable or evade security tools. Researchers said it establishes persistence with scheduled tasks disguised as Mozilla-related jobs, encrypts files with per-file **AES-256-CTR** keys protected by **RSA-4096**, supports partial encryption of large files, and can create backup copies to recover interrupted encryption. It also excludes selected files and directories, renames encrypted files with a hardcoded extension, and performs post-encryption cleanup by deleting shadow copies, emptying the recycle bin, and clearing Windows event logs.
Apr 18, 2026
Crypt Ghouls Used Shared Ransomware Tooling Against Russian Organizations
Researchers reported that a ransomware group tracked as **Crypt Ghouls** targeted Russian businesses and government agencies across mining, energy, finance, retail, and public-sector organizations. The group reportedly gained initial access through compromised contractor VPN credentials, then established persistence with **NSSM** and **Localtonet**, harvested credentials using **XenAllPasswordPro** and **Mimikatz**, and expanded access with reconnaissance and lateral-movement tools including **PingCastle**, **SoftPerfect Network Scanner**, **WMI**, **Impacket** `WmiExec.py`, and **PAExec`. The attackers deployed **LockBit 3.0** on Windows systems and **Babuk** on Linux and **ESXi** environments, indicating a multi-platform ransomware capability. Researchers also found overlaps in tooling, infrastructure, and tactics with activity linked to **MorLock**, **BlackJack**, **Twelve**, and **Shedding Zmiy/(Ex)Cobalt**, suggesting collaboration, shared tooling, or intelligence exchange among multiple groups focused on Russian targets.
May 21, 2026