Full Report
On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen. The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples. It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk. The first public report related to this family is dated April 16, when a public social media post noted that a new ransomware leak portal had appeared to extort Standard Bank Group, a leading financial institution in South Africa. We attributed the activity to the Prinz Eugen group because the encryptor appends the .prinzeugen extension to encrypted files. The term “Prinz Eugen” could refer to a German heavy cruiser that served during World War II. It is the first of several German references woven through this campaign.
Analysis Summary
# Tool/Technique: Prinz Eugen Ransomware
## Overview
Prinz Eugen is a sophisticated ransomware family written in Go, first identified in early 2026. It is characterized by its technical deliberation, utilizing a "priority encryption" strategy and a heavy anti-forensic footprint. Unlike common ransomware, it does not drop a ransom note on the infected host, relying instead on out-of-band extortion via a public leak portal. The name follows a theme of German naval references.
## Technical Details
- **Type:** Malware family (Ransomware)
- **Platform:** Windows (Go-based)
- **Capabilities:** Recursive encryption, priority-based file targeting, integrity checking, self-deletion, anti-forensics.
- **First Seen:** April 16, 2026 (Leak portal sighting); May 11, 2026 (Infection investigation).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1133 - External Remote Services] (Suspected RDP compromise)
- **[TA0002 - Execution]**
  - [T1059.001 - PowerShell] (Used for staging via RMM)
- **[TA0005 - Defense Evasion]**
  - [T1070.004 - File Deletion] (Self-deletion and original file removal)
  - [T1134 - Access Token Manipulation] (Potential use of 'net user' for persistence/elevation)
- **[TA0040 - Impact]**
  - [T1486 - Data Encrypted for Impact]
  - [T1490 - Inhibit System Recovery]
## Functionality
### Core Capabilities
- **Priority Encryption:** Targets files based on the most recent modified timestamp first, increasing pressure by encrypting active/fresh data before backups can be secured.
- **Recursive File Walking:** Performs a full recursive walk of the directory tree with no depth limit.
- **Concurrent Processing:** Utilizes Go goroutines to perform encryption, spawning one worker per CPU core for maximum speed.
- **Secure Deletion:** When the `--delete` flag is used, the tool verifies the integrity of the encrypted file before deleting the original source file.
### Advanced Features
- **Sophisticated Cryptography:** Employs ChaCha20-Poly1305 (AEAD) for encryption and integrity checks. Key derivation involves Argon2id, SHA256, and HKDF-SHA256.
- **Anti-Forensics:** Does not leave a ransom note on the disk. Appends a specific 8-byte file-header magic (`CHV1`) to encrypted files.
- **Self-Destruction:** Executes a ping-loop command to delay and then delete its own binary from the system after execution.
## Indicators of Compromise
- **File Hashes (SHA-256):**
  - `686213cc11d36af764de824801bced9366dfca3823fe0d51b752f74149bcf1f4` (servertool.exe)
  - `187425b2944d73fbb17caf3f9fd569b9ed3a08a497a8314cb4f27a51e65081ac`
- **File Names:** `servertool.exe`, `.prinzeugen` (extension), `..tmp` (working files).
- **Network Indicators:**
  - `212[.]80[.]7[.]74` (PowerShell staging)
  - `standardbankcc@cock[.]li` (Contact email)
  - `prinzeugen@mail2tor[.]co` (Contact email)
- **Behavioral Indicators:**
  - Rapid file renaming to `.prinzeugen`.
  - Process execution: `cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q ...`
  - High CPU usage by a Go-compiled binary named `servertool.exe`.
## Associated Threat Actors
- **Prinz Eugen Group:** A newer threat group focused on high-value targets (e.g., Standard Bank Group).
## Detection Methods
- **Signature-based:** Detect the Go package name `scorched-earth-ausfc` within binaries.
- **Behavioral:** Monitor for rapid recursive file modifications and the creation of files with the `.prinzeugen` extension.
- **Artifact-based:** Search for the `CHV1` file header in non-standard file types.
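The artifact- and behaviour-based checks above, as an added example (not code from the report or from any vendor tool): it walks a directory for files carrying the `.prinzeugen` extension or the `CHV1` header magic, and classifies process command lines against the self-deletion ping loop and the `net user ... /add` pattern. It assumes the `CHV1` magic sits at the very start of the encrypted file; the sample files and command lines are constructed.

```python
"""Hunt for Prinz Eugen file artifacts and command-line indicators (added example)."""
import re
import tempfile
from pathlib import Path

MAGIC = b"CHV1"      # header magic reported for encrypted files; assumed to be at file offset 0
EXT = ".prinzeugen"  # extension appended to encrypted files

# Self-deletion loop reported in the IoCs: cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q ...
SELF_DELETE_RE = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s+/F\s+/Q", re.I)
# Local account creation pattern from the mitigation section (net user <name> <pass> /add)
NET_USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)


def scan_tree(root):
    """Return (path, reason) pairs for files whose extension or header matches the IoCs."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() == EXT:
            reasons.append("extension")
        try:
            with path.open("rb") as fh:
                if fh.read(len(MAGIC)) == MAGIC:   # header check also catches not-yet-renamed files
                    reasons.append("CHV1 header")
        except OSError:
            continue
        if reasons:
            hits.append((str(path), ", ".join(reasons)))
    return hits


def classify_cmdline(cmdline):
    """Label a process command line, or return None when no indicator matches."""
    if SELF_DELETE_RE.search(cmdline):
        return "self-delete ping loop"
    if NET_USER_ADD_RE.search(cmdline):
        return "local account creation"
    return None


def demo():
    """Build constructed sample files in a temp dir, scan them, and return {name: reason}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "report.docx.prinzeugen").write_bytes(MAGIC + b"\x00\x00\x00\x01" + b"ct")
        (root / "notes.txt").write_bytes(MAGIC + b"\x00\x00\x00\x01" + b"ct")  # header, not renamed yet
        (root / "clean.txt").write_bytes(b"hello")
        return {Path(p).name: r for p, r in scan_tree(root)}
```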
## Mitigation Strategies
- **RDP Hardening:** Implement MFA and restrict RDP access to known IP ranges or via VPN.
- **Backup Strategy:** Maintain offline, immutable backups to counter the "recent file" prioritization technique.
- **Endpoint Protection:** Utilize EDR solutions to monitor for suspicious Go-based binaries and unauthorized PowerShell execution.
- **Account Security:** Monitor for unauthorized account creation (e.g., `net user admin germania /add`).
## Related Tools/Techniques
- **RemotePC (IDrive):** Historically abused for PowerShell staging in this campaign.
- **ChaCha20-Poly1305 Encryption:** A modern cryptographic standard increasingly favored by sophisticated Go-based ransomware actors.