Skip to content
Ransomware group

PrinzEugen

Prinz Eugen is an emerging ransomware and extortion threat actor first observed in 2026.

Profile source: Mallory opens in a new tab

PrinzEugen

Family profile

Prinz Eugen is an emerging ransomware and extortion threat actor first observed in 2026. The group operates as a targeted, hands-on-keyboard criminal operation rather than a mature ransomware-as-a-service ecosystem, and there is no reliable indication that it recruits affiliates. Its activity is consistent with double extortion: theft of sensitive data is used as primary leverage, while selective or broad encryption is applied as an additional pressure mechanism. Known aliases include prinzeugen, prinz_eugen, and prinz_eugen_group.

Prinz Eugen has been associated with intrusions against organizations in multiple countries and sectors, including financial institutions, public-facing service organizations, and consumer services. Reported victimology indicates a preference for organizations where reputational damage, operational disruption, or exposure of sensitive business data can materially increase coercive pressure.

Operational reporting indicates that initial access commonly relies on credential abuse, especially compromised or stolen remote access credentials. Observed and assessed access pathways include exposed remote desktop services, valid-account abuse, brute-force activity against remote access, reuse of credentials harvested by infostealers, and exploitation of exposed internet-facing systems. After access, the actor appears to conduct manual internal reconnaissance, identify privileged accounts, enumerate Active Directory and network resources, locate sensitive repositories and backup infrastructure, and use legitimate remote monitoring and management software together with living-off-the-land tooling.

The ransomware associated with Prinz Eugen is written in Go and has several distinctive traits. It prioritizes encryption of the most recently modified files first, likely to maximize immediate business impact. It recursively traverses directories, has been observed attempting to encrypt nearly all eligible files, and appends a dedicated extension to encrypted data. Public technical analysis has described its use of ChaCha20-Poly1305 for file encryption, with supporting key-derivation and integrity-checking components including Argon2id, SHA-256, and HKDF-SHA256. Anti-recovery and anti-forensic behavior includes overwriting key material in memory, forcing garbage collection, and self-deleting after execution. Some samples also support deletion of original files after successful encryption verification.

A notable tradecraft characteristic is the absence of a traditional on-disk ransom note or wallpaper change. Extortion appears to be handled out of band through direct victim communication and leak-site pressure, reducing obvious forensic artifacts and potentially complicating automated detection of the extortion phase. Reporting also indicates use of dedicated leak infrastructure, staged exfiltration of compressed archives over encrypted channels, time-bound payment demands, and public shaming or publication threats.

Prinz Eugen has also been publicly linked by some researchers to the actor known as ROOTBOY, also associated with the alias avtokz and the extortion persona GERMANIA. That attribution is based on behavioral and infrastructure correlations and should be treated as reported researcher attribution rather than universally established consensus.

Observed behavior maps closely to ATT&CK techniques associated with valid accounts, external remote services, brute force, account discovery, network and domain enumeration, credential access, data collection, exfiltration over command-and-control or web channels, and data encrypted for impact. Overall, Prinz Eugen represents a smaller but disciplined ransomware actor focused on rapid, manual intrusions, data-first extortion, and technically competent anti-recovery measures.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.