EXECUTIVE SUMMARY
The campaign is attributed to an actor known as ROOTBOY, who operates a ransomware group that blends encryption with data exfiltration. The threat is a Go‐based ransomware family that targets enterprises across finance, education and technology sectors, with incidents reported in South Africa, France, the United States and Canada.
The attacker's primary objective is to steal sensitive records, encrypt critical files, and pressure victims into paying through out‐of‐band negotiations. By focusing on recently modified data, the group maximizes operational disruption and ransom leverage.
The infection chain begins with compromised Remote Desktop Protocol credentials, allowing the actor to log in and deploy a legitimate remote administration utility. Through this trusted channel, a script runner retrieves a Go‐compiled encryptor and places it in a user's music directory. The binary accepts target directories, walks them recursively, and encrypts files using ChaCha20‐Poly1305 with per‐file random IVs, prioritizing the most recently modified items. An optional delete flag removes the original after verification, and the program erases its own binary and encryption key before exiting, leaving no ransom note on disk.
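Because the encryptor leaves no ransom note and deletes itself, responders often first see the damage as a set of recently modified, high-entropy files. The following triage script is an added example written for this summary, not code from the report or from the malware: it walks a directory tree, keeps files modified inside a time window, measures byte entropy (ChaCha20-Poly1305 output is close to 8 bits per byte), and lists hits newest first, matching the encryptor's recent-files-first ordering. The thresholds and the sample tree built by demo() are constructed assumptions.

```python
import math
import os
import tempfile
import time
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold, AEAD ciphertext sits near 8.0
MIN_SIZE = 1024     # entropy of tiny files is unreliable, so they are skipped


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(root, window_seconds=3600, now=None):
    """Return (path, mtime, entropy) for recently modified high-entropy files
    under root, newest first (the same ordering the encryptor prioritises)."""
    now = time.time() if now is None else now
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_size < MIN_SIZE or now - st.st_mtime > window_seconds:
            continue
        ent = shannon_entropy(path.read_bytes()[:65536])  # sample first 64 KiB
        if ent >= HIGH_ENTROPY:
            hits.append((str(path), st.st_mtime, round(ent, 3)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def demo():
    """Constructed sample tree: one plaintext note and one file of random bytes
    standing in for ciphertext (not real malware output). Returns hit names."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_bytes(b"quarterly figures, draft 3\n" * 200)
    (docs / "ledger.xlsx").write_bytes(os.urandom(8192))  # looks encrypted
    return [Path(p).name for p, _, _ in triage(root)]


if __name__ == "__main__":
    print(demo())
```

Running it on a real share after an incident gives a time-ordered list of candidate encrypted files to prioritise for recovery and to correlate with the RDP login and remote-tool deployment timestamps.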
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Persistence | T1136.001 | Create Account | Local Account |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Lateral Movement | T1021 | Remote Services | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://www.threatdown.com/blog/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor/