New Prinz Eugen Ransomware Prioritizes Recent Files for Encryption
A new ransomware operation named Prinz Eugen targets recently modified files and leaves no ransom note, complicating recovery and ransom communications.

A new ransomware operation named Prinz Eugen has been discovered that prioritizes recently modified files for encryption and leaves no ransom note on the system, making recovery and communication with victims more difficult. The threat actor behind this operation, which appears to be a hands-on-keyboard group, leverages legitimate remote monitoring and management software and living-off-the-land tools to gain access and execute their payload.
According to researchers from ThreatDown, Malwarebytes' enterprise cybersecurity arm, initial access is likely achieved through stolen RDP credentials. Once inside, the attacker manually downloads and runs the main payload, 'servertool.exe'. In one investigated incident, the threat actor used the RemotePC RMM tool and created a backdoor administrator account to maintain persistence. Unlike many modern extortion operations, Prinz Eugen does not operate under a ransomware-as-a-service model, and its developers are not currently recruiting affiliates.
The Go-based malware employs an encryption strategy designed to maximize disruption. It prioritizes encrypting files with the most recent modification timestamps, targeting files that are likely to be business-critical and in active use. When multiple files share the same timestamp, they are processed in alphabetical order. The ransomware recursively scans directories with no depth limit and no exclusions, encrypting nearly every file except those with the .prinzeugen extension, which is used for the encrypted files themselves.
Prinz Eugen uses ChaCha20-Poly1305 encryption with a 32-byte master key, a random initialization vector for each file, and a key derivation function based on Argon2id, SHA-256, and HKDF-SHA256. The encryption process operates in 1 MB chunks, and file integrity is verified using SHA-256. When run with the --delete flag, which removes the original file after encryption, the malware first verifies that the encrypted copy can be decrypted before deleting the original. To prevent key recovery, the ransomware overwrites the key with zeroes, forces garbage collection, and then self-deletes from disk.
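The scanning and selection behaviour described above, recast as a responder-side triage script (an added example, not ThreatDown's code and not the malware's): it assumes encrypted files carry the .prinzeugen extension named in the article, and the file listing it runs on is constructed. It reports what is already encrypted and lists the remaining files in the order the encryptor would reach them, so isolation and backup work can start with the files at greatest risk.

```python
"""Responder triage for a Prinz Eugen incident (added example, not ThreatDown's
code). Assumes, per the article: encrypted files end in .prinzeugen, the encryptor
walks every directory with no depth limit, and processes files newest-mtime-first,
alphabetically on ties. Output: what is encrypted, and what would be reached next."""
import os
from dataclasses import dataclass

ENCRYPTED_EXT = ".prinzeugen"  # extension named in the article

@dataclass(frozen=True)
class Entry:
    path: str
    mtime: float  # modification time, seconds since epoch

def scan_tree(root: str) -> list[Entry]:
    """Walk root with no depth limit and no exclusions, mirroring the scan scope."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                out.append(Entry(p, os.stat(p).st_mtime))
            except OSError:
                continue  # vanished or unreadable; skip rather than abort triage
    return out

def split_encrypted(entries: list[Entry]):
    """Partition into (already encrypted, still clear) by the .prinzeugen marker."""
    enc = [e for e in entries if e.path.endswith(ENCRYPTED_EXT)]
    return enc, [e for e in entries if not e.path.endswith(ENCRYPTED_EXT)]

def at_risk_order(entries: list[Entry]) -> list[Entry]:
    """Clear files in the order the encryptor would take them: newest mtime
    first, ties broken alphabetically by path. Snapshot/isolate the head first."""
    return sorted(split_encrypted(entries)[1], key=lambda e: (-e.mtime, e.path))

# Constructed sample listing (not from any real incident) for a stand-alone run.
SAMPLE = [
    Entry("/srv/share/ledger_2024.xlsx", 1_700_000_500),
    Entry("/srv/share/readme.txt", 1_600_000_000),
    Entry("/srv/share/invoices/april.pdf", 1_700_000_500),
    Entry("/srv/share/invoices/march.pdf.prinzeugen", 1_700_000_900),
]

if __name__ == "__main__":
    enc, _ = split_encrypted(SAMPLE)
    print(f"{len(enc)} file(s) already encrypted; next at risk, in order:")
    for e in at_risk_order(SAMPLE):
        print("  ", e.path)
```

On a live system, replace SAMPLE with scan_tree("/path/to/share") to build the listing from the filesystem.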
A notable tactic is the absence of a ransom note or any desktop wallpaper change. ThreatDown researchers note that this approach is increasingly common among organized ransomware groups, as it reduces the forensic footprint and makes automated detection of the extortion phase more difficult. Ransom communications are moved entirely out-of-band—through direct email, phone contact, or dark-web victim portals—complicating incident response.
Currently, the threat actor's data leak site lists only three victims, but researchers are aware of more organizations impacted. In one known case involving Standard Bank, the attacker demanded a ransom of 1 BTC and was refused. The researchers have provided a list of indicators of compromise to help organizations detect and defend against Prinz Eugen attacks, as the group continues to operate with a focus on encryption and data exfiltration.