New Prinz Eugen ransomware targets recent files, avoids ransom notes

A new ransomware operation dubbed "Prinz Eugen" has emerged, characterized by its strategy of prioritizing recently modified files for encryption and its omission of traditional ransom notes on affected systems, as reported by Bleeping Computer.

The Prinz Eugen threat actor employs a hands-on-keyboard approach, leveraging legitimate remote monitoring and management (RMM) software and living-off-the-land tools, according to Threatdown. Initial access is believed to be gained through compromised RDP credentials, followed by the manual execution of a payload named "servertool.exe." Unlike many ransomware operations, Prinz Eugen does not operate under a ransomware-as-a-service model and is not currently recruiting affiliates. The malware, written in Go, encrypts files using ChaCha20-Poly1305, focusing on recently modified files to maximize impact. It avoids dropping ransom notes, a tactic intended to reduce forensic artifacts and complicate automated detection of the extortion phase.

Researchers have identified at least five victims; in one case a ransom demand of 1 Bitcoin was refused. After encryption, the malware overwrites the encryption key with zeroes and deletes itself to prevent recovery.
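Because Prinz Eugen leaves no ransom note and zeroes its key, the ciphertext itself is often the only artifact of an encryption run, and the article notes the malware concentrates on recently modified files. The triage helper below, an added example that is not code from the article, from Bleeping Computer or from Threatdown, pairs those two observations: it walks a directory tree, keeps files modified within a time window, and flags those whose leading bytes have near-random entropy. The scan root, window, entropy threshold and the sample tree it builds are all constructed for the demonstration.

```python
"""
Triage helper: flag recently modified files whose contents look encrypted.

Added example (not from the article or any vendor). Assumptions: a scan
root, a modification-time window in seconds, and an entropy threshold of
7.5 bits/byte. Compressed formats (zip-based Office files, JPEG, archives)
also score high, so the output is a triage list, not a verdict.
"""
import math
import os
import random
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_recent_high_entropy(root: str, window_s: float, threshold: float = 7.5,
                             sample: int = 65536, now: Optional[float] = None) -> List[str]:
    """Return root-relative paths of files modified within window_s seconds
    whose first `sample` bytes have entropy >= threshold (sorted)."""
    now = time.time() if now is None else now
    root_path = Path(root)
    flagged = []
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime > window_s:
            continue  # outside the "recently modified" window
        with path.open("rb") as fh:
            head = fh.read(sample)
        # Very small files give unreliable entropy estimates; skip them.
        if len(head) >= 64 and shannon_entropy(head) >= threshold:
            flagged.append(path.relative_to(root_path).as_posix())
    return sorted(flagged)


def build_sample_tree(root: str, now: float) -> None:
    """Constructed sample tree (not real victim data) with three cases."""
    root_path = Path(root)
    (root_path / "docs").mkdir(parents=True, exist_ok=True)
    rng = random.Random(2024)  # seeded so the demo is deterministic
    # Recent plaintext: low entropy, must not be flagged.
    (root_path / "docs" / "notes.txt").write_bytes(b"quarterly planning notes\n" * 400)
    # Recent file whose bytes are indistinguishable from ciphertext: flagged.
    (root_path / "docs" / "budget.dat").write_bytes(rng.randbytes(16384))
    # Random-looking but 30 days old (a long-standing backup blob): outside
    # the window, so not flagged even though its entropy is high.
    old = root_path / "archive.bin"
    old.write_bytes(rng.randbytes(16384))
    os.utime(old, (now - 30 * 86400, now - 30 * 86400))


def demo() -> List[str]:
    """Build the constructed tree in a temp dir and scan the last 24 hours."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample_tree(tmp, now)
        return flag_recent_high_entropy(tmp, window_s=86400, now=now)


if __name__ == "__main__":
    print(demo())  # expected: ['docs/budget.dat']
```

Run against a real file server, the same function would be pointed at a share with a window matching the suspected dwell time; the entropy threshold is a heuristic, and anything it flags still needs a header check or a known-good hash comparison before it is treated as encrypted.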

Source: Bleeping Computer
