20 June 2026

Understanding the Prinz Eugen Ransomware Operation and Its Tactics

A new ransomware operation named Prinz Eugen is targeting recently modified files and avoiding detection by not leaving ransom notes on infected systems.


The cybersecurity landscape is constantly evolving, with new threats emerging regularly. One such threat is the Prinz Eugen ransomware, which has been making waves due to its unique approach to encryption and evasion tactics. Unlike many other ransomware operations, Prinz Eugen does not operate under the ransomware-as-a-service (RaaS) model and is not currently recruiting affiliates.

Researchers from ThreatDown, Malwarebytes’ enterprise cybersecurity arm, have been investigating this new threat. Their findings reveal a sophisticated and stealthy operation that prioritizes recently modified files for encryption and leaves no ransom note on the system. This approach is designed to maximize impact and evade detection.

Initial Access and Persistence

The Prinz Eugen hackers employ a hands-on-keyboard style, preferring to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools. Initial access is likely achieved through stolen RDP credentials, followed by the manual download and execution of the main payload, servertool.exe.

In one investigated incident, researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence. This method allows the attackers to maintain access to the system and carry out their malicious activities undetected.
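The intrusion chain described above (RDP logon with stolen credentials, a backdoor administrator account, an RMM tool and the servertool.exe payload) leaves a recognisable trail in Windows Security logs. The following detection example is added here and is not part of the ThreatDown report or this article; it correlates constructed sample events per host using the standard event IDs 4624 (logon), 4720 (user account created), 4732 (member added to a local group) and 4688 (process creation). The field names, the sample hosts, users and timestamps, and the 203.0.113.45 source address are all constructed for illustration.

```python
"""Correlate constructed Windows Security events for the intrusion pattern
described in the article: external RDP logon -> new local admin account ->
RMM tool / servertool.exe execution. Added example, not the report's own code."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names mirror a typical
# JSON-lines export of the Windows Security log; they are an assumption here.
SAMPLE_EVENTS = [
    '{"ts":"2026-06-18T02:11:05","host":"FS01","id":4624,"logon_type":10,"user":"svc_backup","src_ip":"203.0.113.45"}',
    '{"ts":"2026-06-18T02:13:40","host":"FS01","id":4720,"user":"svc_backup","target":"helpdesk2"}',
    '{"ts":"2026-06-18T02:14:02","host":"FS01","id":4732,"user":"svc_backup","target":"helpdesk2","group":"Administrators"}',
    '{"ts":"2026-06-18T02:20:11","host":"FS01","id":4688,"user":"helpdesk2","process":"C:\\\\Users\\\\helpdesk2\\\\Downloads\\\\servertool.exe"}',
    '{"ts":"2026-06-18T09:00:00","host":"WS07","id":4624,"logon_type":10,"user":"alice","src_ip":"10.0.5.12"}',
    '{"ts":"2026-06-18T09:05:00","host":"WS07","id":4688,"user":"alice","process":"C:\\\\Windows\\\\System32\\\\notepad.exe"}',
]

PAYLOAD_NAMES = {"servertool.exe"}   # payload name given in the report
RMM_MARKERS = ("remotepc",)          # RMM tool named in the report (substring match on the image path)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(lines):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip: str) -> bool:
    """Anything outside the RFC 1918 ranges is treated as an external source."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(lines, window=timedelta(hours=1)):
    """Return {host: [finding, ...]} for the three stages of the described chain."""
    findings = defaultdict(list)
    by_host = defaultdict(list)
    for e in parse(lines):
        by_host[e["host"]].append(e)

    for host, events in by_host.items():
        created = {}  # target account -> time of the 4720 event
        for e in events:
            if e["id"] == 4624 and e.get("logon_type") == 10 and is_external(e["src_ip"]):
                # Logon type 10 is RemoteInteractive (RDP).
                findings[host].append(f"external RDP logon as {e['user']} from {e['src_ip']}")
            elif e["id"] == 4720:
                created[e["target"]] = e["ts"]
            elif e["id"] == 4732 and e.get("group") == "Administrators":
                t0 = created.get(e["target"])
                if t0 is not None and e["ts"] - t0 <= window:
                    findings[host].append(
                        f"new account {e['target']} added to Administrators {e['ts'] - t0} after creation")
            elif e["id"] == 4688:
                image = e["process"].lower()
                name = image.rsplit("\\", 1)[-1]
                if name in PAYLOAD_NAMES or any(m in image for m in RMM_MARKERS):
                    findings[host].append(f"suspicious process {e['process']} run by {e['user']}")
    return dict(findings)


def hosts_to_triage(lines, min_findings=2):
    """Hosts where at least min_findings stages of the chain were observed."""
    return sorted(h for h, f in correlate(lines).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for host, found in correlate(SAMPLE_EVENTS).items():
        print(host)
        for f in found:
            print("  -", f)
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))
```

Requiring two or more stages on the same host keeps a lone external RDP logon (common for travelling staff) from paging anyone, while the account-creation-to-Administrators check catches the backdoor account even when the payload name changes between incidents.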

Encryption Strategy

The Prinz Eugen ransomware is written in Go and prioritizes the encryption of the most recently modified files. When multiple files share the same timestamp, they are processed in alphabetical order. This strategy is intended to target files that are more likely to be business-critical and in active use, increasing the pressure on victims to pay the ransom.

The ransomware employs ChaCha20-Poly1305 encryption with a 32-byte master key, a random initialization vector for each file, and a key derivation function based on Argon2id, SHA-256, and HKDF-SHA256. The encryption process is carried out in 1 MB chunks, and file integrity is checked using the SHA-256 hash function.
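Because the malware works through files newest-first (alphabetical on equal timestamps) and leaves no ransom note, an incident responder scoping an infected share has to find encrypted files rather than read a note. The following scoping script is added here and is not code from the report or from the malware; it walks a directory in the same priority order the article describes and flags files whose leading 1 MB chunk has the near-8-bits-per-byte entropy of ChaCha20-Poly1305 output. The 7.5-bit threshold and the 256-byte minimum size are assumptions chosen for illustration.

```python
"""Scope a suspected Prinz Eugen encryption run: list files in the priority order
the report describes (newest mtime first, name as tie-break) and flag those whose
first 1 MB looks like ciphertext. Added example, not the report's own code."""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, well below that for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def prioritized_files(root: str):
    """All regular files under root, newest modification time first; ties are
    broken by path so files with identical mtimes come out alphabetically."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the walk
            entries.append((-st.st_mtime, path))
    entries.sort()
    return [path for _, path in entries]


def scope_encryption(root: str, chunk=1 << 20, threshold=7.5, min_size=256):
    """Return (flagged, clean): files whose leading chunk has ciphertext-like entropy,
    and the rest. Files under min_size cannot reach the threshold and are left in clean."""
    flagged, clean = [], []
    for path in prioritized_files(root):
        with open(path, "rb") as f:
            head = f.read(chunk)  # same 1 MB granularity the report gives for the encryptor
        if len(head) >= min_size and shannon_entropy(head) >= threshold:
            flagged.append(path)
        else:
            clean.append(path)
    return flagged, clean


if __name__ == "__main__":
    import sys
    flagged, clean = scope_encryption(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(flagged)} likely encrypted, {len(clean)} clean")
    for p in flagged:
        print("  ENC ", p)
```

Entropy alone cannot distinguish ciphertext from legitimately compressed content, so archives, images and Office documents (which are zip containers) will also be flagged; treat the output as a triage list to confirm against known file signatures and the indicators in the ThreatDown report, not as a verdict.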

Evasion Tactics

To prevent the encryption key from being retrieved, Prinz Eugen ransomware overwrites it with zeroes, forces garbage collection to eliminate it from memory, and then self-deletes from disk. Additionally, the malware does not drop a text ransom note or change the desktop wallpaper, which is a tactic seen more often among organized ransomware groups.

By moving ransom communications entirely out-of-band through direct email, phone contact, or dark-web victim portals, the actor reduces forensic artifacts and complicates automated detection of the extortion phase. This stealthy approach makes it more difficult for security teams to identify and respond to the threat.

Known Victims and Impact

Currently, the threat actor’s data leak site lists three victims, each showing that the hackers engage in data encryption, exfiltration, or both. However, the cybersecurity community is aware of more organizations impacted by Prinz Eugen ransomware. In one notable case, the attacker demanded a ransom of 1 BTC from Standard Bank, which was refused.

ThreatDown’s report provides a list of indicators of compromise to help both organizations and researchers analyze, detect, and defend against Prinz Eugen ransomware attacks. As the threat landscape continues to evolve, it is crucial for businesses to stay informed and implement robust security measures to protect against such sophisticated threats.

Author

Florence Wright

Florence Wright, Glasgow native with an editorial-minimal aesthetic, rerouted a social feed to live-cover a Pollok Park remembrance event, prioritising human detail over algorithmic reach. Promotes clarity, humane framing and local resonance; keeps an archive of Polaroids from neighbourhood gatherings as a personal emblem.