Prinz Eugen ransomware encrypts the files you opened most recently first - a calculated pressure tactic that skips ransom notes entirely.
ThreatDown researchers (Malwarebytes' enterprise arm) caught a new hands-on-keyboard operation. The group uses stolen RDP credentials, drops a Go-based payload called servertool.exe, and relies on legitimate RMM tools like RemotePC for persistence.
The encryption engine that prioritizes your active work
Prinz Eugen scans directories recursively with no depth limit and no exclusions, encrypting everything except files that already carry its own .prinzeugen extension. The ordering is deliberate: the most recently modified files are encrypted first. When modification timestamps match, it processes those files alphabetically.
The goal is obvious - hit the files your team is actively editing, the ones that hurt most to lose. ThreatDown calls this a tactic to maximize extortion pressure.
Under the hood, the malware uses ChaCha20-Poly1305 with a 32-byte master key, random initialization vectors per file, and a key derivation function built from Argon2id, SHA-256, and HKDF-SHA256. Encryption happens in 1 MB chunks, and the integrity of each chunk is verified with SHA-256 before deletion.
Self-destruct without leaving a note
Most ransomware groups leave a text file on every encrypted desktop. Not this one. No ransom note, no wallpaper change. ThreatDown says this reduces forensic artifacts and makes automated detection of the extortion phase harder. The attackers move all communication out-of-band - direct email, phone, or dark-web portals.
Prinz Eugen goes further to protect its secrets. When the --delete flag is used, it checks that a file can be decrypted before removing the original. Then it overwrites the encryption key with zeroes, forces garbage collection to purge it from memory, and finally deletes itself from disk.
Victims and the 1 BTC demand
ThreatDown identified at least five victims so far. The group's data leak site lists only three, showing a mix of encryption-only, data-exfiltration-only, and double-extortion cases. In one incident involving Standard Bank, the attacker demanded 1 BTC and was refused.
Unlike modern ransomware-as-a-service operations, Prinz Eugen isn't recruiting affiliates. The developers keep the operation tight and targeted.
ThreatDown published a full list of indicators of compromise in their report. If your environment sees unexpected RDP logins followed by RemotePC traffic and a binary named servertool.exe, you're already in the crosshairs.
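The three observables named above (an unexpected RDP logon, RemotePC traffic, a process called servertool.exe) are only useful if they are correlated per host. The script below is an added example, not code from ThreatDown or the report: it assumes a normalized pipe-delimited log format, treats RDP logons from outside an assumed 10.0.0.0/8 "expected" range as unexpected, and assumes RemotePC traffic arrives as an application label from a proxy or firewall. The sample log lines are constructed for the example, with documentation IP ranges rather than real indicators.

```python
"""
Correlate the article's three observables per host:
  1. an RDP logon (4624, logon type 10) from an unexpected source,
  2. followed by RemotePC traffic and/or execution of servertool.exe.
Log format, time window and "expected" networks are assumptions for this example.
"""
import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: RDP from these networks (e.g. jump hosts) is expected; anything else is unexpected.
EXPECTED_RDP_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: follow-on activity is tied to a logon if it occurs within this window.
FOLLOW_ON_WINDOW = timedelta(hours=2)
IOC_IMAGE = "servertool.exe"   # binary name from the report
IOC_APP = "remotepc"           # RemotePC traffic as an app label from a proxy/firewall (assumed format)

# Constructed sample log lines: ISO time|host|kind|key=value ...
SAMPLE_LOGS = r"""
2024-05-01T02:13:07|FS01|logon|event_id=4624 logon_type=10 user=svc_backup src=203.0.113.45
2024-05-01T02:20:41|FS01|process|event_id=4688 image=C:\Users\svc_backup\Downloads\servertool.exe
2024-05-01T02:25:03|FS01|network|app=RemotePC dst=198.51.100.10 dport=443
2024-05-01T09:02:11|WS07|logon|event_id=4624 logon_type=10 user=alice src=10.0.5.21
2024-05-01T09:30:00|WS07|process|event_id=4688 image=C:\Windows\System32\notepad.exe
2024-05-01T11:45:19|WS09|process|event_id=4688 image=C:\Temp\servertool.exe
"""


def parse_event(line):
    """Turn one 'ts|host|kind|k=v k=v' line into a dict with a datetime timestamp."""
    ts, host, kind, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), host=host, kind=kind)
    return fields


def is_unexpected_rdp(ev):
    """True for an interactive remote (RDP) logon whose source is outside the expected networks."""
    if ev["kind"] != "logon" or ev.get("logon_type") != "10":
        return False
    src = ipaddress.ip_address(ev["src"])
    return not any(src in net for net in EXPECTED_RDP_SOURCES)


def indicator_of(ev):
    """Return an indicator label if the event matches servertool.exe or RemotePC traffic, else None."""
    if ev["kind"] == "process" and PureWindowsPath(ev.get("image", "")).name.lower() == IOC_IMAGE:
        return IOC_IMAGE
    if ev["kind"] == "network" and ev.get("app", "").lower() == IOC_APP:
        return "RemotePC"
    return None


def find_alerts(log_text):
    """Return alerts: 'high' for an unexpected RDP logon followed by indicators on the same host,
    'medium' for servertool.exe seen without such a logon (still an IoC hit on its own)."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts, explained = [], set()
    for ev in events:
        if not is_unexpected_rdp(ev):
            continue
        hits = []
        for later in events:
            same_host = later["host"] == ev["host"]
            in_window = ev["ts"] < later["ts"] <= ev["ts"] + FOLLOW_ON_WINDOW
            if same_host and in_window and indicator_of(later):
                hits.append(indicator_of(later))
                explained.add(id(later))
        if hits:
            alerts.append({"severity": "high", "host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "logon_time": ev["ts"].isoformat(),
                           "indicators": sorted(set(hits))})
    for ev in events:
        if id(ev) not in explained and indicator_of(ev) == IOC_IMAGE:
            alerts.append({"severity": "medium", "host": ev["host"], "user": None, "src": None,
                           "logon_time": None, "indicators": [IOC_IMAGE]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, FS01 produces a high-severity alert (external RDP logon, then servertool.exe and RemotePC within the window), WS07 produces nothing (internal RDP source, benign process), and WS09 produces a medium-severity hit on the binary name alone; tuning the expected networks and window to your environment is what turns this from an example into a usable rule.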
Source: New Prinz Eugen ransomware prioritizes recent files for encryption
Domain: bleepingcomputer.com