New Prinz Eugen ransomware prioritizes recent files for encryption
Published: 2026-6-20 15:58:4 | Source: www.bleepingcomputer.com


A new ransomware operation named ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system.

An investigation from Threatdown, Malwarebytes’ enterprise cybersecurity arm, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.

According to the researchers, initial access is likely achieved through stolen RDP credentials, followed by the manual download and execution of the main payload, ‘servertool.exe.’


In an investigated incident, the researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence.

Unlike many modern extortion operations, Prinz Eugen does not operate under the ransomware-as-a-service (RaaS) model, and its developers are not currently recruiting affiliates.


Currently, the threat actor's data leak site lists only three victims, with each entry indicating whether the hackers encrypted data, exfiltrated it, or both. However, the cybersecurity community is aware of more organizations impacted by Prinz Eugen ransomware.

Currently listed victims on the Prinz Eugen site
Source: BleepingComputer

Encryption strategy

An analysis of a Prinz Eugen attack revealed that the Go-based malware prioritizes the encryption of the most recently modified files. When multiple files share the same timestamp, they are processed in alphabetical order.

Threatdown researchers believe this approach is intended to maximize the impact on victims by targeting files that are more likely to be business-critical and in active use, increasing the pressure to pay the ransom.

The analyzed sample walks directories recursively with no depth limit and no exclusions, and encrypts virtually every file except those already carrying the .prinzeugen extension, which Prinz Eugen appends to encrypted files.

File scanning function
Source: Malwarebytes
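As an added triage example (not code from Threatdown's report or from the malware itself), the following Python ranks a directory listing in the order the report says the encryptor takes files, so a responder who interrupted a run can see which untouched files were next in the queue, and brackets the active encryption phase from the .prinzeugen files already written. The sample listing, the `Entry` type, the tie-break on the full path and the reading of a .prinzeugen file's mtime as its write time are assumptions.

```python
import os
from collections import namedtuple

ENCRYPTED_EXT = ".prinzeugen"  # extension the report says Prinz Eugen appends
Entry = namedtuple("Entry", "path mtime")  # path, mtime in epoch seconds

# Constructed sample listing for offline use; not taken from the report.
SAMPLE = [
    Entry("D:/finance/q2_forecast.xlsx.prinzeugen", 1_750_000_600),
    Entry("D:/finance/invoices_2026.csv.prinzeugen", 1_750_000_540),
    Entry("D:/finance/archive/2019_ledger.csv", 1_600_000_000),
    Entry("D:/hr/onboarding.docx", 1_749_990_000),
    Entry("D:/hr/contracts/alpha.pdf", 1_749_990_000),
    Entry("D:/hr/contracts/beta.pdf", 1_749_990_000),
    Entry("D:/it/notes.txt", 1_749_999_000),
]

def scan(root):
    """Walk a real tree with no depth limit (as the encryptor does) into Entry objects."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out.append(Entry(full, int(os.stat(full).st_mtime)))
    return out

def split_encrypted(entries):
    """Separate already-encrypted (.prinzeugen) files from untouched ones."""
    enc = [e for e in entries if e.path.endswith(ENCRYPTED_EXT)]
    plain = [e for e in entries if not e.path.endswith(ENCRYPTED_EXT)]
    return enc, plain

def predicted_order(entries):
    """Untouched files in the order the report describes: newest mtime first,
    alphabetical on ties (tie-break on the full path is an assumption; the report
    only says 'alphabetical'). The head of the list is what an interrupted run
    would have reached next, so it is where a responder verifies backups first."""
    _, plain = split_encrypted(entries)
    return [e.path for e in sorted(plain, key=lambda e: (-e.mtime, e.path))]

def encryption_window(entries):
    """(earliest, latest) mtime over encrypted files, or None if there are none.
    Assumes a .prinzeugen file's mtime is when the encryptor wrote it, so the
    pair brackets the active encryption phase when building a timeline."""
    enc, _ = split_encrypted(entries)
    if not enc:
        return None
    stamps = [e.mtime for e in enc]
    return (min(stamps), max(stamps))
```

On a live host, `predicted_order(scan(root))` and `encryption_window(scan(root))` give the same two views for a real tree.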

The ransomware employs ChaCha20-Poly1305 encryption with a 32-byte master key, a random initialization vector for each file, and a key derivation function based on Argon2id, SHA-256, and HKDF-SHA256.

The encryption process is carried out in 1 MB chunks, and file integrity is checked using the SHA-256 hash function.

File encryption routine
Source: Malwarebytes

The researchers noticed that when the malware is run with the --delete flag, which removes the original file after encryption, it first verifies that the encrypted file can be decrypted before deleting the original from the system.

To prevent the encryption key from being retrieved, Prinz Eugen ransomware overwrites it with zeroes, forces garbage collection to eliminate it from memory, and then self-deletes from disk.

Analysis of the encryptor showed no functionality to drop a text ransom note or change the desktop wallpaper. Threatdown researchers say that the absence of a ransom note "is a tactic we see more often among organized ransomware groups."

This is typically done to reduce the forensic footprint and make it more difficult for the extortion step to be detected automatically.

"By moving ransom communications entirely out-of-band (through direct email, phone contact, or dark-web victim portals), the actor reduces forensic artifacts and complicates automated detection of the extortion phase," the researchers say.

The researchers identified at least five Prinz Eugen victims, saying that in the case of the Standard Bank breach, the attacker demanded a ransom of 1 BTC and was refused.

Threatdown's report provides a list of indicators of compromise to help both organizations and researchers analyze, detect, and defend against Prinz Eugen ransomware attacks.



Article source: https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/