Prinz Eugen ransomware targets fresh files first and skips ransom notes in stealthy new campaign

A new ransomware strain dubbed Prinz Eugen is prioritizing recently modified files for encryption while avoiding ransom notes entirely, signaling a more stealth-focused extortion approach.

CSBadmin

A newly identified ransomware operation known as “Prinz Eugen” is taking an unusual approach to data encryption by prioritizing the most recently modified files on infected systems while deliberately avoiding the use of ransom notes. According to research from Threatdown (formerly Malwarebytes’ corporate unit), the group appears to favor hands-on intrusion techniques and the use of legitimate remote monitoring tools rather than fully automated ransomware-as-a-service infrastructure.

The attackers are believed to gain initial access through stolen Remote Desktop Protocol (RDP) credentials before manually deploying their payload, identified as “servertool.exe.” In observed incidents, operators also used commercial RMM software such as RemotePC and maintained persistence through backdoor administrative accounts, allowing continued control over compromised environments.

Once inside a network, the Go-based ransomware recursively scans directories without limits or exclusions and encrypts nearly all accessible files, except those marked with a “.prinzeugen” extension. Its prioritization logic targets recently changed files first, and when timestamps are identical, it falls back to alphabetical ordering—an approach researchers say is designed to maximize disruption to active business operations.

The malware uses strong cryptography, combining ChaCha20-Poly1305 encryption with per-file random initialization vectors and a multi-layer key derivation process involving Argon2id, SHA-256, and HKDF-SHA256. Before removing original files, it verifies successful decryption, then wipes encryption keys from memory and self-deletes to reduce forensic traces. Notably, Prinz Eugen does not drop ransom notes or alter desktop backgrounds, instead shifting extortion communications off-system through direct contact channels or dark web portals—an increasingly common tactic among more organized ransomware groups.
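As an added triage example (written for this page, not code from Threatdown or the article), the Python below models the file-ordering behaviour described above from a responder's side: it reproduces the reported priority (newest modification time first, alphabetical on ties) so the most exposed clean files can be listed, and it inventories files already carrying the skip-marker extension. It assumes encrypted outputs keep the ".prinzeugen" extension, which the article implies but does not state outright.

```python
"""Triage helper for a Prinz Eugen-style encryption pass (added example)."""
import os
from typing import Iterable

# Extension the sample is reported to skip; assumed here to mark its own output.
ENCRYPTED_EXT = ".prinzeugen"


def encryption_order(entries: Iterable[tuple[str, float]]) -> list[str]:
    """Return paths in the order the reported prioritisation would visit them:
    most recent mtime first, then alphabetical path for identical timestamps."""
    return [path for path, _ in sorted(entries, key=lambda e: (-e[1], e[0]))]


def triage_tree(root: str) -> dict:
    """Walk `root` with no exclusions (mirroring the unrestricted recursive scan
    the article describes) and split files into encrypted and still-clean sets."""
    encrypted, clean = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mtime = os.stat(full).st_mtime
            except OSError:
                continue  # unreadable entry: skip it rather than abort triage
            bucket = encrypted if name.endswith(ENCRYPTED_EXT) else clean
            bucket.append((full, mtime))
    return {
        "encrypted_count": len(encrypted),
        # An encrypted output's mtime approximates when it was written, so the
        # oldest marker file bounds the start of the encryption pass.
        "first_encrypted_at": min((m for _, m in encrypted), default=None),
        # The most recently modified clean files are the ones a further pass
        # would take first, i.e. the most urgent to isolate and back up.
        "next_at_risk": encryption_order(clean)[:5],
    }


if __name__ == "__main__":
    import sys
    print(triage_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a mounted image or a suspect share root; the `next_at_risk` list is what to pull to offline backup first while containment is still in progress.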
