Prinz Eugen ransomware skips ransom notes, targets active files

A new ransomware operation called Prinz Eugen is built to hit businesses where it hurts first: recently modified files. Researchers also found it uses hands-on tactics, legitimate remote monitoring tools, and living-off-the-land techniques, while omitting a ra
For most ransomware crews, the message is part of the product—notes on desktops, instructions on screens. Prinz Eugen does something different.
Threatdown, the enterprise cybersecurity arm of Malwarebytes, found that this new ransomware operation prioritizes files that were modified most recently for encryption. It also leaves no ransom note on the infected system.
In the hands-on infections analyzed by researchers, the Prinz Eugen operators appear to work interactively, as if sitting at the keyboard. Instead of relying on flashy, easily spotted tooling, they prefer legitimate remote monitoring and management (RMM) software and living-off-the-land tools.
Investigators believe initial access is most likely gained with stolen RDP credentials, after which the attackers manually download and execute the main payload, ‘servertool.exe.’
In at least one incident, the team observed the use of the RemotePC RMM tool. They also saw a backdoor administrator account used for persistence—an approach that keeps access available even after the early phase is over.
Prinz Eugen does not appear to operate under the ransomware-as-a-service (RaaS) model: Threatdown researchers found no evidence that the developers are recruiting affiliates.
The encryption strategy is where the pressure builds. Threatdown reports that the Go-based malware walks directories recursively with no depth limit and no directory exclusions, encrypting virtually every file except those already ending in ‘.prinzeugen’, the extension it appends to encrypted output.
Files are encrypted in order of modification time, newest first; when multiple files share the same timestamp, the malware processes them in alphabetical order. Threatdown believes the focus on the most recently modified files is designed to maximize impact—hitting items most likely to be business-critical and actively used. That means more disruption, and more urgency to respond.
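The ordering described above, as an added example that is not the report's or the malware's code: a read-only walker in Go that lists the files under a directory in the order such a prioritisation would reach them (newest modification time first, ties alphabetical, files already ending in ‘.prinzeugen’ skipped). The sample tree and its timestamps are constructed inline. The report says "alphabetical" without specifying whether the full path or the base name is compared, so comparing the full path is an assumption made here. The practical use is to see which files on a share would be hit first and check that those in particular are covered by backups.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// EncryptedExt is the suffix the report says Prinz Eugen gives encrypted output;
// files already carrying it are the only ones the walk skips.
const EncryptedExt = ".prinzeugen"

// Target is a regular file with the one attribute the ordering depends on.
type Target struct {
	Path    string
	ModTime time.Time
}

// TargetOrder walks root recursively (no depth limit, no directory exclusions)
// and returns every regular file ordered newest-modified first. Timestamp ties
// are broken by comparing the full path (an assumption; see lead-in).
func TargetOrder(root string) ([]Target, error) {
	var targets []Target
	walk := func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !d.Type().IsRegular() {
			return nil
		}
		if strings.HasSuffix(path, EncryptedExt) {
			return nil // already-encrypted output is the only exclusion
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		targets = append(targets, Target{Path: path, ModTime: info.ModTime()})
		return nil
	}
	if err := filepath.WalkDir(root, walk); err != nil {
		return nil, err
	}
	sort.SliceStable(targets, func(i, j int) bool {
		if !targets[i].ModTime.Equal(targets[j].ModTime) {
			return targets[i].ModTime.After(targets[j].ModTime)
		}
		return targets[i].Path < targets[j].Path
	})
	return targets, nil
}

// RelativeOrder returns the same ordering as slash-separated paths relative
// to root, which is easier to read and to assert on.
func RelativeOrder(root string) ([]string, error) {
	targets, err := TargetOrder(root)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(targets))
	for _, t := range targets {
		rel, err := filepath.Rel(root, t.Path)
		if err != nil {
			return nil, err
		}
		out = append(out, filepath.ToSlash(rel))
	}
	return out, nil
}

// SampleTree writes a small constructed tree under root with explicit
// modification times so the ordering can be demonstrated offline.
func SampleTree(root string) error {
	base := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)
	files := []struct {
		rel string
		mod time.Time
	}{
		{"reports/q4.xlsx", base},                             // newest: hit first
		{"notes/a.txt", base.Add(-time.Hour)},                 // same timestamp as b.txt
		{"notes/b.txt", base.Add(-time.Hour)},                 // tie: sorted after a.txt
		{"reports/archive/2019.xlsx", base.AddDate(-1, 0, 0)}, // stale: hit last
		{"done.pdf" + EncryptedExt, base},                     // already encrypted: skipped
	}
	for _, f := range files {
		p := filepath.Join(root, filepath.FromSlash(f.rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte("sample"), 0o644); err != nil {
			return err
		}
		if err := os.Chtimes(p, f.mod, f.mod); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "prinzeugen-order")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := SampleTree(root); err != nil {
		panic(err)
	}
	order, err := RelativeOrder(root)
	if err != nil {
		panic(err)
	}
	for i, p := range order {
		fmt.Printf("%d. %s\n", i+1, p)
	}
}
```

Run against a real share root instead of the temp directory to get the list; the top of that list is the set of files whose backup recency matters most under this targeting, and the ‘.prinzeugen’ skip is what lets the malware be safely re-run over a partially processed tree.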
The encryption itself relies on ChaCha20-Poly1305, with a 32-byte master key and a random initialization vector (nonce) for each file. For key derivation, the routine uses Argon2id, SHA-256, and HKDF-SHA256. Files are processed in 1 MB chunks, and on top of the per-chunk Poly1305 authentication tag the malware verifies integrity with a SHA-256 hash.
There is also a built-in safety check in how it deletes originals. When Prinz Eugen is run with the ‘--delete’ flag, it deletes the original file after encrypting it—but only after confirming the encrypted copy can be decrypted. To reduce the chance of key recovery, the ransomware overwrites the encryption key with zeroes, forces garbage collection to eliminate it from memory, and then self-deletes from disk. Zeroing one buffer does not guarantee that every copy of the key is gone from process memory, so a memory image captured while the process is still running remains worth acquiring.
While many extortion groups rely on visible ransom messaging to steer victims, Prinz Eugen doesn’t. Threatdown researchers say the absence of a ransom note—and the lack of desktop wallpaper changes or text ransom instructions—is a tactic they see more often among organized ransomware groups. The idea is to reduce forensic artifacts and make the extortion phase harder for automated systems to detect.
Threatdown describes it as moving ransom communications entirely out of band, through direct email, phone contact, or dark-web victim portals. By removing that on-system trail, the actor complicates automated detection at the moment victims are trying to figure out what happened.
So far, Prinz Eugen’s data leak site lists only three victims. Each of the listed cases shows the hackers engaged in data encryption, exfiltration, or both. The research team cautions that the broader cybersecurity community is aware of more organizations impacted.
Threatdown also identified at least five Prinz Eugen victims and pointed to one incident involving the Standard Bank breach. In that case, the attacker demanded a ransom of 1 BTC—and was refused.
Threatdown’s report includes indicators of compromise designed to help organizations and researchers analyze, detect, and defend against Prinz Eugen ransomware activity.