
New Prinz Eugen Ransomware Prioritizes Recent Files for Encryption

What happened

Researchers have identified a new ransomware operation named Prinz Eugen that prioritizes encrypting the most recently modified files, a tactic designed to maximize disruption by targeting data most likely to be actively used by victims.

Threatdown, Malwarebytes’ enterprise security division, found that the group conducts hands-on-keyboard attacks and relies heavily on legitimate remote monitoring and management (RMM) software and living-off-the-land techniques instead of noisy malware. Initial access is believed to occur through stolen Remote Desktop Protocol (RDP) credentials, followed by the manual deployment of the ransomware payload.

In one investigated incident, the attackers used the RemotePC RMM tool and created a backdoor administrator account to maintain persistence within the victim’s environment.

Unlike many modern ransomware operations, Prinz Eugen is not currently operating as a ransomware-as-a-service (RaaS) platform and is not recruiting affiliates. The group’s leak site currently lists only three victims, although researchers believe additional organizations have been compromised.

The ransomware is written in Go and recursively encrypts files without directory depth limits. It encrypts virtually every file it encounters except those that have already been assigned the “.prinzeugen” extension. Another unusual characteristic is that the malware does not leave a ransom note on compromised systems, instead relying on out-of-band communication with victims.

Who is affected

Organizations with internet-exposed Remote Desktop Protocol services or compromised RDP credentials may be at increased risk from Prinz Eugen.

The ransomware appears to target enterprise environments where attackers can obtain administrative access before manually deploying the encryption payload. Because the malware prioritizes recently modified files, organizations actively working with business-critical documents may experience greater operational disruption during an attack.

Why CISOs should care

Prinz Eugen demonstrates a deliberate shift toward maximizing operational impact rather than simply encrypting files indiscriminately. By targeting the newest and most actively modified data first, attackers increase pressure on victims whose current business operations depend on those files.

The campaign also reinforces the continued effectiveness of credential-based intrusions. Rather than exploiting zero-day vulnerabilities, the attackers appear to rely on stolen RDP credentials, legitimate remote management software, and built-in administrative tools to blend into normal system activity.

The absence of an on-device ransom note is another notable evolution. Organizations that rely on traditional ransomware indicators may experience delays in identifying the incident or determining how to engage with the attackers.

3 practical actions

  1. Secure internet-facing RDP access: Prinz Eugen is believed to gain initial access through stolen RDP credentials. CISOs should restrict RDP exposure, require multifactor authentication where possible, monitor for suspicious logins, and disable unnecessary remote access services.
  2. Monitor legitimate remote management tools: The attackers used RemotePC and living-off-the-land techniques to maintain access. Security teams should alert on unexpected RMM deployments, creation of administrator accounts, and abnormal administrative activity originating from trusted management tools.
  3. Prioritize rapid backup and recovery of active business data: Because Prinz Eugen encrypts recently modified files first, organizations should ensure backups of active workloads are frequent, isolated from production environments, and regularly tested for recovery.
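Actions 1 and 2 come down to correlating the chain this post describes: an RDP logon, then an RMM service install, then a backdoor administrator account. The following detection logic is an added example, not code from Threatdown or the original post; it assumes Windows events have already been parsed into tuples, uses the real Windows event IDs 4624 (logon, type 10 = RDP), 7045 (new service), 4720 (account created) and 4732 (member added to local group), and runs over constructed sample events.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, host, details).
# The first host shows the chain from the post; the second is routine helpdesk work.
SAMPLE_EVENTS = [
    ("2024-01-01T02:10:00", 4624, "FS01", {"user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"}),
    ("2024-01-01T02:14:00", 7045, "FS01", {"service": "RemotePCService"}),
    ("2024-01-01T02:20:00", 4720, "FS01", {"user": "svc_backup", "target": "support_adm"}),
    ("2024-01-01T02:21:00", 4732, "FS01", {"user": "svc_backup", "target": "support_adm", "group": "Administrators"}),
    ("2024-01-01T09:00:00", 4624, "WS22", {"user": "alice", "logon_type": 2, "src": "-"}),
    ("2024-01-01T09:05:00", 4720, "WS22", {"user": "alice", "target": "intern01"}),
]

# Substrings that identify RMM service names; only RemotePC is named in the post,
# extend this tuple with the tools your organisation does not sanction.
RMM_SERVICE_HINTS = ("remotepc",)


def detect_rdp_admin_chain(events, window_minutes=60):
    """Return one alert per RDP logon that is followed, on the same host and within
    the window, by an RMM service install and/or a new account placed in Administrators.
    Account creation alone is routine, so it is recorded as a step but does not alert."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e[0])
    alerts = []
    for ts, eid, host, d in events:
        if eid != 4624 or d.get("logon_type") != 10:   # only RemoteInteractive (RDP) logons seed a chain
            continue
        start = datetime.fromisoformat(ts)
        steps = []
        for ts2, eid2, host2, d2 in events:
            t2 = datetime.fromisoformat(ts2)
            if host2 != host or not (start <= t2 <= start + window):
                continue
            if eid2 == 7045 and any(h in d2.get("service", "").lower() for h in RMM_SERVICE_HINTS):
                steps.append(f"rmm_service:{d2['service']}")
            elif eid2 == 4720:
                steps.append(f"account_created:{d2['target']}")
            elif eid2 == 4732 and d2.get("group") == "Administrators":
                steps.append(f"admin_added:{d2['target']}")
        if any(s.startswith(("rmm_service", "admin_added")) for s in steps):
            alerts.append({"host": host, "user": d["user"], "src": d["src"], "steps": steps})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_admin_chain(SAMPLE_EVENTS):
        print(alert)
```

Tune the window and the service-name hints to your environment; the point is that each event on its own looks like administration, and only the sequence after an RDP logon is worth paging on.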


*** This is a Security Bloggers Network syndicated blog from CISO Whisperer authored by John Kevin Hao. Read the original post at: https://cisowhisperer.com/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/?utm_source=rss&utm_medium=rss&utm_campaign=new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption