Published on June 22, 2026
New Prinz Eugen ransomware prioritizes recent files for encryption
Severity
Medium
Detail
A new ransomware operation named Prinz Eugen has been observed using a highly targeted encryption strategy that prioritizes recently modified files, increasing operational disruption for victims. According to Malwarebytes’ ThreatDown researchers, the group uses hands-on-keyboard intrusion techniques rather than automated ransomware-as-a-service models, and relies heavily on legitimate remote monitoring and management (RMM) tools as well as living-off-the-land binaries to blend into normal system activity.
Initial access is believed to be achieved through stolen RDP credentials, after which attackers manually deploy a payload (servertool.exe) and establish persistence using backdoor administrator accounts and RMM software such as RemotePC. The ransomware has already been linked to multiple confirmed victims, with additional impacted organizations suspected but not yet publicly disclosed.
How?
The attack typically begins with the use of compromised Remote Desktop Protocol (RDP) credentials to gain access to enterprise environments. Once inside, attackers manually execute the ransomware payload and deploy legitimate remote administration tools to maintain persistence and control. The malware then scans the file system recursively with no depth limit and no path exclusions, and orders the results by modification time, newest first, breaking ties alphabetically by path. Because the most recently changed files are encrypted first, active, business-critical data is hit before older or archival content, so even a run that is cut short early has already damaged the data in daily use.
The ransomware encrypts with ChaCha20-Poly1305, deriving keys with Argon2id and using a distinct nonce for each file. Files are processed in 1 MB chunks, and SHA-256 is used for integrity checks. Original files are deleted only after a verification step confirms the encrypted copy was written correctly, which preserves the attacker's ability to offer a working decryptor. The malware also overwrites encryption keys in memory, forces garbage collection, and deletes its own binary to reduce forensic traces. Notably, it drops no ransom note and does not change the desktop wallpaper; communication is moved to external channels such as direct contact or dark web portals, so detections keyed on ransom-note creation or wallpaper changes will not fire, and fewer artifacts remain on disk.
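The traversal order described above can be modelled without touching any encryption. The following is an added example, not code from the page or from ThreatDown: it takes a constructed snapshot of file metadata, of the kind an IR team could pull from a backup catalog or file-server audit export, and returns the order a recursive, no-exclusion, newest-first traversal with alphabetical tie-breaks would reach each file. The tree, its timestamps and the function names are invented for illustration.

```python
"""Model the newest-first traversal on a constructed file snapshot.

Added example, not code from the page or from ThreatDown. It encrypts
nothing; it only ranks files the way the described ransomware would
visit them, which tells responders which files to check first.
"""
from datetime import datetime


def parse_ts(value):
    """ISO-8601 with a trailing Z, as most audit exports write it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed snapshot (not real data): nested dicts are directories,
# leaves are modification times. Note that a system directory is
# included; the page states there are no exclusions.
SNAPSHOT = {
    "C:": {
        "Users": {
            "alice": {
                "Documents": {
                    "q2-forecast.xlsx": "2026-06-20T09:15:00Z",
                    "board-deck.pptx": "2026-06-20T09:15:00Z",
                },
                "Downloads": {"setup.msi": "2025-01-03T10:00:00Z"},
            },
        },
        "Windows": {
            "System32": {"ntdll.dll": "2024-11-10T12:00:00Z"},
        },
        "Shares": {
            "Finance": {"ledger.accdb": "2026-06-21T17:42:00Z"},
        },
    }
}


def walk(tree, prefix=""):
    """Recursive walk with no depth limit and no directory exclusions."""
    for name, value in tree.items():
        path = prefix + name
        if isinstance(value, dict):
            yield from walk(value, path + "\\")
        else:
            yield path, parse_ts(value)


def encryption_order(tree):
    """Newest modification time first; equal mtimes fall back to path order."""
    ranked = sorted(walk(tree), key=lambda f: (-f[1].timestamp(), f[0]))
    return [path for path, _ in ranked]


def first_hit(tree, n=3):
    """The files a recovery plan or an early-stage detection should check first."""
    return encryption_order(tree)[:n]


if __name__ == "__main__":
    for rank, path in enumerate(encryption_order(SNAPSHOT), 1):
        print(f"{rank:2d} {path}")
```

Two practical consequences follow from the ordering. First, the files at the top of the list are the ones to compare against the last good backup, because they are both the most valuable and the most likely to have been encrypted before any containment. Second, a decoy file that is touched on a schedule will always carry a fresh mtime and therefore sits near the front of the queue, which makes such canaries an early tripwire for this family rather than a late one.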
Recommendation
Organizations should immediately strengthen defenses around remote access systems by enforcing multi-factor authentication on RDP and disabling direct exposure of RDP services to the internet wherever possible. Continuous monitoring should be implemented for unusual login behavior, especially from new or privileged accounts, along with strict access control and least-privilege enforcement for administrative accounts.
Security teams should deploy endpoint detection capable of identifying RMM tool misuse and suspicious execution of administrative utilities commonly abused in living-off-the-land attacks. Network segmentation should be applied to limit lateral movement once an attacker gains initial access. Regular monitoring of file activity patterns, particularly bursts of modifications to recently changed files, can help identify early-stage encryption behavior.
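The file-activity heuristic in the paragraph above can be expressed as a small detector. The following is an added example, not code from the page or from ThreatDown: it runs over constructed file-audit lines and flags a process that touches many distinct files within a short window when most of those files were themselves modified recently, which is the signature of a newest-first encryption pass. The log format, the field names (including prior_mtime, the file's modification time before the process touched it) and the thresholds are assumptions; map them onto your own EDR or file-audit schema and tune the numbers against a baseline.

```python
"""Flag bursts of writes to recently modified files, per process.

Added example, not code from the page or from ThreatDown. Sample log
lines below are constructed; the detection is behavioral and does not
key on the image name (servertool.exe appears only because the page
names that payload).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)      # burst window per process
MIN_FILES = 5                       # distinct files touched inside the window
RECENT = timedelta(days=7)          # "recently modified" relative to the event
MIN_RECENT_FRACTION = 0.8           # share of touched files that were recent

# Constructed audit lines: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2026-06-22T03:14:00Z host=FS01 pid=4412 image=servertool.exe action=write path=D:\\Finance\\ledger.accdb prior_mtime=2026-06-21T17:42:00Z
2026-06-22T03:14:01Z host=FS01 pid=4412 image=servertool.exe action=write path=D:\\Finance\\ap-june.xlsx prior_mtime=2026-06-21T16:05:00Z
2026-06-22T03:14:01Z host=FS01 pid=4412 image=servertool.exe action=rename path=D:\\Finance\\ledger.accdb prior_mtime=2026-06-21T17:42:00Z
2026-06-22T03:14:02Z host=FS01 pid=4412 image=servertool.exe action=write path=D:\\Legal\\msa-draft.docx prior_mtime=2026-06-20T11:30:00Z
2026-06-22T03:14:02Z host=FS01 pid=4412 image=servertool.exe action=write path=D:\\HR\\payroll.csv prior_mtime=2026-06-19T08:00:00Z
2026-06-22T03:14:03Z host=FS01 pid=4412 image=servertool.exe action=write path=D:\\Sales\\pipeline.xlsx prior_mtime=2026-06-18T15:20:00Z
2026-06-22T03:14:03Z host=FS01 pid=4412 image=servertool.exe action=write path=D:\\Sales\\q2-deck.pptx prior_mtime=2025-02-01T09:00:00Z
2026-06-22T03:14:05Z host=FS01 pid=2210 image=WINWORD.EXE action=write path=D:\\Legal\\nda.docx prior_mtime=2026-06-21T14:00:00Z
2026-06-22T03:14:06Z host=FS01 pid=2210 image=WINWORD.EXE action=write path=D:\\Legal\\nda.docx prior_mtime=2026-06-22T03:14:05Z
2026-06-22T03:20:00Z host=FS01 pid=3300 image=patchsvc.exe action=write path=C:\\App\\a.dll prior_mtime=2024-03-01T00:00:00Z
2026-06-22T03:20:01Z host=FS01 pid=3300 image=patchsvc.exe action=write path=C:\\App\\b.dll prior_mtime=2024-03-01T00:00:00Z
2026-06-22T03:20:01Z host=FS01 pid=3300 image=patchsvc.exe action=write path=C:\\App\\c.dll prior_mtime=2024-03-01T00:00:00Z
2026-06-22T03:20:02Z host=FS01 pid=3300 image=patchsvc.exe action=write path=C:\\App\\d.dll prior_mtime=2024-03-01T00:00:00Z
2026-06-22T03:20:02Z host=FS01 pid=3300 image=patchsvc.exe action=write path=C:\\App\\e.dll prior_mtime=2026-06-22T03:00:00Z
2026-06-22T03:20:03Z host=FS01 pid=3300 image=patchsvc.exe action=write path=C:\\App\\f.dll prior_mtime=2024-03-01T00:00:00Z
"""


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line):
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = parse_ts(ts)
    event["prior_mtime"] = parse_ts(event["prior_mtime"])
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bursts(events):
    """Return at most one alert per (host, pid, image) matching the pattern."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["action"] in ("write", "rename"):
            by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            # One entry per distinct path: was the file recently modified
            # before this process touched it?
            touched = {}
            for e in window:
                touched.setdefault(e["path"], e["ts"] - e["prior_mtime"] <= RECENT)
            if len(touched) < MIN_FILES:
                continue
            recent_fraction = sum(touched.values()) / len(touched)
            if recent_fraction >= MIN_RECENT_FRACTION:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "first_seen": start["ts"], "files": len(touched),
                               "recent_fraction": round(recent_fraction, 2)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, the word processor touches a single file and the patch service rewrites six old binaries, so neither trips the rule; only the process that rewrites six distinct, mostly fresh documents in three seconds does. Expect backup and sync agents that legitimately rewrite recent files to match as well; allow-list them by signed image path or hash rather than by name, and pair the rule with the RMM and LOLBin telemetry mentioned above so a hit is corroborated rather than acted on alone.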
Organizations should also ensure reliable offline backups are maintained and tested regularly to mitigate encryption impact. Incident response plans should account for ransomware actors that do not leave traditional ransom notes, as communication may occur externally through out-of-band channels, making detection and attribution more difficult.
Source
