New Prinz Eugen Ransomware Targets Recently Modified Files
A newly discovered ransomware operation dubbed ‘Prinz Eugen’ has been identified for its unique approach to file encryption. Unlike typical ransomware attacks, Prinz Eugen prioritizes recently modified files for encryption and does not leave a ransom note on the infected system.
An investigation conducted by Threatdown, Malwarebytes’ enterprise cybersecurity division, revealed that the Prinz Eugen hackers exhibit a hands-on-keyboard style and prefer to utilize legitimate remote monitoring and management (RMM) software and living-off-the-land tools.
Initial access to targeted systems is believed to be gained through stolen Remote Desktop Protocol (RDP) credentials, followed by the manual download and execution of the primary payload, known as ‘servertool.exe’.
In a specific incident under investigation, researchers observed the utilization of the RemotePC RMM tool and a backdoor administrator account to establish persistence within the compromised systems.
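The access chain described above (RDP logon with stolen credentials, manual execution of servertool.exe, then a backdoor administrator account) is the kind of sequence a SIEM rule can correlate. The following is an added detection example, not code from Threatdown's report: it runs over a constructed set of Windows Security log records and flags a host/user pair where a RemoteInteractive logon (event 4624, logon type 10) is followed within a window by a process-creation event (4688) for servertool.exe and by account creation (4720) or addition to a local group (4732). The event IDs are standard Windows Security log IDs; the sample records, the `C:\Users\Public` path, the host and account names and the `WinEvent` shape are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WinEvent:
    ts: float         # epoch seconds
    event_id: int     # Windows Security log event ID
    host: str
    user: str         # account the activity is attributed to
    detail: str = ""  # logon type, process path, created account or group name


PAYLOAD_NAME = "servertool.exe"  # payload name from the report; its path below is an assumption

# Constructed sample log; T0 is an arbitrary base timestamp.
T0 = 1_700_000_000.0
SAMPLE_LOG = [
    # Benign: an administrator's RDP session with no follow-on activity.
    WinEvent(T0 - 7200, 4624, "DC01", "CORP\\it.admin", "LogonType=10"),
    # Suspect chain on the file server: RDP logon, payload, new local admin.
    WinEvent(T0, 4624, "FS01", "CORP\\svc_backup", "LogonType=10"),
    WinEvent(T0 + 120, 4688, "FS01", "CORP\\svc_backup", "C:\\Users\\Public\\servertool.exe"),
    WinEvent(T0 + 300, 4720, "FS01", "CORP\\svc_backup", "support_tmp"),
    WinEvent(T0 + 310, 4732, "FS01", "CORP\\svc_backup", "Administrators"),
    # Benign: a network logon (type 3) followed by a normal tool is not the pattern.
    WinEvent(T0 + 400, 4624, "FS01", "CORP\\backup.svc", "LogonType=3"),
    WinEvent(T0 + 410, 4688, "FS01", "CORP\\backup.svc", "C:\\Windows\\System32\\robocopy.exe"),
]


def correlate_rdp_to_admin(events, window=3600.0):
    """Return one finding per RDP logon that is followed, within `window` seconds
    and for the same host/user, by execution of the payload and by a persistence
    event (account created or member added to a local group)."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[(e.host, e.user)].append(e)

    findings = []
    for (host, user), evs in by_session.items():
        for logon in evs:
            if logon.event_id != 4624 or "LogonType=10" not in logon.detail:
                continue
            later = [e for e in evs if logon.ts < e.ts <= logon.ts + window]
            payload = [e for e in later
                       if e.event_id == 4688 and e.detail.lower().endswith(PAYLOAD_NAME)]
            persistence = [e for e in later if e.event_id in (4720, 4732)]
            if payload and persistence:
                findings.append({
                    "host": host,
                    "user": user,
                    "logon_ts": logon.ts,
                    "payload": payload[0].detail,
                    "persistence": [(e.event_id, e.detail) for e in persistence],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_rdp_to_admin(SAMPLE_LOG):
        print(finding)
```

Keying the correlation on (host, user) rather than on the whole log keeps an administrator's unrelated RDP session from being joined to someone else's account changes; in a real deployment the 4688 match would be widened from the single filename to whatever indicators the report lists.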
Unlike many contemporary ransomware operations, Prinz Eugen does not function under the ransomware-as-a-service (RaaS) model, and its developers are currently not actively seeking affiliates.
The operation, which has listed only three victims on its data leak site, performs data encryption, exfiltration, or both. However, the cybersecurity community is reported to be aware of more organizations impacted by the Prinz Eugen ransomware.
[Figure: Currently listed victims on the Prinz Eugen site. Source: BleepingComputer]
Encryption Tactics Employed by Prinz Eugen
An analysis of a Prinz Eugen attack revealed that the ransomware prioritizes the encryption of recently modified files, aiming to affect business-critical and actively used files. The encryption process is carried out recursively with no depth limit and no exclusions, using the .prinzeugen extension for encrypted files.
Prinz Eugen ransomware utilizes advanced encryption techniques, including ChaCha20-Poly1305 encryption, a 32-byte master key, random initialization vectors, and key derivation functions based on Argon2id, SHA-256, and HKDF-SHA256.
The ransomware’s encryption process occurs in 1 MB chunks, with file integrity checked using the SHA-256 hash function.
[Figure: File encryption routine. Source: Malwarebytes]
Notably, Prinz Eugen ransomware takes precautions to prevent the retrieval of encryption keys, overwriting them with zeroes, eliminating them from memory through garbage collection, and self-deleting from the system.
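Two behaviours described above are themselves detectable: the encryptor walks recursively with no exclusions and takes the most recently modified files first, and it renames each file to the .prinzeugen extension. Because keys are zeroed and the binary self-deletes, detection has to happen while encryption is in progress. The following is an added example, not code from the report or from Malwarebytes: it runs over a constructed file-event feed and (1) flags a burst of renames to the suspect extension, (2) measures whether victims are being taken in descending modification-time order, and (3) checks whether any deliberately recently-touched canary files were hit, since a recent-first encryptor with no exclusions will reach a freshly modified canary early. The `FileEvent` shape, the sample paths and the `/srv/share/_canary` location are assumptions for the example.

```python
from dataclasses import dataclass

SUSPECT_EXT = ".prinzeugen"  # extension named in the report


@dataclass
class FileEvent:
    ts: float     # epoch seconds when the operation was observed
    op: str       # "write", "rename" or "delete"
    path: str     # resulting path
    mtime: float  # last-modified time of the original file before the operation


BASE = 1_700_000_000.0
# Constructed sample feed: one benign write, then six renames to the suspect
# extension whose victims get progressively older, starting with a canary file.
SAMPLE_EVENTS = [
    FileEvent(BASE - 600, "write", "/srv/share/finance/q3.xlsx", BASE - 600),
    FileEvent(BASE + 0.2, "rename", "/srv/share/_canary/touch-me.txt" + SUSPECT_EXT, BASE - 5),
    FileEvent(BASE + 1.0, "rename", "/srv/share/finance/q3.xlsx" + SUSPECT_EXT, BASE - 600),
    FileEvent(BASE + 1.9, "rename", "/srv/share/hr/payroll.csv" + SUSPECT_EXT, BASE - 3600),
    FileEvent(BASE + 2.7, "rename", "/srv/share/ops/runbook.docx" + SUSPECT_EXT, BASE - 86400),
    FileEvent(BASE + 3.4, "rename", "/srv/share/archive/2021.zip" + SUSPECT_EXT, BASE - 2 * 86400),
    FileEvent(BASE + 4.1, "rename", "/srv/share/archive/2019.zip" + SUSPECT_EXT, BASE - 30 * 86400),
    FileEvent(BASE + 4.5, "write", "/srv/share/ops/notes.txt", BASE + 4.5),  # unrelated activity
]
# Canary files a defender keeps recently modified (e.g. touched by a scheduled task).
CANARIES = {"/srv/share/_canary/touch-me.txt"}


def suspect_renames(events):
    """Renames to the suspect extension, in time order."""
    return sorted((e for e in events if e.op == "rename" and e.path.endswith(SUSPECT_EXT)),
                  key=lambda e: e.ts)


def burst_of_suspect_renames(events, window=60.0, threshold=5):
    """First (start_ts, count) window holding >= threshold suspect renames, else None."""
    times = [e.ts for e in suspect_renames(events)]
    for i, t0 in enumerate(times):
        j = i
        while j < len(times) and times[j] - t0 <= window:
            j += 1
        if j - i >= threshold:
            return (t0, j - i)
    return None


def recent_first_ratio(events):
    """Fraction of consecutive suspect renames whose victim is no newer than the
    previous one. Near 1.0 matches a most-recently-modified-first walk; an
    mtime-agnostic directory walk lands around 0.5."""
    seq = suspect_renames(events)
    if len(seq) < 2:
        return 0.0
    ordered = sum(1 for a, b in zip(seq, seq[1:]) if b.mtime <= a.mtime)
    return ordered / (len(seq) - 1)


def canary_hits(events, canaries):
    """Original paths of canary files that were renamed to the suspect extension."""
    return [e.path[:-len(SUSPECT_EXT)] for e in suspect_renames(events)
            if e.path[:-len(SUSPECT_EXT)] in canaries]


def assess(events, canaries, window=60.0, threshold=5, order_cutoff=0.8):
    """Combine the three signals into one verdict dictionary."""
    burst = burst_of_suspect_renames(events, window, threshold)
    ratio = recent_first_ratio(events)
    hits = canary_hits(events, canaries)
    suspicious = bool(hits) or (burst is not None and ratio >= order_cutoff)
    return {"burst": burst, "recent_first_ratio": ratio,
            "canary_hits": hits, "suspicious": suspicious}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, CANARIES))
```

The canary signal is the cheapest of the three to act on: a file that nothing legitimate should ever rename, kept fresh so that a recent-first encryptor reaches it early, gives a single high-confidence event that can trigger host isolation before the bulk of the share is touched.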
The absence of a traditional ransom note in Prinz Eugen attacks is a deliberate tactic employed by organized ransomware groups to reduce forensic traces and complicate automated detection of the extortion phase.
Threatdown researchers have identified several victims of Prinz Eugen, with reported ransom demands and refusals, such as the case of the Standard Bank breach where a ransom of 1 BTC was demanded and rejected.
Threatdown’s report also includes indicators of compromise to assist organizations and researchers in analyzing, detecting, and defending against Prinz Eugen ransomware attacks.