What this gang is up to (short version)

Meet Prinz Eugen, a hands-on ransomware crew that seems to have a soft spot for whatever files you were just working on. Instead of blasting everything at once, their Go-based encryptor intentionally goes after the recently modified files first — the ones that are most likely to break your business flow. Oh, and then it does something a lot of ransomware gangs don’t do: it doesn’t drop a ransom text on the desktop. That’s right — no ransom note. The attackers prefer to handle extortion out-of-band (email, phone or private portals), which makes detection and automation slightly more grumpy.

Researchers from Threatdown (Malwarebytes’ enterprise team) dug into several incidents and found the group often gains entry via stolen RDP credentials, then manually installs a payload called servertool.exe. They like to use legitimate remote tools — think admin software — so you might see traces of RMM tools in affected environments. They also create backdoor admin accounts for sticking around.

Technical highlights, behavior and how to fight back

Here’s the nerdy-but-useful summary of what the encryptor actually does and what defenders should watch for:

  • Encryption order: prioritizes newest files; ties broken alphabetically. The goal appears to be maximum operational pain by hitting actively used documents first.
  • Filesystem scanning: recurses directories with no depth limit and no exclusions — it will touch almost every file except those already ending in .prinzeugen (the extension it uses for encrypted files).
  • Crypto details: uses ChaCha20-Poly1305 with a 32-byte master key, a fresh IV per file, and a key-derivation chain built from Argon2id, SHA-256 and HKDF-SHA256. Files are encrypted in 1 MB chunks and integrity is verified with SHA-256 hashes.
  • Safe-delete option: when run with a delete flag, the encryptor checks it can decrypt before removing the original — so it tries not to shoot itself in the foot.
  • Cleanup: the malware zeroes out the encryption key in memory, forces garbage collection to flush it, and then removes its own executable from disk to hamper recovery efforts.
  • No desktop wallpaper changes, no dropped TXT ransom note — this minimalist footprint is intentional to make the extortion piece stealthier.
  • Access pattern: manual, hands-on-keyboard intrusions leveraging stolen credentials and legitimate admin/RMM tooling rather than mass phishing or pure automation.
  • Not a RaaS model (at least publicly): operators are not currently recruiting affiliates; the group appears to operate more directly.

Threatdown’s investigations tie this group to multiple victims (their public leak site listed a few, though security teams know of more). In at least one reported case, a bank was offered ransom terms and declined.

So what should you do? Quick checklist:

  • Harden remote access: disable or tightly control RDP, use VPNs, restrict by IP where possible, and enforce strong authentication.
  • Lock down RMM: treat management tools like crown jewels — audit usage, remove unused agents, enforce least privilege and enable MFA.
  • Backups + drills: maintain immutable, offsite backups and test restores regularly so ‘newest-file’ targeting hurts less.
  • Detect living-off-the-land actions: monitor for suspicious admin tool use, abnormal account creation, and unusual file encryption patterns.
  • Patch and posture: keep systems updated, use EDR/monitoring tuned for hands-on intrusions, and have an incident response plan that expects out-of-band extortion.

In short: Prinz Eugen is a practical, targeted operator — not flashy, but effective. They try to hit what you care about most and hide the extortion trail. Protect your remote admin paths, lock down RMM, and make sure your backups are boringly reliable.