Researchers at Threatdown, the enterprise division of Malwarebytes, documented a new ransomware dubbed Prinz Eugen on June 20, 2026. The malware introduces a novel algorithmic prioritization logic: it encrypts files in order of their last-modified timestamp, from newest to oldest, with an alphabetical tie-breaker. This design shifts ransomware from a tool of indiscriminate destruction into a surgical weapon against immediate operational productivity, and the absence of a ransom note on the system complicates automated detection of the extortion phase.
- Prinz Eugen prioritizes encryption of the most recently modified files, applying alphabetical ordering as a secondary criterion
- It drops no ransom note and does not alter the desktop wallpaper; ransom communication occurs exclusively out-of-band
- Attackers operate hands-on-keyboard with legitimate RMM and living-off-the-land tools, not as a RaaS model
- The Go payload uses ChaCha20-Poly1305 with an Argon2id/SHA-256/HKDF key derivation and 1 MB chunks; it zeroes its session key after use and deletes its own binary from disk
The Prioritization Engine: Why Recent Files Make the Difference
Prinz Eugen's encryption sequence follows a precise rule: it recursively scans all directories without depth limits or exclusions, sorts files by descending modification timestamp, and applies alphabetical ordering in case of a tie. Threatdown researchers interpret this logic as a deliberate optimization of impact: the most recent files are statistically those in active use, and therefore more critical to daily operations.
The primary payload is a Go executable named servertool.exe. Encryption employs ChaCha20-Poly1305 with a 32-byte master key, a random IV per file, and a three-stage key derivation: Argon2id, SHA-256, and HKDF-SHA256. Files are processed in 1 MB blocks, and integrity is verified via SHA-256. With the --delete flag, the malware verifies decryptability before removing the original file, reducing the risk of permanent loss due to cryptographic error.
The session key undergoes rigorous sanitization: overwritten with zeros, purged from memory via forced garbage collection, and the binary self-removes from disk. This triple deletion makes forensic recovery of the key post-infection impractical.
The Absence of a Ransom Note as an Anti-Forensic Tactic
"By moving ransom communications entirely out-of-band (through direct email, phone contact, or dark-web victim portals), the actor reduces forensic artifacts and complicates automated detection of the extortion phase" — Threatdown researchers via BleepingComputer
Prinz Eugen implements no functionality to drop ransom notes on the system or alter the desktop wallpaper. Communication occurs through external channels: direct email, phone contact, or a dedicated dark-web victim portal. According to Threatdown researchers, "the absence of a ransom note is a tactic we see more often among organized ransomware groups."
The practical effect is twofold. On one hand, it reduces the local forensic footprint; on the other, it deprives automated detection systems of a classic indicator of extortion. Many EDR and SIEM solutions rely on the appearance of text files with known patterns as an alert trigger. Without this artifact, discovery of the infection may be delayed until users attempt to open encrypted files or until a data-leak phase becomes public.
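As an added example (not from the Threatdown report or from Malwarebytes), a detection heuristic that does not wait for a ransom note: it groups file overwrites from endpoint telemetry into bursts and scores how closely each burst follows the newest-first, alphabetical-tiebreak order described above, using a pre-incident file inventory (backup catalog or file index) for the original modification times. The inventory, event format, paths, timestamps and thresholds are all assumptions constructed for the demonstration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str]  # (time the write was observed, path)

def priority_key(inventory: Dict[str, datetime], path: str) -> Tuple[float, str]:
    """Order the article attributes to Prinz Eugen: newest mtime first, path A-Z on ties."""
    return (-inventory[path].timestamp(), path)

def ordered_fraction(events: List[Event], inventory: Dict[str, datetime]) -> float:
    """Fraction of consecutive writes to inventoried files that follow priority_key."""
    keys = [priority_key(inventory, p) for _, p in events if p in inventory]
    if len(keys) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(keys, keys[1:]) if a < b)
    return hits / (len(keys) - 1)

def split_bursts(events: List[Event], max_gap: timedelta) -> List[List[Event]]:
    """Group writes separated by no more than max_gap into bursts."""
    bursts: List[List[Event]] = []
    for ev in sorted(events):
        if bursts and ev[0] - bursts[-1][-1][0] <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts

def detect_newest_first(events, inventory, min_files=8, threshold=0.9,
                        max_gap=timedelta(seconds=5)) -> List[dict]:
    """Flag mass-write bursts whose order tracks the newest-first rule (no note needed)."""
    alerts = []
    for burst in split_bursts(events, max_gap):
        frac = ordered_fraction(burst, inventory)
        if len(burst) >= min_files and frac >= threshold:
            alerts.append({"start": burst[0][0], "files": len(burst), "ordered": round(frac, 2)})
    return alerts

# Constructed sample data (assumed inventory and telemetry, not real indicators).
T0 = datetime(2026, 6, 20, 9, 0, 0)
INVENTORY = {f"D:/share/{n}": T0 - timedelta(days=age) for n, age in [
    ("q2-forecast.xlsx", 0), ("board-deck.pptx", 0),  # equal mtime: alphabetical tie-break
    ("contract.docx", 1), ("payroll.csv", 2), ("notes.txt", 3),
    ("archive-2024.zip", 400), ("logo.png", 700), ("readme.md", 900)]}
ENCRYPT_ORDER = sorted(INVENTORY, key=lambda p: priority_key(INVENTORY, p))
T1, T2 = T0 + timedelta(hours=3), T0 + timedelta(hours=6)
ENCRYPT_BURST = [(T1 + timedelta(milliseconds=50 * i), p) for i, p in enumerate(ENCRYPT_ORDER)]
SYNC_BURST = [(T2 + timedelta(milliseconds=50 * i), p) for i, p in enumerate(sorted(INVENTORY))]  # benign A-Z sync

def demo() -> List[dict]:
    return detect_newest_first(ENCRYPT_BURST + SYNC_BURST, INVENTORY)
```

The benign alphabetical sync burst scores well below the threshold, while the burst that walks the inventory newest-first scores 1.0 and is flagged; on real telemetry the inventory lookup would be the costly part, so the check is best run only on bursts that already exceed a write-rate baseline.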
Hands-on-Keyboard, RMM, and Administrative Persistence
The dossier documents an operational model that excludes pure automation. Attackers employ hands-on-keyboard tactics with legitimate remote monitoring and management tools: RemotePC was observed in at least one incident. Persistence is ensured by creating a backdoor administrator account. Initial access likely occurs via compromised RDP credentials, though the brief does not specify the credential-theft mechanism.
The use of commercial RMM tools and system binaries (living-off-the-land) allows evasion of signature-based detection rules. These tools are signed, legitimate in their intended context, and their presence does not automatically trigger alerts in traditional whitelisting systems. The brief does not document further details on dwell time prior to ransomware deployment or on potential internal reconnaissance phases.
Why It Matters
The dossier does not specify remediation measures or verifiable countermeasures beyond noting the observed behavior. No additional indicators of compromise emerge beyond those cited, nor is the presence of a decryptor documented.
The brief does not quantify the total victim count beyond the five identified, does not detail the industrial sectors targeted, and does not confirm whether data exfiltration systematically precedes encryption in all cases. Victim geography remains largely unspecified, save for the case of Standard Bank. The rationale behind the name "Prinz Eugen" is unknown.
What emerges clearly is a shift in the ransomware landscape toward quieter, more structured operators independent of RaaS marketplaces. Prinz Eugen does not recruit affiliates and does not operate under a criminal franchise. This vertical integration reduces the actor's visibility but presumably increases its capacity for tactical adaptation.
The prioritization of recent files also represents an implicit challenge to traditional backup strategies. The freshest copies are those users tend not to have protected yet, or that reside in active synchronization with repositories vulnerable to encryption.
Frequently Asked Questions
- What is the difference between Prinz Eugen's prioritization and standard sequential encryption?
- Conventional ransomware traverses directories in physical or alphabetical order. Prinz Eugen explicitly sorts by descending timestamp, striking resources presumably in active use first and maximizing immediate operational disruption.
- How does the absence of a ransom note square with the ransom demand?
- Communication occurs exclusively out-of-band via direct channels. Researchers interpret this choice as a deliberate reduction of forensic artifacts and an obstacle to automated detection systems.
- Is Prinz Eugen available as a service for other criminals?
- No. The dossier explicitly documents that the ransomware does not operate as RaaS and that its developers are not recruiting affiliates.
Information is based on the cited advisory and current as of publication.
Sources
- https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/
- https://purple-ops.io/blog/ransomware-tracker-2026
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940
- https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln
- https://nvd.nist.gov/vuln/search
- https://nvd.nist.gov/vuln/categories
- https://nvd.nist.gov/vuln/data-feeds
- https://nvd.nist.gov/vuln/vendor-comments