Standard Bank: New Prinz Eugen ransomware prioritizes recent files for encryption

Standard Bank: New Prinz Eugen ransomware prioritizes recent files for encryption

New Prinz Eugen Ransomware Targets Recently Modified Files, Skips Ransom Notes

A newly identified ransomware operation, Prinz Eugen, is employing a stealthy and targeted approach to encryption, prioritizing recently modified files while avoiding traditional ransom notes. Discovered by Threatdown (Malwarebytes’ enterprise cybersecurity team), the group operates with a hands-on-keyboard style, leveraging legitimate remote monitoring and management (RMM) tools and living-off-the-land techniques to evade detection.

Initial access is believed to occur via stolen RDP credentials, followed by the manual deployment of the servertool.exe payload. In one observed attack, the threat actors used the RemotePC RMM tool and created a backdoor administrator account for persistence. Unlike most modern ransomware groups, Prinz Eugen does not follow the ransomware-as-a-service (RaaS) model and is not actively recruiting affiliates.

The ransomware, written in Go, encrypts files based on modification timestamps, processing the most recently altered files first likely to maximize disruption by targeting active, business-critical data. When multiple files share the same timestamp, they are encrypted in alphabetical order. The malware scans directories recursively without depth limits or exclusions, encrypting nearly all files except those already marked with the .prinzeugen extension.

Encryption is performed using ChaCha20-Poly1305 with a 32-byte master key, a per-file random initialization vector, and a key derivation process involving Argon2id, SHA-256, and HKDF-SHA256. Files are encrypted in 1 MB chunks, with integrity verified via SHA-256 hashing. Before deleting the original file (when the --delete flag is used), the malware ensures the encrypted version can be decrypted. To prevent key recovery, it overwrites the encryption key with zeroes, forces garbage collection to clear memory, and self-deletes from disk.

Notably, Prinz Eugen does not drop a ransom note or alter the desktop wallpaper a tactic increasingly adopted by organized ransomware groups to minimize forensic traces and complicate automated detection. Instead, extortion communications are conducted out-of-band, via direct email, phone, or dark web portals.

As of now, Prinz Eugen’s leak site lists only three victims, though researchers are aware of additional impacted organizations. In one case involving Standard Bank, the attackers demanded 1 BTC, which was reportedly refused. The group’s current activity suggests a focused, low-volume approach, distinguishing it from larger RaaS operations. Indicators of compromise have been shared to aid detection and defense efforts.

Source: https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/

Standard Bank TPRM report: https://www.rankiteo.com/company/international-organization-for-standardization-iso-

"id": "int1781972623",
"linkid": "international-organization-for-standardization-iso-",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Banking',
                        'name': 'Standard Bank',
                        'type': 'Financial Institution'}],
 'attack_vector': 'Stolen RDP credentials',
 'data_breach': {'data_encryption': 'ChaCha20-Poly1305 with Argon2id, SHA-256, '
                                    'and HKDF-SHA256',
                 'sensitivity_of_data': 'High (business-critical)',
                 'type_of_data_compromised': 'Business-critical files, '
                                             'recently modified data'},
 'description': 'A newly identified ransomware operation, Prinz Eugen, is '
                'employing a stealthy and targeted approach to encryption, '
                'prioritizing recently modified files while avoiding '
                'traditional ransom notes. The group uses legitimate remote '
                'monitoring and management (RMM) tools and living-off-the-land '
                'techniques to evade detection. Initial access is via stolen '
                'RDP credentials, followed by manual deployment of the '
                'servertool.exe payload. The ransomware encrypts files based '
                'on modification timestamps and does not drop ransom notes, '
                'conducting extortion communications out-of-band.',
 'impact': {'data_compromised': 'Business-critical data, files with recent '
                                'modifications',
            'operational_impact': 'Disruption of active business operations'},
 'initial_access_broker': {'backdoors_established': 'Backdoor administrator '
                                                    'account',
                           'entry_point': 'Stolen RDP credentials'},
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Stolen RDP credentials, use of '
                                           'legitimate RMM tools (e.g., '
                                           'RemotePC) for persistence'},
 'ransomware': {'data_encryption': True,
                'ransom_demanded': '1 BTC (Standard Bank case)',
                'ransom_paid': 'Refused (Standard Bank case)',
                'ransomware_strain': 'Prinz Eugen'},
 'references': [{'source': 'Threatdown (Malwarebytes’ enterprise cybersecurity '
                           'team)'}],
 'threat_actor': 'Prinz Eugen',
 'title': 'Prinz Eugen Ransomware Targets Recently Modified Files',
 'type': 'Ransomware'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.