Prinz Eugen ransomware encrypts the most recent files

A new ransomware family, Prinz Eugen, demonstrates how extortion attacks are becoming increasingly targeted. The malware does not simply encrypt all files it encounters; it prioritizes recently modified files. This allows attackers to directly target information that is often the most business-critical for organizations.

Researchers from the ThreatDown security division analyzed the ransomware after a client fell victim to an attack in May. The malware is written in Go, a programming language increasingly popular among cybercriminals for its flexibility and platform independence.

What sets Prinz Eugen apart is the way it selects files. The malware first targets the most recently modified files. When multiple files have the same timestamp, they are processed in alphabetical order. According to the researchers, this is intended to increase the pressure on victims by encrypting current documents, project files, and other frequently used data first.

The malware scans all folders without any depth restrictions and makes virtually no exceptions. Only files with the .prinzeugen extension are skipped.
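As an added defender-side example (not code from the article or from ThreatDown's analysis), the scanner below walks a tree with no depth limit, collects every file carrying the reported .prinzeugen extension, and brackets the encryption window from their modification times. It assumes only the extension stated above; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".prinzeugen"  # extension the malware appends (and skips on rescan)

def scan_for_prinzeugen(root):
    """Walk `root` with no depth limit and collect files with the ransomware
    extension. Returns hits sorted by mtime, per-directory counts and the
    (first, last) mtime: with no ransom note on disk, that window is a useful
    on-host anchor for the encryption timeline."""
    hits, per_dir = [], Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue  # vanished or unreadable; keep scanning
            hits.append((mtime, str(path)))
            per_dir[dirpath] += 1
    hits.sort()
    window = (hits[0][0], hits[-1][0]) if hits else None
    return {"hits": hits, "per_dir": per_dir, "window": window}

def demo():
    """Build a constructed sample tree (hypothetical, not real malware output),
    scan it and return the report."""
    base = Path(tempfile.mkdtemp(prefix="pe_demo_"))
    now = time.time()
    layout = [  # (relative path, mtime offset in seconds from now)
        ("docs/q2-plan.docx.prinzeugen", -3600),
        ("docs/old/archive.zip", -86400 * 30),
        ("projects/build/report.xlsx.prinzeugen", -3500),
        ("projects/build/notes.txt.prinzeugen", -3400),
        ("projects/readme.md", -86400 * 10),
    ]
    for rel, offset in layout:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.utime(p, (now + offset, now + offset))
    return scan_for_prinzeugen(base)

if __name__ == "__main__":
    r = demo()
    print(f"{len(r['hits'])} encrypted files; encryption window {r['window']}")
```

Directories with the most hits (`r["per_dir"].most_common()`) and the first hit in `r["hits"]` give a starting point for the timeline when no note is present.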

No ransom note

The extortion method also differs from customary practice. While ransomware groups typically leave a ransom note, Prinz Eugen does not. Communication takes place outside the infected system.

The absence of a ransom note makes forensic investigation more difficult and can delay detection of the attack. Furthermore, because communication takes place via email, phone, or a victim portal, fewer digital traces are left behind.

According to the analysis, attackers often gain access using stolen RDP credentials. The ransomware is then deployed manually via a file named servertool.exe. Along the way, the attackers use legitimate management and monitoring software and so-called “living-off-the-land” techniques.

In one attack investigated, RemotePC was among the tools used. In addition, the attackers used a hidden administrator account to maintain access to the network. This approach makes detection more difficult, as many activities resemble routine system administration.

Prinz Eugen does not appear to be a ransomware-as-a-service operation at this time. Unlike many well-known ransomware groups, there are no indications that the developers use or recruit affiliates.

The group’s public leak site currently lists three victims. However, researchers have identified at least five affected organizations, suggesting that not all attacks are being made public. The researchers also see indications of a connection to an actor known as ROOTBOY, who is also active under the name avtokz. Definitive proof of this is still lacking.

Low ransom demand

One known victim is Standard Bank Group. The attacker demanded 1 bitcoin in ransom, but the bank refused to pay. That amount is approximately $107,000 and is significantly lower than the multi-million-dollar demands that major ransomware groups regularly make these days, reports BleepingComputer.

The malware employs various techniques to hinder investigation. For example, Prinz Eugen deletes itself after encryption completes and wipes the key material from memory.

Notably, the ransomware first checks whether an encrypted file can actually be decrypted before deleting the original. By doing so, the attackers reduce the risk of irreparable file damage.