Prinz Eugen Ransomware Silently Encrypts Critical Business Files Without Ransom Notes
A newly discovered ransomware operation called Prinz Eugen is taking an unusual approach to file encryption, according to new research from Malwarebytes’ ThreatDown team.
Unlike many ransomware families that leave ransom notes and immediately announce their presence, Prinz Eugen focuses on silently encrypting recently modified files, likely to maximize disruption by targeting the most valuable and actively used business data.
Prinz Eugen targets recently modified files
ThreatDown researchers say Prinz Eugen appears to prioritize files that organizations are currently working with rather than encrypting data indiscriminately. This strategy can increase operational damage because recently modified files often contain active projects, financial records, and other business-critical information.
The ransomware appends the “.prinzeugen” extension to encrypted files and uses strong encryption methods. Researchers found that the malware verifies that each file can be decrypted before removing the original copy, helping ensure victims cannot easily recover their data without the attackers’ involvement.
Attackers appear to operate manually
According to the report, Prinz Eugen does not appear to function as a typical ransomware-as-a-service (RaaS) platform. Researchers found no evidence that the operators are recruiting affiliates or offering the malware to other cybercriminals.
Instead, the group seems to rely on a hands-on-keyboard approach, where attackers manually control significant portions of the intrusion. Initial access is believed to occur through compromised Remote Desktop Protocol (RDP) credentials.
In one investigated incident, the attackers deployed RemotePC remote management software and created a hidden administrator account to maintain access to the compromised network.
No ransom note, no wallpaper changes
One of the most unusual aspects of Prinz Eugen is what it does not do.
The ransomware does not drop a ransom note and does not replace the victim’s desktop wallpaper, two tactics commonly used by ransomware groups to announce an attack and provide payment instructions.
Researchers believe this may be intentional. By avoiding traditional ransom notes, the attackers leave behind fewer forensic artifacts and reduce the chances that automated security tools will immediately identify the attack as ransomware.
Instead, victims may receive extortion demands through direct emails, phone calls, or dedicated dark web communication portals.
Malware attempts to remove evidence
The ransomware is written in the Go programming language and recursively scans directories without major exclusions or depth limitations.
After completing encryption, Prinz Eugen attempts to cover its tracks. Researchers observed the malware wiping encryption keys from memory and deleting its own executable from disk, making forensic investigations more difficult.
The group’s public leak site currently lists only three victims. However, ThreatDown believes the actual number is likely higher.
Researchers identified at least five affected organizations, including Standard Bank. In that case, the attackers reportedly demanded 1 Bitcoin as ransom, but the payment request was refused.
Indicators of compromise published
To help organizations defend against the threat, ThreatDown has released indicators of compromise (IOCs) and technical details that security teams can use to detect Prinz Eugen activity within their environments.
The researchers recommend monitoring for suspicious RDP activity, unauthorized administrator account creation, unexpected remote management software installations, and files carrying the “.prinzeugen” extension.
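As an added example (not from the Windows Report article or the ThreatDown report), the script below applies those four recommended checks to constructed sample data: it recursively lists files carrying the “.prinzeugen” extension, newest first, and it flags RDP logons, new local accounts, additions to the Administrators group, and launches of the RemotePC executable in a simplified key=value export of Windows Security events. The Windows event IDs used (4624, 4720, 4732, 4688) are real; the log line format, the sample events, the directory tree and the names in them are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# File extension reported by ThreatDown for Prinz Eugen.
SUSPECT_EXTENSION = ".prinzeugen"

# Real Windows Security event IDs. The key=value line format below is a
# constructed, simplified export used only for this example.
EVENT_LOGON = "4624"             # LogonType=10 means RemoteInteractive (RDP)
EVENT_USER_CREATED = "4720"
EVENT_GROUP_MEMBER_ADDED = "4732"
EVENT_PROCESS_CREATED = "4688"

# RemotePC is the remote management tool named in the report.
RMM_PROCESS_NAMES = {"remotepc.exe"}

# Constructed sample events (names, IPs and timestamps are made up).
SAMPLE_LOG = r"""
2024-01-01T01:00:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2024-01-01T01:02:00Z EventID=4720 TargetUserName=backup_adm SubjectUserName=jsmith
2024-01-01T01:02:10Z EventID=4732 TargetUserName=backup_adm GroupName=Administrators
2024-01-01T01:05:00Z EventID=4688 NewProcessName=C:\Users\jsmith\Downloads\RemotePC.exe
2024-01-01T02:00:00Z EventID=4624 LogonType=2 TargetUserName=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict of fields, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["id"] = m.group("id")
    return fields


def triage_events(log_text):
    """Return (rule, timestamp, subject, detail) tuples for the events the
    report recommends watching: RDP logons, account creation, additions to
    Administrators and RMM tool launches."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        eid = ev["id"]
        if eid == EVENT_LOGON and ev.get("LogonType") == "10":
            findings.append(("rdp_logon", ev["ts"], ev.get("TargetUserName"), ev.get("IpAddress")))
        elif eid == EVENT_USER_CREATED:
            findings.append(("account_created", ev["ts"], ev.get("TargetUserName"), ev.get("SubjectUserName")))
        elif eid == EVENT_GROUP_MEMBER_ADDED and ev.get("GroupName") == "Administrators":
            findings.append(("added_to_admins", ev["ts"], ev.get("TargetUserName"), ev.get("GroupName")))
        elif eid == EVENT_PROCESS_CREATED:
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe in RMM_PROCESS_NAMES:
                findings.append(("rmm_launch", ev["ts"], exe, ev.get("NewProcessName")))
    return findings


def find_encrypted_files(root):
    """Recursively list files with the reported extension, most recently
    modified first, mirroring the malware's own depth-unlimited scan."""
    hits = [p for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() == SUSPECT_EXTENSION]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


def build_sample_tree():
    """Create a throw-away directory with constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="prinz_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.prinzeugen").write_bytes(b"\x00" * 16)
    (root / "finance" / "notes.txt").write_text("untouched")
    (root / "projects" / "deep" / "deeper").mkdir(parents=True)
    (root / "projects" / "deep" / "deeper" / "plan.docx.prinzeugen").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_LOG):
        print("EVENT", *finding)
    for path in find_encrypted_files(build_sample_tree()):
        print("FILE ", path)
```

On a real host the file check would be pointed at the data shares and the event check at an actual Security log export, but the ordering of findings in the sample output already shows the sequence the report describes: an RDP logon, followed by a new account being created and added to Administrators, followed by the remote management tool starting.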
The discovery comes amid a busy period for cybersecurity incidents. Recently, Nintendo reportedly dealt with a ransomware-related attack, researchers warned that Wallpaper Engine is being abused to distribute malware, and Microsoft continues working on mitigations for the RougePlanet exploit.
Via BleepingComputer