2026-06-20 BleepingComputer

Prinz Eugen Ransomware Targets Recent Files First in Go-Based Attack

Tags: Ransomware, Malware, Encryption

A newly identified ransomware operation dubbed ‘Prinz Eugen’ is turning heads in the cybersecurity community for an unusual encryption strategy: prioritizing recently modified files over older ones. Researchers at Threatdown, the enterprise arm of Malwarebytes, found that the Go-based malware recursively scans directories with no depth limit and no exclusions, then sorts targets by modification timestamp, processing files with identical timestamps in alphabetical order. The threat actors appear to deliberately target business-critical documents that are in active use, amplifying pressure on victims to pay.

The operation stands out for its hands-on-keyboard tradecraft. Investigators believe initial access is achieved through stolen RDP credentials, followed by the manual deployment of the main payload, ‘servertool.exe.’ Operators leverage legitimate remote monitoring and management (RMM) software, specifically the RemotePC tool, alongside a backdoor administrator account for persistence. Unlike most modern extortion groups, Prinz Eugen does not operate under a ransomware-as-a-service model and is not recruiting affiliates. Organizations concerned about exposed remote desktop services can audit their attack surface using a port scanner to identify open RDP endpoints, while employees should verify credential hygiene with a password checker to prevent reuse of compromised logins.
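The intrusion chain described above (an RDP logon with valid credentials, a new local administrator account for persistence, and manual execution of a payload named `servertool.exe`) leaves a recognisable trail in Windows Security event logs. The following hunt script is an added example written for this page; it is not from the BleepingComputer article or from Threatdown's research. The event records are constructed, and their field names are a simplified rendering of the standard Windows events 4624 (logon), 4720 (account created), 4732 (member added to local group) and 4688 (process creation); logon type 10 is RemoteInteractive, the type an RDP session produces.

```python
"""Hunt for the Prinz Eugen hands-on-keyboard pattern in Windows Security
events: an RDP (RemoteInteractive) logon, creation of an account that is then
added to Administrators, and execution of the reported payload name.

All events below are CONSTRUCTED for this example; field names are a
simplified form of the real 4624/4720/4732/4688 event data.
"""
from collections import defaultdict

# Payload file name reported in the article; assumption: operators keep it.
PAYLOAD_NAMES = {"servertool.exe"}
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "T02:11:04", "host": "FS01", "user": "svc_backup",
     "logon_type": RDP_LOGON_TYPE, "src_ip": "203.0.113.45"},
    {"id": 4720, "time": "T02:14:30", "host": "FS01", "user": "svc_backup",
     "target_user": "sysadm2"},
    {"id": 4732, "time": "T02:14:31", "host": "FS01", "user": "svc_backup",
     "target_user": "sysadm2", "group": "Administrators"},
    {"id": 4688, "time": "T02:20:12", "host": "FS01", "user": "svc_backup",
     "image": "C:\\Users\\Public\\servertool.exe"},
    # Benign activity on another host, for contrast.
    {"id": 4624, "time": "T09:00:00", "host": "WS07", "user": "alice",
     "logon_type": 2, "src_ip": "-"},
    {"id": 4688, "time": "T09:01:00", "host": "WS07", "user": "alice",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def hunt(events):
    """Return {host: [(indicator_kind, detail), ...]} for every matching event."""
    findings = defaultdict(list)
    for ev in events:
        host = ev["host"]
        if ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            findings[host].append(
                ("rdp_logon", f"{ev['user']} from {ev['src_ip']} at {ev['time']}"))
        elif ev["id"] == 4720:
            findings[host].append(
                ("account_created", f"{ev['target_user']} by {ev['user']}"))
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            findings[host].append(
                ("admin_added", f"{ev['target_user']} by {ev['user']}"))
        elif ev["id"] == 4688:
            image_name = ev["image"].rsplit("\\", 1)[-1].lower()
            if image_name in PAYLOAD_NAMES:
                findings[host].append(("payload_exec", ev["image"]))
    return dict(findings)


def chained_hosts(findings, min_kinds=3):
    """Hosts showing at least `min_kinds` distinct indicator kinds.

    A single RDP logon is routine; the combination of logon, new admin
    account and payload execution on one host is what merits escalation.
    """
    return sorted(
        host for host, rows in findings.items()
        if len({kind for kind, _ in rows}) >= min_kinds
    )


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host in chained_hosts(results):
        print(f"[!] {host}")
        for kind, detail in results[host]:
            print(f"    {kind}: {detail}")
```

Run against real exported event data, the same logic applies once the records are mapped to the field names used here; the threshold in `chained_hosts` keeps isolated RDP logons out of the alert while still flagging the full persistence-plus-payload sequence.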

Technically, the encryptor uses ChaCha20-Poly1305 with a 32-byte master key, a per-file random initialization vector, and a key derivation chain built on Argon2id, SHA-256, and HKDF-SHA256. Files are encrypted in 1 MB chunks with integrity verified via SHA-256 hashing. When the `--delete` flag is invoked, the malware confirms a file can be decrypted before securely wiping the original, then overwrites the encryption key with zeroes, forces garbage collection, and self-deletes from disk to frustrate forensic recovery. Encrypted files receive a .prinzeugen extension.
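For responders, the two file-level facts in that paragraph that matter immediately are the `.prinzeugen` extension and the conditional wiping of originals (only under `--delete`). The triage helper below is an added example for this page, not code from the article or from Threatdown; it walks a tree with no depth limit, mirroring the scan behaviour described, lists every ransom-extension file, checks whether the plaintext original still sits beside it, and uses byte entropy to separate genuine ciphertext from a file that was merely renamed. The fixture directory it builds is constructed for the demonstration, and the 7.0 bits/byte threshold is an assumption chosen for this example.

```python
"""Incident-triage helper for the file artefacts of a .prinzeugen encryption
run: inventory encrypted files, note whether originals survive (the article
says they are wiped only with '--delete'), and confirm by entropy that the
content is ciphertext and not a renamed plaintext file.

The directory tree built by build_fixture() is CONSTRUCTED for this example.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".prinzeugen"   # extension reported for Prinz Eugen
ENTROPY_THRESHOLD = 7.0      # assumption: bits/byte; random ciphertext is ~7.9+


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> list:
    """Walk `root` with no depth limit and report every ransom-extension file."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(RANSOM_EXT):
                continue
            enc_path = os.path.join(dirpath, name)
            original = os.path.join(dirpath, name[: -len(RANSOM_EXT)])
            with open(enc_path, "rb") as fh:
                head = fh.read(65536)   # first 64 KiB is enough to judge
            ent = shannon_entropy(head)
            report.append({
                "encrypted": enc_path,
                "original": original,
                "original_present": os.path.exists(original),
                "entropy": round(ent, 2),
                "looks_encrypted": ent >= ENTROPY_THRESHOLD,
            })
    return sorted(report, key=lambda r: r["encrypted"])


def build_fixture() -> str:
    """Create a constructed tree resembling a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="prinzeugen-triage-")
    os.makedirs(os.path.join(root, "finance", "2026"))
    # Encrypted file whose original was wiped ('--delete' behaviour).
    with open(os.path.join(root, "finance", "2026", "budget.xlsx" + RANSOM_EXT), "wb") as fh:
        fh.write(os.urandom(8192))
    # Encrypted file whose original is still present (no '--delete').
    with open(os.path.join(root, "finance", "memo.docx"), "wb") as fh:
        fh.write(b"Quarterly memo text. " * 200)
    with open(os.path.join(root, "finance", "memo.docx" + RANSOM_EXT), "wb") as fh:
        fh.write(os.urandom(8192))
    # Decoy: plaintext that was only renamed, which the entropy check rejects.
    with open(os.path.join(root, "renamed.txt" + RANSOM_EXT), "wb") as fh:
        fh.write(b"not actually encrypted\n" * 100)
    return root


if __name__ == "__main__":
    for row in triage(build_fixture()):
        print(row)
```

The `original_present` column is the quick way to tell which mode the operator used: originals still on disk mean recovery is a matter of deleting the ciphertext copies, while their absence means restoration has to come from backups.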

Prinz Eugen’s data leak site currently lists only three victims, though researchers note additional impacted organizations exist. Each entry shows the group engaging in data encryption, exfiltration, or both—blending traditional ransomware with double-extortion tactics. While the operation remains relatively small, its sophisticated encryption pipeline, careful operational security, and focus on high-value files make it a threat defenders should monitor closely.

Source: BleepingComputer
