Most ransomware wants to encrypt everything it can reach. Prinz Eugen has a more pointed idea: encrypt the files the victim is most likely to need right now.

In an incident investigated by ThreatDown, the new Go-based encryptor processed recently modified files before older ones. That means current project material, fresh exports, active OneDrive content, and recently saved databases can become unavailable before a responder has even finished deciding whether the incident is real.

TL;DR

  • ThreatDown analysed Prinz Eugen after investigating an infected customer on May 11, 2026.
  • The encryptor prioritises recently modified files, appends .prinzeugen, and leaves no ransom note on disk.
  • The observed intrusion included suspected RDP access, RemotePC abuse, PowerShell staging, and a newly created local administrator account.
  • Hunt behavior, not only the encrypted extension: interactive remote access followed by PowerShell, account creation, and rapid file-renaming is the useful detection sequence.

The operational trick is the file order

ThreatDown’s analysis found that Prinz Eugen walks the supplied directories recursively with no depth limit. The analysed sample had no configured exclusions; it sorted files by modification time, newest first, and broke ties alphabetically. ThreatDown’s technical report describes the rationale plainly: recently changed files are more likely to be operationally important and less likely to have a current backup.

That is not a cryptographic breakthrough. It is a pressure tactic. An organisation may still have a clean backup from last night, but losing today’s working documents, exports, mail archives, and shared-drive changes creates an immediate business problem. Recovery planning needs to account for that gap rather than treating a successful backup job as the end of the discussion.

The malware writes an encrypted temporary file, verifies that it can be decrypted, and only then removes the original when launched with --delete. Encrypted files receive the .prinzeugen extension. The reported sample used ChaCha20-Poly1305, a per-file random IV, and an Argon2id → SHA-256 → HKDF-SHA256 key-derivation chain. Those details matter to responders because a corrupt encryption run is not the failure mode to expect here.

No ransom note does not mean no extortion

The analysed binary does not contain functionality to drop a text or HTML ransom note. ThreatDown instead observed an operation consistent with out-of-band extortion: data theft, encryption, a leak site, and direct contact channels. The report links the campaign to activity against Standard Bank Group and Transitions Pro Centre Val de Loire, but victim and actor claims should still be treated as threat-intelligence reporting, not independent proof of every claimed data set.

ThreatDown assesses that the strongest attribution trail points to the handle ROOTBOY, with links to the aliases avtokz and GERMANIA. Its assessment is evidence-based but not a government attribution. The defensive conclusion does not depend on who typed the commands: an attacker who does not leave a note on the desktop can still have stolen data and a working communications channel elsewhere.

The intrusion path defenders should hunt

In the customer incident, ThreatDown suspected compromised RDP credentials as initial access. It then observed the actor use Chrome to download servertool.exe, invoke it with --delete against local and cloud-synchronised directories, abuse RemotePC to run PowerShell stagers, and create an administrator account named germania.

RDP with valid accounts maps directly to MITRE ATT&CK T1021.001. MITRE’s current detection guidance is particularly useful here: alert on an RDP logon followed soon afterwards by unusual process execution, file access, or lateral movement. New local accounts and PowerShell activity are not proof of this ransomware by themselves; combined with a new remote-management tool or file encryption, they are a high-priority incident.

Start with this sequence in your EDR or SIEM:

| Order | Signal to investigate | Why it matters |
|---|---|---|
| 1 | External or unusual RDP logon; new Remote Desktop Users membership | Possible hands-on access using a valid account |
| 2 | New local administrator account, especially outside change windows | Persistence and a recovery path after the original account is blocked |
| 3 | RemotePC spawning PowerShell or a browser downloading an executable | Legitimate remote-management software can become the delivery mechanism |
| 4 | servertool.exe, .prinzeugen, or CHV1 file headers | Direct family indicators from the analysed sample |
| 5 | Rapid creation of renamed files followed by deletion of originals | Encryption moving from a test directory to business data |
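As an added example, not ThreatDown's code or any vendor's detection rule: the Python below correlates the five-stage sequence above over constructed endpoint events (invented hosts, users and timestamps), treating logon type 10 as the RDP logon and an account-creation event as the Security Event ID 4720 signal from the action list. The RMM tool list, rename-burst threshold and time windows are assumptions to tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
RMM_PARENTS, SHELLS = {"remotepc.exe"}, {"powershell.exe", "cmd.exe"}   # assumption: extend RMM list
RENAME_BURST, BURST_WINDOW = 5, timedelta(seconds=60)   # assumed tuning: renames per minute
HUNT_WINDOW = timedelta(hours=2)          # later stages only count this long after the RDP logon
SAMPLE_EVENTS = [  # constructed telemetry: invented hosts, users and times, not real logs
    {"ts": "2026-05-11T02:01:10", "host": "FS01", "type": "logon", "logon_type": 10, "user": "helpdesk2"},
    {"ts": "2026-05-11T02:06:40", "host": "FS01", "type": "account_created", "user": "germania"},
    {"ts": "2026-05-11T02:09:05", "host": "FS01", "type": "process", "parent": "RemotePC.exe", "image": "powershell.exe"},
    {"ts": "2026-05-11T02:20:30", "host": "FS01", "type": "process", "parent": "powershell.exe", "image": "servertool.exe"},
    {"ts": "2026-05-11T09:15:00", "host": "WS07", "type": "logon", "logon_type": 10, "user": "alice"},
] + [  # eight renames to .prinzeugen on FS01 within 35 seconds
    {"ts": f"2026-05-11T02:21:{s:02d}", "host": "FS01", "type": "rename", "new_name": f"q2_report{s}.xlsx.prinzeugen"}
    for s in range(0, 40, 5)
]

def stages_for_host(events):
    """Sorted list of hunt stages (1-5) seen on one host after its first RDP logon (logon type 10)."""
    events = sorted(events, key=lambda e: e["ts"])        # ISO 8601 strings sort chronologically
    start = next((datetime.fromisoformat(e["ts"]) for e in events
                  if e["type"] == "logon" and e.get("logon_type") == 10), None)
    if start is None:
        return []
    seen, renames = {1}, []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if not start <= t <= start + HUNT_WINDOW:
            continue
        image, parent = e.get("image", "").lower(), e.get("parent", "").lower()
        encrypting = e["type"] == "rename" and e.get("new_name", "").lower().endswith(".prinzeugen")
        if e["type"] == "account_created":                    # Security Event ID 4720 equivalent
            seen.add(2)
        if e["type"] == "process" and parent in RMM_PARENTS and image in SHELLS:
            seen.add(3)
        if image == "servertool.exe" or encrypting:           # family indicators from the sample
            seen.add(4)
        if encrypting:
            renames.append(t)
            if len(renames) >= RENAME_BURST and renames[-1] - renames[-RENAME_BURST] <= BURST_WINDOW:
                seen.add(5)                                   # burst of renames = active encryption
    return sorted(seen)

def hunt(events):
    """Group events by host and rate each: stage 5 or three stages = 'high', two = 'review', else 'low'."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return {h: (s, "high" if 5 in s or len(s) >= 3 else "review" if len(s) == 2 else "low")
            for h, s in ((h, stages_for_host(evs)) for h, evs in by_host.items())}
```

Running `hunt(SAMPLE_EVENTS)` rates FS01 high with all five stages and WS07 low with only the logon, which is the triage split the table is meant to produce.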

ThreatDown also published network and host indicators, including the payload SHA-256 and infrastructure observed during its investigation. Use its IOC section as a time-bounded hunting lead, then validate hits with endpoint telemetry before blocking shared infrastructure.

What to change this week

  1. Remove public RDP exposure. If remote access is necessary, use a managed gateway or VPN, enforce phishing-resistant MFA, and restrict access to named admin workstations. MITRE specifically recommends MFA, segmentation, and avoiding internet-exposed RDP (see the T1021.001 mitigations).
  2. Review RemotePC and every other RMM tool as privileged software. Keep an owner, an approved-device list, and alerts for child processes such as PowerShell, cmd.exe, and unknown download utilities.
  3. Alert on local-account creation and administrator-group changes. In Windows environments, collect Security Event ID 4720 and local-group membership changes; investigate accounts without a ticket, owner, or expiry date.
  4. Test recovery for today’s data. Restore a recently modified shared folder into an isolated location and measure the real recovery point. Immutable backups are valuable, but they do not undo exfiltration or replace an unmonitored working day.
  5. Write the containment decision down now. Decide who can isolate endpoints, disable a suspicious account, revoke RMM access, and contact legal or incident-response support. During encryption is the wrong time to discover that those actions need three approvals.

Prinz Eugen is new, but the intrusion pattern is not exotic. Valid remote access, a trusted management tool, PowerShell, a backdoor account, and a targeted encryptor are enough. The useful response is not to wait for a perfect family signature; it is to make that sequence visible and interrupt it before the newest files become the first files gone.
