The new Prinz Eugen ransomware prioritizes recent files for encryption

A new ransomware operation called ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system.
An investigation by ThreatDown, Malwarebytes’ corporate cybersecurity arm, found that the Prinz Eugen operators work in a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and off-the-shelf tools.
According to the researchers, initial access is most likely gained through compromised RDP credentials, followed by a manual download and execution of the main executable, ‘servertool.exe.’

In the case investigated, the researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence.
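The intrusion pattern described above (an RDP logon with stolen credentials, then a new local administrator account for persistence) leaves a recognisable trail in the Windows Security log. The detector below is an added example, not code from the article or from ThreatDown: it correlates real Windows Security event IDs 4624 (logon, with LogonType 10 meaning RDP), 4720 (user account created) and 4732 (member added to a security-enabled local group) over a constructed sample of JSON-formatted events, and raises an alert when the RDP user creates an account and adds it to Administrators within an hour. The field names, hostnames, usernames and IP addresses in the sample are constructed for this example.

```python
"""Correlate Windows Security events that match the Prinz Eugen intrusion pattern:
an RDP logon followed by the creation of a backdoor local administrator account.
Event IDs 4624, 4720 and 4732 are real Windows Security log event IDs; the sample
records below are constructed for this example (field names are an assumption about
how a SIEM forwarder would flatten the events)."""
from datetime import datetime, timedelta
import json

# Constructed sample: one JSON object per line, only the fields the detector uses.
SAMPLE_EVENTS = """\
{"time": "2024-05-01T02:11:05", "id": 4624, "host": "FS01", "user": "jsmith", "logon_type": 10, "src_ip": "203.0.113.7"}
{"time": "2024-05-01T02:14:40", "id": 4720, "host": "FS01", "subject": "jsmith", "target": "svc_backup"}
{"time": "2024-05-01T02:15:02", "id": 4732, "host": "FS01", "subject": "jsmith", "member": "svc_backup", "group": "Administrators"}
{"time": "2024-05-01T09:00:00", "id": 4624, "host": "WS12", "user": "alice", "logon_type": 2, "src_ip": "-"}
{"time": "2024-05-01T09:05:00", "id": 4720, "host": "WS12", "subject": "alice", "target": "intern01"}
"""

RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive (RDP)
WINDOW = timedelta(hours=1)  # account changes this soon after an RDP logon are suspicious


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time' field, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_backdoor_admin_after_rdp(events):
    """Return one alert per RDP logon after which the same user, on the same host and
    within WINDOW, created a new account and added it to the Administrators group."""
    alerts = []
    rdp_logons = [e for e in events
                  if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE]
    for logon in rdp_logons:
        deadline = logon["time"] + WINDOW
        created = set()  # accounts this RDP session created so far
        for ev in events:
            if ev["host"] != logon["host"] or not (logon["time"] <= ev["time"] <= deadline):
                continue
            if ev["id"] == 4720 and ev["subject"] == logon["user"]:
                created.add(ev["target"])
            elif (ev["id"] == 4732 and ev["subject"] == logon["user"]
                  and ev["group"] == "Administrators" and ev["member"] in created):
                alerts.append({
                    "host": logon["host"],
                    "rdp_user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "new_admin": ev["member"],
                    "elapsed": ev["time"] - logon["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_backdoor_admin_after_rdp(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The WS12 events do not fire because the logon is interactive (type 2), not RDP; in a real deployment the interesting tuning knobs are the window length and whether to also flag RDP logons from addresses outside the organisation's known ranges.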
Unlike many modern ransomware operations, Prinz Eugen does not operate under a ransomware-as-a-service (RaaS) model, or at least its developers are not currently recruiting affiliates.
Currently, the threat actor’s data leak site lists only three victims, each entry indicating whether the attackers carried out data encryption, exfiltration, or both. However, the cybersecurity community is aware of many organizations affected by the Prinz Eugen ransomware.

Source: BleepingComputer
Encryption strategy
Analysis of the Prinz Eugen attack revealed that the Go-based malware prioritizes the encryption of recently modified files. If multiple files share the same timestamp, they are processed in alphabetical order.
ThreatDown researchers believe this ordering is intended to maximize the impact on victims by hitting first the files most likely to be important to the business and in active use, increasing the pressure to pay the ransom.
The analyzed sample recursively scans directories with no depth limit and no exclusions, and encrypts almost every file except those already carrying the .prinzeugen extension, which Prinz Eugen appends to encrypted files.

Source: Malwarebytes
The ransomware uses ChaCha20-Poly1305 encryption with a 32-byte master key, a random nonce (initialization vector) for each file, and a key derivation function built on Argon2id, SHA-256, and HKDF-SHA256.
Encryption is performed in 1 MB chunks, and file integrity is verified using a SHA-256 hash.

Source: Malwarebytes
The researchers noted that when the malware is run with the --delete flag to remove the original file after encrypting it, it first verifies that the encrypted copy can be decrypted before deleting the original from the system.
To prevent the encryption key from being recovered, the Prinz Eugen ransomware zeroes it out in memory, forces garbage collection to purge it, and then deletes itself from disk.
Analysis of the encryptor revealed no functionality for dropping a text ransom note or changing the desktop wallpaper. ThreatDown researchers say the absence of a ransom note “is a tactic we see frequently among organized ransomware groups.”
This is often done to reduce the forensic trail and make it harder for the malicious activity to be detected automatically.
“By moving the ransom communication completely out-of-band (via direct email, phone contact, or dark web victim sites), the actor reduces artifacts and makes it difficult to automatically detect the extortion phase,” the researchers said.
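Because this encryptor drops no ransom note, a detection rule that waits for a note file or a wallpaper change never fires; what remains observable is the encryption itself, described in the section above: a recursive sweep that writes files carrying the .prinzeugen extension at machine speed. The burst detector below is an added example, not code from the article or from ThreatDown. It reads file-creation events (such as Sysmon Event ID 11, FileCreate) in a constructed one-line-per-event format, and alerts when one process on one host has produced a threshold number of .prinzeugen files inside a sliding window. The log format, hostnames and paths are constructed for this example; the extension and the servertool.exe name are the ones the article reports.

```python
"""Sliding-window burst detector for Prinz Eugen-style mass encryption.
Keys on the .prinzeugen extension (reported by ThreatDown) rather than on a ransom
note, since none is dropped.  Log format is constructed for this example:
'<ISO time> <host> <image path> <created file path>', with no spaces in paths."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".prinzeugen"    # extension appended to encrypted files
WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 5                    # hits inside one window before alerting (tuned low for the sample)

# Constructed sample: one benign backup write, a burst from servertool.exe, one user file.
SAMPLE_LOG = """\
2024-05-01T02:30:00 FS01 C:\\Windows\\System32\\backup.exe D:\\Backups\\nightly.bak
2024-05-01T02:31:00 FS01 C:\\Temp\\servertool.exe D:\\Finance\\q2_forecast.xlsx.prinzeugen
2024-05-01T02:31:01 FS01 C:\\Temp\\servertool.exe D:\\Finance\\payroll_may.xlsx.prinzeugen
2024-05-01T02:31:02 FS01 C:\\Temp\\servertool.exe D:\\Finance\\board_deck.pptx.prinzeugen
2024-05-01T02:31:03 FS01 C:\\Temp\\servertool.exe D:\\HR\\contracts.docx.prinzeugen
2024-05-01T02:31:04 FS01 C:\\Temp\\servertool.exe D:\\HR\\handbook.pdf.prinzeugen
2024-05-01T02:31:05 FS01 C:\\Temp\\servertool.exe D:\\HR\\org_chart.vsdx.prinzeugen
2024-05-01T02:45:00 FS01 C:\\Windows\\explorer.exe C:\\Users\\alice\\notes.txt
"""


def parse_line(line):
    """Split one constructed log line into (datetime, host, image, path)."""
    ts, host, image, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, image, path


def detect_encryption_bursts(log_text):
    """Return one alert per (host, image) the first time the number of newly created
    ENCRYPTED_EXT files within WINDOW reaches THRESHOLD."""
    recent = defaultdict(deque)  # (host, image) -> timestamps of recent hits
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, image, path = parse_line(line)
        if not path.lower().endswith(ENCRYPTED_EXT):
            continue
        key = (host, image)
        hits = recent[key]
        hits.append(ts)
        # drop hits that have slid out of the window
        while hits and ts - hits[0] > WINDOW:
            hits.popleft()
        if len(hits) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": host,
                "image": image,
                "count": len(hits),
                "first_seen": hits[0],
                "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_LOG):
        print(alert)
```

A single-extension rule is easy to evade by changing the extension, so in production the same sliding-window logic is usually keyed on any rename or create that turns a known document type into an unknown extension, with the threshold set from the host's normal write rate.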
Researchers have identified at least five victims of Prinz Eugen, saying that in the case of the Standard Bank breach, the attacker demanded a ransom of 1 BTC and was refused.
The ThreatDown report provides a list of indicators of compromise to help organizations and researchers analyze, detect, and protect against Prinz Eugen ransomware attacks.
