PROBABLYPWNED
Malware | June 20, 2026 | 4 min read

Prinz Eugen Ransomware Targets Your Newest Files First

Prinz Eugen ransomware prioritizes recently modified files for encryption, maximizing business disruption. Learn how this Go-based threat works and who's at risk.

James Rivera

A new ransomware operation named Prinz Eugen has emerged with an encryption strategy designed to hit victims where it hurts most: their most recently modified files get encrypted first.

Security researchers at Threatdown, Malwarebytes' enterprise cybersecurity division, published an analysis this week detailing the group's tactics after investigating multiple intrusions. The approach ensures that documents, spreadsheets, and databases actively in use—the files employees touched that same day or week—become inaccessible before the victim even realizes an attack is underway.

How Prinz Eugen Operates

The threat actors gain initial access through stolen RDP credentials, a technique that remains one of the most common ransomware entry points despite years of warnings. Once inside, operators manually download and execute a payload named "servertool.exe" rather than relying on automated deployment.

Prinz Eugen employs a hands-on-keyboard approach throughout the attack chain. Operators use legitimate remote management software like RemotePC alongside living-off-the-land binaries already present on Windows systems. They establish persistence by creating backdoor administrator accounts, giving them a fallback if defenders detect and remove the primary payload.

The ransomware itself is written in Go and encrypts with ChaCha20-Poly1305 under a 32-byte master key. Each file gets a random nonce (the researchers describe it as an initialization vector), and per-file keys are derived from the master key through a chain of Argon2id, SHA-256 and HKDF-SHA256. Argon2id is memory-hard, so guessing whatever it stretches is deliberately expensive; with a random 256-bit master key, recovery without that key is infeasible in any case, so decryption hinges on obtaining the key rather than on any weakness in the cipher. Files are encrypted in 1MB chunks, each carrying a SHA-256 hash for integrity verification in addition to the authentication tag ChaCha20-Poly1305 already produces, and the malware appends the ".prinzeugen" extension to encrypted files.

What sets this variant apart from other ransomware families we've covered recently is its file prioritization logic. The malware sorts potential targets by modification timestamp, processing the newest files first. Files sharing identical timestamps get sorted alphabetically. This means the project you saved five minutes before the attack hits gets encrypted immediately, while that dusty archive from 2019 sits at the back of the queue.

No Ransom Note Left Behind

In another deliberate choice, Prinz Eugen drops no ransom note on infected systems. "The absence of a ransom note is a tactic among organized ransomware groups," researchers noted, explaining that this reduces forensic artifacts and forces victims to seek out the attackers' contact information independently.

Victims must reach the group through email at [email protected] or via their dark web portal. The initial ransom demand appears to be around 1 BTC, approximately $66,000 at current prices.

Known Victims

The group has claimed at least five victims since first appearing in February 2026, with three published on their leak site. Standard Bank Group, one of Africa's largest financial institutions, reportedly faced an attack in May where operators exfiltrated 1.2TB of data over three weeks. The bank refused to pay the ransom.

UK-based company Spratley's became another confirmed victim in a June 9 attack. The relatively small victim count suggests Prinz Eugen operates as a closed group without affiliate recruitment—a contrast to the ransomware-as-a-service model that dominates the ecosystem. While groups like Qilin claimed 15 victims in 72 hours last week, Prinz Eugen appears focused on selective, high-value targets.

Why This Matters

The file prioritization strategy reflects an understanding of how businesses actually operate. If ransomware encrypted files alphabetically or randomly, critical work from the past week might survive simply because it happened to be named "Quarterly_Report.xlsx" rather than "2026_Budget.xlsx." By targeting recent modifications, Prinz Eugen maximizes the odds that whatever the victim desperately needs—the presentation due tomorrow, the contract under review, the code pushed yesterday—becomes immediately inaccessible.

The group also takes cleanup seriously. After encryption completes, the malware overwrites its own encryption keys with zeroes and forces garbage collection to hinder recovery from memory. Zeroing a buffer in Go does not scrub copies the runtime or the cipher implementation may have made elsewhere, so this lowers the odds of carving the key out of a memory dump rather than eliminating them; capturing the process memory of a running servertool.exe is still worth doing if an infection is caught live. An optional "--delete" flag removes original files entirely after verification, though whether operators use it varies by attack, so establishing early whether it was used tells responders what may still be recoverable on disk.

Mitigation Recommendations

Organizations should assume that internet-exposed RDP will be targeted. Multi-factor authentication on every remote access path remains essential, as does alerting on the creation of new local accounts and on additions to the local Administrators group, the persistence mechanism Prinz Eugen relies on.
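The correlation a detection engineer would want for the backdoor-account behaviour described above, as an added example that is not code from the original article or from ThreatDown's report: Windows Security event 4720 (user account created) carries the new account's SID as TargetSid, and event 4732 (member added to a security-enabled local group) carries the member's SID as MemberSid and the group's SID as TargetSid, so the two can be joined on the SID. The line format and the sample log below are constructed and simplified for this example (one event per line, not the native EVTX layout); the field names are the ones the real events carry.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Well-known SID of BUILTIN\Administrators on every Windows host.
const localAdminsSID = "S-1-5-32-544"

// event is one parsed line of the constructed export used below.
type event struct {
	When   time.Time
	ID     string
	Fields map[string]string
}

// parseLine parses "RFC3339 timestamp|EventID|k=v;k=v", a constructed,
// simplified export format assumed for this example.
func parseLine(line string) (event, error) {
	parts := strings.SplitN(line, "|", 3)
	if len(parts) != 3 {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return event{}, err
	}
	ev := event{When: when, ID: parts[1], Fields: map[string]string{}}
	for _, kv := range strings.Split(parts[2], ";") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Fields[k] = v
		}
	}
	return ev, nil
}

// Alert describes one addition to the local Administrators group.
type Alert struct {
	When       time.Time
	MemberSid  string
	Actor      string // SubjectUserName of the 4732 event, i.e. who did it
	NewAccount bool   // member's 4720 creation fell within the window before the add
}

// DetectNewLocalAdmins joins 4720 and 4732 on the member SID and reports every
// addition to Administrators, flagging those whose account was created recently.
func DetectNewLocalAdmins(lines []string, window time.Duration) ([]Alert, error) {
	created := map[string]time.Time{} // TargetSid of 4720 -> creation time
	var alerts []Alert
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		switch ev.ID {
		case "4720":
			created[ev.Fields["TargetSid"]] = ev.When
		case "4732":
			if ev.Fields["TargetSid"] != localAdminsSID {
				continue // addition to some other local group
			}
			member := ev.Fields["MemberSid"]
			a := Alert{When: ev.When, MemberSid: member, Actor: ev.Fields["SubjectUserName"]}
			if t, ok := created[member]; ok {
				age := ev.When.Sub(t)
				a.NewAccount = age >= 0 && age <= window
			}
			alerts = append(alerts, a)
		}
	}
	return alerts, nil
}

// SampleLog is a constructed export: an RDP logon (4624, LogonType 10), then
// "support1" is created and added to Administrators a minute later; a
// long-standing account is also added for contrast.
var SampleLog = []string{
	"2026-06-09T02:14:05Z|4624|TargetUserName=helpdesk;LogonType=10",
	"2026-06-09T02:15:40Z|4720|TargetUserName=support1;TargetSid=S-1-5-21-1111-2222-3333-1105;SubjectUserName=helpdesk",
	"2026-06-09T02:16:12Z|4732|MemberSid=S-1-5-21-1111-2222-3333-1105;TargetUserName=Administrators;TargetSid=S-1-5-32-544;SubjectUserName=helpdesk",
	"2026-06-09T03:02:00Z|4732|MemberSid=S-1-5-21-1111-2222-3333-1004;TargetUserName=Administrators;TargetSid=S-1-5-32-544;SubjectUserName=itadmin",
}

func main() {
	alerts, err := DetectNewLocalAdmins(SampleLog, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s added to Administrators by %s (new account: %v)\n",
			a.When.Format(time.RFC3339), a.MemberSid, a.Actor, a.NewAccount)
	}
}
```

Both additions are worth an alert; the one whose member account did not exist a minute earlier is the one to page on. Joining on SID rather than on account name avoids misses when 4732 reports MemberName as "-" for local accounts, which it commonly does.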

Backup strategies should account for ransomware that prioritizes recent files. If your backup window runs nightly, files modified during the business day remain vulnerable to both encryption and data theft. Consider more frequent incremental backups for critical systems, stored offline or in immutable cloud storage that attackers cannot modify even with stolen credentials.
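To put a number on the gap between a nightly backup and the newest-first ordering described earlier, here is an added example, not code from the article or from the malware: it reproduces the prioritization rule the researchers describe (newest modification time first, alphabetical on ties) over a constructed file inventory and lists the files modified since the last backup in the order they would be hit. The inventory, paths and backup time are all invented for the example; a real run would fill FileRecord from a filesystem walk.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// FileRecord is the minimal view of a file this example needs. Constructed here;
// a real inventory tool would populate it from filepath.WalkDir.
type FileRecord struct {
	Path    string
	ModTime time.Time
}

// EncryptionOrder returns a copy of files sorted the way the report describes
// the targeting logic: newest modification time first, and alphabetical by
// path when timestamps are identical.
func EncryptionOrder(files []FileRecord) []FileRecord {
	out := make([]FileRecord, len(files))
	copy(out, files)
	sort.SliceStable(out, func(i, j int) bool {
		if !out[i].ModTime.Equal(out[j].ModTime) {
			return out[i].ModTime.After(out[j].ModTime)
		}
		return out[i].Path < out[j].Path
	})
	return out
}

// UnprotectedSince returns, in encryption order, the files modified after
// lastBackup: the set that has no backed-up copy and would be encrypted first.
func UnprotectedSince(files []FileRecord, lastBackup time.Time) []FileRecord {
	var exposed []FileRecord
	for _, f := range EncryptionOrder(files) {
		if f.ModTime.After(lastBackup) {
			exposed = append(exposed, f)
		}
	}
	return exposed
}

func main() {
	// Constructed inventory: nightly backup at 02:00 UTC, then a working day.
	backup := time.Date(2026, 6, 9, 2, 0, 0, 0, time.UTC)
	files := []FileRecord{
		{"C:/Shares/Finance/2026_Budget.xlsx", backup.Add(7 * time.Hour)},
		{"C:/Shares/Finance/Quarterly_Report.xlsx", backup.Add(7 * time.Hour)},
		{"C:/Shares/Legal/Contract_v3.docx", backup.Add(9 * time.Hour)},
		{"C:/Shares/Archive/2019_Audit.pdf", backup.Add(-500 * 24 * time.Hour)},
		{"C:/Shares/Sales/Pipeline.xlsx", backup.Add(-30 * time.Minute)},
	}
	exposed := UnprotectedSince(files, backup)
	fmt.Printf("%d files with no backed-up copy, in encryption order:\n", len(exposed))
	for _, f := range exposed {
		fmt.Printf("  %s  %s\n", f.ModTime.Format(time.RFC3339), f.Path)
	}
}
```

Run against a real share inventory and the last successful backup timestamp, the length of the returned list is the exposure a shorter backup interval would shrink, and its head is what the business would lose first.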

The absence of a ransom note should not delay incident response. If systems begin showing files with the ".prinzeugen" extension, encryption is already running regardless of whether an explicit demand has arrived, and the newest-first ordering means the most valuable files are the ones already gone.
