TL;DRAI

Prinz Eugen ransomware prioritizes recently modified files, bypasses RDP security with legitimate RMM tools, and avoids ransom notes to evade detection. Operating outside the RaaS model with targeted, hands-on attacks, it forces enterprises to strengthen RDP controls and behavioral monitoring.

A new ransomware operation named ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system.

An investigation from Threatdown, Malwarebytes’ enterprise cybersecurity arm, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.

According to the researchers, initial access is likely achieved through stolen RDP credentials, followed by the manual download and execution of the main payload, ‘servertool.exe.’

In an investigated incident, the researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence.

Unlike many modern extortion operations, Prinz Eugen does not operate under the ransomware-as-a-service (RaaS) model, and its developers are not currently recruiting affiliates.

bleepingcomputer.com

New Prinz Eugen ransomware prioritizes recent files for encryption

A new ransomware operation named 'Prinz Eugen' prioritizes recently modified files for encryption and leaves no ransom note on the system.

sabato 20 giugno 2026 New tab

TL;DRAI

608 words~3 min read

A new ransomware operation named ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system.

According to the researchers, initial access is likely achieved through stolen RDP credentials, followed by the manual download and execution of the main payload, ‘servertool.exe.’

In an investigated incident, the researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence.

Unlike many modern extortion operations, Prinz Eugen does not operate under the ransomware-as-a-service (RaaS) model, and its developers are not currently recruiting affiliates.

New Prinz Eugen ransomware prioritizes recent files for encryption

New Prinz Eugen ransomware prioritizes recent files for encryption

Other newsrooms on this story

Related reading

New Ransomware Threat - Industry4o.com

The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

Gentlemen ransomware uses multiple EDR killers to disable defenses

Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

Cosa e quali sono i principali ransomware, e come difendersi - Cybersecurity360

New 'Mistic' RAT Opens Door to Several Ransomware Families

Other newsrooms on this story

Related reading

New Ransomware Threat - Industry4o.com

The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

Gentlemen ransomware uses multiple EDR killers to disable defenses

Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

Cosa e quali sono i principali ransomware, e come difendersi - Cybersecurity360

New 'Mistic' RAT Opens Door to Several Ransomware Families