A new ransomware operation has been identified, focusing on encrypting recent files while leaving no ransom note behind. The investigation by Threatdown, Malwarebytes’ enterprise cybersecurity arm, revealed that the Prinz Eugen hackers employ a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.
Initial Access and Payload Execution
According to the researchers, initial access is likely achieved through stolen RDP credentials. The manual download and execution of the main payload, ‘servertool.exe,’ follows this step. In an investigated incident, the researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence.
Data Encryption and Exfiltration
Unlike many modern extortion operations, Prinz Eugen does not operate under the ransomware-as-a-service (RaaS) model. The threat actor’s data leak site only lists three victims, each one showing that the hackers engage in data encryption, exfiltration, or both. However, the cybersecurity community is aware of more organizations impacted by Prinz Eugen ransomware.
File Encryption Approach
An analysis of a Prinz Eugen attack revealed that the Go-based malware prioritizes the encryption of the most recently modified files. When multiple files share the same timestamp, they are processed in alphabetical order. This approach is intended to maximize the impact on victims by targeting files that are more likely to be business-critical and in active use.
Encryption Process and Key Handling
The analyzed sample checks directories recursively with no depth limit and no exclusions, and encrypts virtually every file except those with the .prinzeugen extension. The ransomware employs ChaCha20-Poly1305 encryption with a 32-byte master key, a random initialization vector for each file, and a key derivation function based on Argon2id, SHA-256, and HKDF-SHA256.
Absence of Ransom Note and Extortion Phase
The researchers noticed that when the malware uses the –delete flag to delete the original file after encrypting it, a check occurs to make sure that the file can be decrypted before removing it from the system. The absence of a ransom note is a tactic seen more often among organized ransomware groups, reducing forensic artifacts and complicating automated detection.
Indicators of Compromise and Detection
The researchers identified at least five Prinz Eugen victims, saying that in the case of the Standard Bank breach, the attacker demanded a ransom of 1 BTC and was refused. ThreatDown’s report provides a list of indicators of compromise to help both organizations and researchers analyze, detect, and defend against Prinz Eugen ransomware attacks.
Conclusion
The Prinz Eugen ransomware operation demonstrates a hands-on-keyboard approach with a focus on encrypting recent files and avoiding the use of ransom notes. The absence of a ransom note is a tactic to reduce forensic artifacts and complicate automated detection, making it essential for organizations to be aware of this new threat.
Source: Original article