New Prinz Eugen ransomware prioritizes recent files for encryption

BleepingComputer, 20/06/2026, 15:23

Summary

AI-Generated

Key Points:

  • Prinz Eugen ransomware targets recently modified files for encryption. It uses stolen RDP credentials for initial access and legitimate remote monitoring tools for execution.
  • The impact includes potential data loss and operational disruption, as the ransomware encrypts critical business files without leaving a ransom note, complicating recovery efforts.
  • Recommended actions include implementing strong RDP credential policies, monitoring for unusual RMM tool usage, and enhancing detection capabilities to identify unauthorized file encryption activities.

Technical Details: Prinz Eugen employs ChaCha20-Poly1305 encryption with a unique key derivation function and checks file integrity using SHA-256. The malware deletes original files after encryption, first ensuring that they can be decrypted.

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Initial Access)
  • T1021.001 - Remote Services: Remote Desktop Protocol (Initial Access)
  • T1486 - Data Encrypted for Impact (Impact)

IOCs Mentioned:

  • None mentioned
