
New Prinz Eugen ransomware prioritizes recent files for encryption

Why This Matters

The Prinz Eugen ransomware's focus on encrypting recent, active files and its use of legitimate tools for infiltration highlight evolving tactics that increase the threat's sophistication and impact. Its targeted approach emphasizes the need for organizations to strengthen defenses against such stealthy and strategic attacks, making cybersecurity vigilance more crucial than ever.

Key Takeaways

A new ransomware operation named ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system.

An investigation from Threatdown, Malwarebytes’ enterprise cybersecurity arm, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.

According to the researchers, initial access is likely achieved through stolen RDP credentials, followed by the manual download and execution of the main payload, ‘servertool.exe.’

In an investigated incident, the researchers observed the use of the RemotePC RMM tool and a backdoor administrator account that provided persistence.

Unlike many modern extortion operations, Prinz Eugen does not operate under the ransomware-as-a-service (RaaS) model, and its developers are not currently recruiting affiliates.


Currently, the threat actor's data leak site only lists three victims, each one showing that the hackers engage in data encryption, exfiltration, or both. However, the cybersecurity community is aware of more organizations impacted by Prinz Eugen ransomware.

Currently listed victims on the Prinz Eugen site

Source: BleepingComputer

Encryption strategy
