New Prinz Eugen ransomware breaches organizations via stolen RDP credentials
Researchers at ThreatDown have detailed a new ransomware operation called Prinz Eugen that breaks from convention in two ways: it prioritizes recently modified files for encryption, hitting the data victims most likely still need, and it leaves no ransom note on the system. The operators break in manually using stolen RDP credentials, deploy remote management tools, steal data for double extortion, and encrypt with a modern cipher combination. At least five victims have been identified, including South Africa's Standard Bank, where the attacker demanded one bitcoin and was refused. The lack of a ransom note can delay detection and complicate incident response.
- Check: Review internet-exposed RDP and remote-access services for weak or reused credentials and missing MFA, and check for unauthorized remote management tools and unexpected encryption of recently modified files.
- Affected: Organizations exposing RDP or remote access with weak authentication; Prinz Eugen has hit at least five victims so far, including financial institutions, entering through stolen RDP credentials and hands-on intrusion.
- Fix: Require phishing-resistant MFA on all remote access, restrict and monitor RDP, control remote management tools through allowlisting, segment networks, and keep tested offline backups to recover without paying.