Two design choices inside the new Prinz Eugen ransomware quietly remove the two signals most security teams rely on to catch an encryption run in progress. It sorts files by modification time and shreds your newest data first. And it drops no ransom note at all. Neither decision is cosmetic. Together they push the moment you notice an attack later in the timeline, sometimes past the point where anything is left to save.
Researchers at Threatdown, the enterprise arm of Malwarebytes, documented the malware on June 20, 2026 after analyzing a live intrusion. The operators work hands-on-keyboard, run legitimate remote-management software, and have already hit at least five organizations. One of them, Standard Bank, was asked for a single Bitcoin and refused to pay.
What Prinz Eugen actually does
The encryptor is written in Go. It encrypts with ChaCha20-Poly1305 under a 32-byte master key, using a separate nonce (initialization vector) for every file, and derives its keys through a chain of Argon2id, SHA-256, and HKDF-SHA256. It processes files in one-megabyte chunks and appends a .prinzeugen extension. It recurses through every reachable directory without limiting depth or skipping file types, so almost everything on a mounted volume is in scope.
The selection order is the unusual part. Instead of marching through the filesystem alphabetically or by folder, it ranks files by their last-modified timestamp and encrypts the freshest first. When two files share a timestamp, it falls back to alphabetical order. Threatdown reads this as a pressure tactic: the files you touched today are the ones you most need back.
Initial access in the case they examined came from stolen Remote Desktop Protocol credentials. The operators dropped a payload named servertool.exe, installed the legitimate RemotePC remote-management tool, and created a backdoor administrator account for persistence. This is not a ransomware-as-a-service crew renting to affiliates. It is a closed operation running its own intrusions on Windows hosts. So far three victims appear on its leak portal, with more known to investigators.
Newest files first is a detection decision, not just pressure
Most teams that deploy canary files to catch ransomware seed them once and leave them alone. That is the whole point: an untouched trap file that suddenly changes is a high-confidence alarm. But a file seeded months ago and never opened carries an old modification timestamp. An encryptor that sorts by modification time reaches that stale canary near the end of its run, after it has already destroyed the data you actually use. The trap still fires. It just fires as a post-mortem.
The same ordering inverts your backup math. Recency-first encryption targets exactly the files with the worst recovery point objective: the ones changed since last night's job ran and not yet copied anywhere. Even a run that defenders interrupt halfway has, by design, already hit the least recoverable data first. Uniform nightly backups do not help here. The active datasets need a tighter cadence than the archive, because those are the files Prinz Eugen comes for first.
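To make the two consequences above concrete, here is a small simulation of the recency-first selection order (newest modification time first, alphabetical on ties) run over a constructed share. It is an added example written for this article, not code from the Prinz Eugen sample or from Threatdown; the file set, timestamps, backup time and canary path are all made up. It reports where a stale canary lands in the run, which files an interrupted run has already hit relative to the last backup, and, as a direct consequence of the ordering rule, what happens to the canary's position if its modification time is kept fresh.

```python
"""Simulate the recency-first selection order described above and measure what
it does to a stale canary file and to last night's backup.

Added example, not code from the Prinz Eugen sample or from Threatdown. The
sample filesystem, its timestamps and the backup time are constructed; the
ordering rule (newest modification time first, alphabetical on ties) is the
one the report describes.
"""
from datetime import datetime, timedelta

NOW = datetime(2026, 6, 20, 9, 0)          # constructed reference clock
LAST_BACKUP = NOW - timedelta(hours=9)     # nightly job finished at midnight

CANARY = "D:/canary/DO_NOT_TOUCH.docx"     # constructed trap file

# (path, last-modified time): a constructed share with hot, warm and archive data
FILES = [
    ("D:/shares/finance/q2_forecast.xlsx", NOW - timedelta(hours=2)),
    ("D:/shares/finance/ledger_2026.csv",  NOW - timedelta(hours=26)),
    ("D:/shares/hr/payroll_june.xlsx",     NOW - timedelta(hours=5)),
    ("D:/shares/hr/handbook_2021.pdf",     NOW - timedelta(days=900)),
    ("D:/shares/eng/design_v3.docx",       NOW - timedelta(hours=2)),   # same mtime as q2_forecast
    ("D:/shares/eng/build.log",            NOW - timedelta(minutes=30)),
    ("D:/shares/archive/2019_audit.zip",   NOW - timedelta(days=2400)),
    (CANARY,                               NOW - timedelta(days=180)),  # seeded six months ago, never touched
]


def encryption_order(files):
    """Newest mtime first; alphabetical path among equal mtimes.

    Two stable sorts: alphabetical first, then mtime descending, so the
    alphabetical order survives as the tie-break.
    """
    by_path = sorted(files, key=lambda f: f[0])
    return [p for p, _ in sorted(by_path, key=lambda f: f[1], reverse=True)]


def canary_position(files, canary):
    """1-based step at which the run reaches the canary."""
    return encryption_order(files).index(canary) + 1


def unrecoverable_after(files, last_backup, steps):
    """Files encrypted in the first `steps` steps that have no backup copy,
    i.e. were modified after the last backup completed."""
    mtime = dict(files)
    return [p for p in encryption_order(files)[:steps] if mtime[p] > last_backup]


def refreshed_canary_position(files, canary, touched_at):
    """Same run, but the canary's mtime was bumped at `touched_at`
    (what a scheduled touch of the trap file would do)."""
    refreshed = [(p, touched_at if p == canary else t) for p, t in files]
    return canary_position(refreshed, canary)


if __name__ == "__main__":
    for i, p in enumerate(encryption_order(FILES), 1):
        print(f"{i}. {p}")
    print("canary reached at step", canary_position(FILES, CANARY), "of", len(FILES))
    half = len(FILES) // 2
    print("unrecoverable after a run stopped at step", half, ":",
          unrecoverable_after(FILES, LAST_BACKUP, half))
    print("canary position if touched 10 minutes ago:",
          refreshed_canary_position(FILES, CANARY, NOW - timedelta(minutes=10)))
```

On this sample the six-month-old canary is reached at step 6 of 8, after every file that changed since the backup; a run stopped at the halfway point has already hit all four files with no backup copy and nothing else. The last function is the ordering rule turned around: a canary whose mtime is bumped on a schedule sorts to the front of the run instead of the back.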
The missing ransom note pushes your detection window earlier
A ransom note is the loudest signal in a ransomware incident, and it sits at the very end of the kill chain. Plenty of SOC playbooks still carry a backstop alert on note creation: a flood of identical text files, a changed wallpaper, a known note filename. Prinz Eugen writes none of that. The extortion happens out of band, by direct email or phone or through the leak portal, which keeps forensic artifacts down and means the loud late signal never arrives.
If the last alarm is gone, detection has to move upstream. The reliable signals for this intrusion sit earlier and are behavioral: a remote-management tool launching on a host that has never run one, a new local administrator account appearing outside a change window, a burst of file rewrites across a share in minutes, remote-desktop logons from an unfamiliar source. None of those depend on the malware announcing itself. This is the same lesson as with attackers who ship endpoint-defense evasion as a product: when the loud signal is gone, the quiet behavioral one is all you have.
That argues for provenance-based detection of remote-management tools, not presence-based. Most networks run such a tool legitimately, so "RemotePC is installed" is noise. "RemotePC started on a server that never had it, and a new admin account followed" is the signal. Suriq builds detection on Wazuh for this reason: file integrity monitoring catches the mass-rewrite burst, and Windows event collection catches the account creation, well before any portal message lands. We have written about that choice before.
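The provenance rule described above, as an added example written for this article rather than Suriq's or Wazuh's rule logic: a baseline of which executable has run on which host, an alert only when a remote-management tool starts somewhere it never has, and an escalation when a new local administrator (event 4720 followed by 4732 into Administrators) appears on the same host shortly after. The event stream, host names, the executable names in the RMM list and the 30-minute correlation window are assumptions for illustration; real Windows events carry many more fields than are modelled here.

```python
"""Provenance-based detection of remote-management tools, correlated with the
creation of a new local administrator, over a constructed stream of Windows
security events.

Added example, not Suriq's or Wazuh's rule logic. The event shapes, host
names, the RMM executable names and the correlation window are assumptions for
illustration; real 4688/4720/4732 events carry more fields than modelled here.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Executables treated as remote-management tooling (assumed names; extend per environment).
RMM_IMAGES = {"remotepc.exe", "anydesk.exe", "screenconnect.client.exe"}

# Event tuple: (timestamp, host, windows_event_id, fields)
#   4688 process creation:                       fields["image"] = full path of the new process
#   4720 user account created:                   fields["target"]
#   4732 member added to a local security group: fields["member"], fields["group"]
T0 = datetime(2026, 6, 19, 0, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed learning period: RemotePC is sanctioned on the helpdesk box only.
BASELINE_EVENTS = [
    (at(10), "helpdesk-01", 4688, {"image": r"C:\Program Files\RemotePC\RemotePC.exe"}),
    (at(11), "fs-01",       4688, {"image": r"C:\Windows\System32\svchost.exe"}),
    (at(12), "fs-01",       4688, {"image": r"C:\Windows\explorer.exe"}),
]

# Constructed live window the next morning.
LIVE_EVENTS = [
    (at(1440 + 480), "ws-22",       4720, {"target": "intern2"}),
    (at(1440 + 481), "ws-22",       4732, {"member": "intern2", "group": "Remote Desktop Users"}),
    (at(1440 + 542), "fs-01",       4688, {"image": r"C:\Program Files\RemotePC\RemotePC.exe"}),
    (at(1440 + 545), "fs-01",       4720, {"target": "svc_maint"}),
    (at(1440 + 546), "fs-01",       4732, {"member": "svc_maint", "group": "Administrators"}),
    (at(1440 + 550), "helpdesk-01", 4688, {"image": r"C:\Program Files\RemotePC\RemotePC.exe"}),
]


def image_name(path):
    """Lower-cased executable name from a Windows path, on any OS."""
    return ntpath.basename(path).lower()


def learn_baseline(events):
    """Which hosts each executable has been seen running on: the provenance baseline."""
    seen = defaultdict(set)
    for _, host, eid, fields in events:
        if eid == 4688:
            seen[image_name(fields["image"])].add(host)
    return seen


def detect(events, baseline, window=timedelta(minutes=30)):
    """Emit (ts, host, rule, detail) alerts. 'RMM present' is never an alert on
    its own; 'RMM started where it never ran' is, and it escalates when a new
    local administrator follows on the same host inside `window`."""
    alerts = []
    created = {}                    # (host, account) -> creation time
    rmm_starts = defaultdict(list)  # host -> times of unbaselined RMM starts
    for ts, host, eid, fields in sorted(events, key=lambda e: e[0]):
        if eid == 4688:
            image = image_name(fields["image"])
            if image in RMM_IMAGES and host not in baseline.get(image, set()):
                alerts.append((ts, host, "rmm_new_host", image))
                rmm_starts[host].append(ts)
        elif eid == 4720:
            created[(host, fields["target"].lower())] = ts
        elif eid == 4732 and fields["group"].lower() == "administrators":
            member = fields["member"].lower()
            born = created.get((host, member))
            if born is not None and ts - born <= window:
                alerts.append((ts, host, "new_local_admin", member))
                if any(ts - t <= window for t in rmm_starts[host]):
                    alerts.append((ts, host, "rmm_then_new_admin", member))
    return alerts


def run_demo():
    return detect(LIVE_EVENTS, learn_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for ts, host, rule, detail in run_demo():
        print(ts.isoformat(timespec="minutes"), host, rule, detail)
```

Run as written, the helpdesk host's RemotePC start and the workstation's new Remote Desktop Users member produce nothing, while the file server produces three alerts in order: the unbaselined RMM start, the new local administrator, and the correlated pair. The baseline is the part that needs care in production: learn it over a quiet period and review it, because a tool the attacker installed during the learning window becomes "sanctioned".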
What to do this week
- Close the Remote Desktop front door. This crew gets in with valid Remote Desktop credentials. Put it behind a VPN or gateway, require multi-factor authentication, and alert on logons from new geographies or impossible-travel pairs.
- Baseline your remote-management tools. Inventory which tool is sanctioned on which hosts, then alert when any of them starts somewhere it has never run. Treat RemotePC specifically as suspect on servers that have no business running it.
- Alert on new local administrators. Account creation and privilege changes outside a change window are the persistence step here. Wire Windows event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) into your alerting.
- Watch for mass file change, not for notes. A canary that sorts to the end will not save you. Detect the behavior: a single process rewriting hundreds of files across a share in a short window.
- Tighten backups on hot data. Recency-first encryption punishes long backup intervals on active files. Shorten the cadence on the datasets that change daily, and test that you can actually restore them.
- Give extortion a non-technical intake. The first contact may be an email or call to a finance or legal contact, not a SOC ticket. Make sure that path routes to incident response fast.
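The "watch for mass file change" item above, as an added example written for this article rather than Suriq's or Wazuh's file-integrity rule: a sliding-window count of distinct files rewritten by one process on one host, which fires on the burst itself and never looks at a ransom note or a file extension. The event stream is constructed; servertool.exe, the payload name from the case above, is used only as a label for the rewriting process, and the 60-second window and 100-file threshold are assumptions to tune per share.

```python
"""Detect the mass-rewrite burst of an encryption run from file-change events,
with no dependence on a ransom note or a known extension.

Added example, not Suriq's or Wazuh's FIM rule. The event stream is
constructed: one process rewrites a share at a few files per second while
ordinary applications save a handful of files. Window and threshold are
assumptions to tune per environment.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 100   # distinct files rewritten by one process inside WINDOW (assumption)

T0 = datetime(2026, 6, 20, 9, 12, 0)   # constructed start of the encryption run


def constructed_events(include_attack=True):
    """(timestamp, host, process, path) file-modification records, all constructed."""
    events = []
    # Benign background: Word saving a few documents over ten minutes.
    for i in range(5):
        events.append((T0 - timedelta(minutes=10 - 2 * i), "fs-01", "winword.exe",
                       rf"D:\shares\finance\report_{i}.docx"))
    # Benign: a user copying 30 photos into one folder within a minute.
    for i in range(30):
        events.append((T0 - timedelta(minutes=5, seconds=-i), "fs-01", "explorer.exe",
                       rf"D:\shares\eng\photos\img_{i:03}.jpg"))
    if include_attack:
        # Encryption run: 500 files across four directories at 4 files per second.
        dirs = [r"D:\shares\finance", r"D:\shares\hr", r"D:\shares\eng", r"D:\shares\archive"]
        for i in range(500):
            events.append((T0 + timedelta(milliseconds=250 * i), "fs-01", "servertool.exe",
                           rf"{dirs[i % len(dirs)]}\file_{i:04}.xlsx"))
    return events


def first_burst(events, window=WINDOW, threshold=THRESHOLD):
    """First moment a single process crossed `threshold` distinct rewritten paths
    inside `window`. Returns (ts, host, process, files, directories) or None."""
    recent = defaultdict(deque)   # (host, process) -> (ts, path) pairs inside the window
    for ts, host, proc, path in sorted(events, key=lambda e: e[0]):
        q = recent[(host, proc)]
        q.append((ts, path))
        while ts - q[0][0] > window:      # expire records older than the window
            q.popleft()
        paths = {p for _, p in q}
        if len(paths) >= threshold:
            dirs = {ntpath.dirname(p) for p in paths}
            return ts, host, proc, len(paths), len(dirs)
    return None


def time_to_detect(events):
    """Seconds between the flagged process's first rewrite and the alert: the data
    already gone before anyone is paged, and under recency-first ordering the newest data."""
    hit = first_burst(events)
    if hit is None:
        return None
    ts, host, proc, _, _ = hit
    first = min(t for t, h, p, _ in events if h == host and p == proc)
    return (ts - first).total_seconds()


if __name__ == "__main__":
    hit = first_burst(constructed_events())
    print("alert:", hit)
    print("seconds of encryption before the alert:", time_to_detect(constructed_events()))
    print("benign-only stream:", first_burst(constructed_events(include_attack=False)))
```

On the constructed stream the benign saves and the 30-file copy stay under the threshold, and the rewriting process is flagged at its 100th distinct file, about 25 seconds and four directories into the run. That latency is the trade-off built into any burst rule: the threshold files are already encrypted when the alert lands, and under recency-first ordering they are the files that changed most recently, which is why the backup item sits next to this one.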
Prinz Eugen is not technically exotic. The cryptography is standard, the way in is mundane, as INC ransomware showed, and the tooling is bought off the shelf. What makes it worth your attention is that two small design choices were made specifically to blunt the way defenders watch for ransomware. Expect other crews to copy both. The teams that move their detection off the ransom note and onto the behavior will be the ones that notice in time.