Cybersecurity experts have observed a concerning trend in which ransomware attacks leverage malware created with an open-source tool called “Prince Ransomware.”
This Go-language builder was freely available on GitHub, significantly lowering the technical barrier for attackers to launch sophisticated ransomware campaigns.
The tool’s architecture enables even those with limited technical expertise to generate fully functional ransomware by simply modifying a configuration file to customize elements like ransom notes and encrypted file extensions.
Attack vectors vary by deployment, but in documented cases, attackers combined Prince-built ransomware with defense evasion techniques like “Bring Your Own Vulnerable Driver” (BYOVD) and lateral movement tools such as SharpGPOAbuse to maximize impact across networks.
This combination has proven particularly effective, allowing threat actors to disable security products and spread ransomware throughout organizational networks.
WithSecure Labs security analysts noted multiple instances of Prince Ransomware-based attacks, including a prominent case in February 2025, when Taiwan’s Mackay Memorial Hospital fell victim to “CrazyHunter” ransomware.
The initial infection vector was reportedly a USB device inserted into a hospital computer, leading to the encryption of over 600 devices across two branches, severely disrupting hospital operations and patient care.
Prince Ransomware
The researchers found that Prince Ransomware generates variants with minimally modified ransom notes, demonstrating how little customization is needed to deploy new ransomware strains.
The default ransom note template requires just simple text editing:
---------- Prince Ransomware ----------
Your files have been encrypted using Prince Ransomware!
They can only be decrypted by paying us a ransom in cryptocurrency.
Encrypted files have the .prince extension.
IMPORTANT: DO not modify or rename encrypted files, as they may become unrecoverable.
Contact us at the following email address to discuss payment.
[email protected]
---------- Prince Ransomware -------------

The encryption mechanism employed by Prince Ransomware demonstrates considerable sophistication. It utilizes a hybrid approach combining ChaCha20 and ECIES cryptography.
For each file, the builder generates a unique ChaCha20 key and nonce, then encrypts using a pattern where 1 byte is encrypted followed by 2 bytes left unencrypted.
The ChaCha20 key and nonce are encrypted using an ECIES public key and prepended to the file, making decryption without the private key extremely difficult.
This architecture represents a significant evolution in the ransomware threat landscape, enabling a new generation of cyber attackers to deploy sophisticated encryption capabilities with minimal technical knowledge.
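For detection, the 1-byte-encrypted, 2-bytes-plain pattern described above keeps whole-file entropy below the usual "encrypted file" thresholds, while one of the three byte phases is near-random. The Python below is an added example, not code from the article or from WithSecure; the thresholds, the 97-byte header length and the sample data are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def phase_entropies(data: bytes, stride: int = 3) -> list:
    """Entropy of the bytes found at each offset modulo `stride`."""
    return [shannon_entropy(data[p::stride]) for p in range(stride)]

def detect_intermittent(data: bytes, stride: int = 3, high: float = 7.5, gap: float = 1.5):
    """Return the phase that looks like ciphertext, or None.

    One phase must be near-random (>= high) and at least `gap` bits above the
    next one; that rules out fully random files (compressed or fully encrypted).
    Thresholds are assumptions for this example, not tuned values.
    """
    ent = phase_entropies(data, stride)
    ranked = sorted(range(stride), key=lambda p: ent[p], reverse=True)
    best, second = ranked[0], ranked[1]
    if ent[best] >= high and ent[best] - ent[second] >= gap:
        return best
    return None

def constructed_sample(plain: bytes, header_len: int, seed: int = 7) -> bytes:
    """Constructed test data: seeded random bytes stand in for ciphertext.

    Every third body byte is replaced, and `header_len` random bytes are put
    in front to stand in for the wrapped key material (length is an assumption).
    """
    rng = random.Random(seed)
    body = bytearray(plain)
    for i in range(0, len(body), 3):
        body[i] = rng.randrange(256)
    return bytes(rng.randrange(256) for _ in range(header_len)) + bytes(body)

PLAIN = b"Quarterly maintenance report for the imaging department. " * 600
SAMPLE = constructed_sample(PLAIN, header_len=97)

if __name__ == "__main__":
    print("whole-file entropy:", round(shannon_entropy(SAMPLE), 2))
    print("per-phase entropy: ", [round(e, 2) for e in phase_entropies(SAMPLE)])
    print("ciphertext phase:  ", detect_intermittent(SAMPLE))
```

Checking all three phases rather than only offset 0 means the check does not depend on knowing the length of the header that precedes the file body.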
The post Prince Ransomware – An Open Source Ransomware Builder That Automatically Build Ransomware Freely Available in GitHub appeared first on Cyber Security News.