Meow Ransomware Evolves into Data Extortion

Threat Details and Score
Threat Group: Meow, also known as MeowCorp and MeowLeaks, a ransomware group derived from NB65 (itself based on Conti v2's leaked source code).
Threat Type: Ransomware/Data Extortion.
Exploited Vulnerabilities: Weak RDP configurations, phishing campaigns, compromised software (e.g., VMware and Jenkins), deceptive downloads, botnets, malvertising, web injections, fake updates, and infected installers.
Malware Used: Meow ransomware with ChaCha20 and RSA-4096 encryption algorithms, though recent attacks are more focused on data theft without encryption.
Threat Score: High (7.5/10) due to persistent targeting of sensitive industries (healthcare, education) and the shift towards selling stolen data rather than traditional encryption-based extortion.
Last Threat Observation: Active as of September 2024, with at least nine victims reported so far this year.


Overview

The Meow ransomware group, first identified in August 2022, continues to pose a significant threat in 2024 despite changes in tactics. Initially leveraging encryption-based ransomware, the group has shifted towards data extortion without encryption in its latest campaigns. Meow ransomware’s lineage traces back to Conti v2, and it employs the ChaCha20 and RSA-4096 encryption algorithms. Early operations saw victims paying ransoms to decrypt files, but recent activity has moved towards selling stolen data, primarily targeting sectors like healthcare and education.


Key Details:

  • Active Years: August 2022 - Present (resurgence in 2024).
  • Encryption Algorithms: ChaCha20 and RSA-4096 used in earlier strains.
  • Ransom Note: Titled “readme.txt” with repeated “MEOW! MEOW! MEOW!” phrases.
  • Victims: The group has primarily targeted organisations in the U.S., with recent victims including healthcare and educational institutions.
  • Shift in Tactics: The group now often sells stolen data instead of using encryption, with prices ranging from $2,999 to $60,000.

Attack Vectors:

  • Email Phishing: Malicious attachments and links.
  • Unprotected RDP: Exploiting weak remote desktop configurations.
  • Compromised Software: Use of vulnerabilities in unpatched systems (e.g., VMware, Jenkins).

Known Indicators of Compromise (IoCs):

  • File Extensions: Encrypted files use the .MEOW extension.
  • Ransom Note: “readme.txt” included in the attack.
  • URLs (Onion) (Defanged):
    • hxxp://meow6xanhzfci2gbkn3lmbqq7xjjufskkdfocqdngt3ltvzgqpsg5mid[.]onion/
    • hxxp://totos7fquprkecvcsl2jwy72v32glgkp2ejeqlnx5ynnxvbebgnletqd[.]onion
  • Sample File Hashes:
    • SHA-256:
      • fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9
      • 7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f
      • b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
    • MD5:
      • 8f154ca4a8ee50dc448181afbc95cfd7
      • 4dd2b61e0ccf633e008359ad989de2ed
      • 3eff7826b6eea73b0206f11d08073a68
      • 1d70020ddf6f29638b22887947dd5b9c
      • 033acf3b0f699a39becdc71d3e2dddcc
      • 0bbb9b0d573a9c6027ca7e0b1f5478bf
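The indicators above are only useful if they are actually checked against hosts. The following is an added example (not code from the advisory or its sources) of a host-side sweep that walks a directory tree and reports the three indicator types listed: files carrying the .MEOW extension, ransom notes named readme.txt containing the "MEOW! MEOW! MEOW!" phrase, and files whose SHA-256 or MD5 matches the published sample hashes. The sample directory it scans is constructed inline so the script runs offline; `build_sample_tree`, `sweep` and the `Finding` record are names chosen for this example.

```python
"""Host-side IoC sweep for the Meow ransomware indicators listed in the advisory.

Added example, not part of the original advisory. Hash sets and the ransom-note
marker are taken from the advisory text; the sample files are constructed here.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Sample hashes as published in the advisory above.
MEOW_SHA256 = {
    "fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9",
    "7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f",
    "b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec",
}
MEOW_MD5 = {
    "8f154ca4a8ee50dc448181afbc95cfd7",
    "4dd2b61e0ccf633e008359ad989de2ed",
    "3eff7826b6eea73b0206f11d08073a68",
    "1d70020ddf6f29638b22887947dd5b9c",
    "033acf3b0f699a39becdc71d3e2dddcc",
    "0bbb9b0d573a9c6027ca7e0b1f5478bf",
}
RANSOM_NOTE_NAME = "readme.txt"
RANSOM_NOTE_MARKER = "MEOW! MEOW! MEOW!"
ENCRYPTED_EXT = ".meow"  # compared case-insensitively, so .MEOW matches


@dataclass
class Finding:
    path: str
    indicator: str  # "extension", "ransom_note", "sha256" or "md5"
    detail: str = ""


def file_hashes(path, chunk=1 << 20):
    """Return (sha256, md5) hex digests, streaming so large files are not loaded whole."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root):
    """Walk `root` and collect every indicator match as a Finding."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                findings.append(Finding(path, "extension"))
            if name.lower() == RANSOM_NOTE_NAME:
                try:
                    with open(path, "r", errors="replace") as fh:
                        head = fh.read(4096)  # the marker sits at the top of the note
                except OSError:
                    head = ""
                if RANSOM_NOTE_MARKER in head:
                    findings.append(Finding(path, "ransom_note", RANSOM_NOTE_MARKER))
            try:
                sha, md5 = file_hashes(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if sha in MEOW_SHA256:
                findings.append(Finding(path, "sha256", sha))
            if md5 in MEOW_MD5:
                findings.append(Finding(path, "md5", md5))
    return findings


def build_sample_tree():
    """Constructed sample data: one benign file, one .MEOW file and one ransom note."""
    root = tempfile.mkdtemp(prefix="meow_sweep_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "budget.xlsx.MEOW"), "wb") as fh:
        fh.write(b"\x00constructed placeholder for an encrypted file\x00")
    with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
        fh.write("MEOW! MEOW! MEOW!\nconstructed ransom note body\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("benign file, no indicators\n")
    return root


def demo():
    """Build the constructed tree and return the findings the sweep produces."""
    return sweep(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.indicator:12} {f.path} {f.detail}")
```

The constructed tree triggers the extension and ransom-note indicators but not the hash indicators, since no constructed file can reproduce the published sample hashes; on a real host a hash hit is the higher-confidence signal, while the extension and note checks confirm that encryption actually ran.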

Mitigation and Prevention:

  1. Patch Management: Apply software security updates promptly and harden RDP configurations.
  2. Backups: Maintain and test offline backups to ensure rapid recovery without paying ransoms.
  3. Network Segmentation: Isolate critical systems to prevent lateral movement.
  4. Employee Training: Educate staff about phishing attacks and social engineering.

Conclusion:

Meow ransomware has evolved from a traditional encryption-based ransomware operation into a data extortion group. By exploiting weak systems and leveraging the Conti v2 source code, Meow continues to pose a serious threat, particularly in critical sectors. Organisations must remain vigilant by strengthening network defences, educating employees, and maintaining robust backup strategies.


Sources:

  1. SOCRadar: Dark Web Profile: Meow Ransomware
  2. The Register: Meow ransomware sees surge of activity
  3. Broadcom Security: Meow Ransomware Overview
  4. WatchGuard Technologies: MEOW! Ransomware Profile