Meow Ransomware Evolves into Data Extortion
Threat Details and Score
Threat Group: Meow, also known as MeowCorp and MeowLeaks, a ransomware group derived from NB65 (itself based on Conti v2's leaked source code).
Threat Type: Ransomware/Data Extortion.
Exploited Vulnerabilities: Weak RDP configurations, phishing campaigns, compromised software (e.g., VMware and Jenkins), deceptive downloads, botnets, malvertising, web injections, fake updates, and infected installers.
Malware Used: Meow ransomware with ChaCha20 and RSA-4096 encryption algorithms, though recent attacks are more focused on data theft without encryption.
Threat Score: High (7.5/10) due to persistent targeting of sensitive industries (healthcare, education) and the shift towards selling stolen data rather than traditional encryption-based extortion.
Last Threat Observation: Active as of September 2024, with at least nine victims reported so far this year.
Overview
The Meow ransomware group, first identified in August 2022, continues to pose a significant threat in 2024 despite changes in tactics. Initially leveraging encryption-based ransomware, the group has shifted towards data extortion without encryption in its latest campaigns. Meow ransomware’s lineage traces back to Conti v2, and it employs the ChaCha20 and RSA-4096 encryption algorithms. Early operations saw victims paying ransoms to decrypt files, but recent activity has moved towards selling stolen data, primarily targeting sectors like healthcare and education.
Key Details:
- Active Years: August 2022 - Present (resurgence in 2024).
- Encryption Algorithms: ChaCha20 and RSA-4096 used in earlier strains.
- Ransom Note: Titled “readme.txt” with repeated “MEOW! MEOW! MEOW!” phrases.
- Victims: The group has primarily targeted organisations in the U.S., with recent victims including healthcare and educational institutions.
- Shift in Tactics: The group now often sells stolen data instead of using encryption, with prices ranging from $2,999 to $60,000.
Attack Vectors:
- Email Phishing: Malicious attachments and links.
- Unprotected RDP: Exploiting weak remote desktop configurations.
- Compromised Software: Exploitation of vulnerabilities in unpatched software (e.g., VMware, Jenkins).
Known Indicators of Compromise (IoCs):
- File Extensions: Encrypted files use the .MEOW extension.
- Ransom Note: “readme.txt” included in the attack.
- URLs (Onion) (Defanged):
- hxxp://meow6xanhzfci2gbkn3lmbqq7xjjufskkdfocqdngt3ltvzgqpsg5mid[.]onion/
- hxxp://totos7fquprkecvcsl2jwy72v32glgkp2ejeqlnx5ynnxvbebgnletqd[.]onion
- Sample File Hashes:
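As an added example (not from the advisory or any of its sources), a small Python sweep that applies the two file-system indicators above, the .MEOW extension and a readme.txt containing the “MEOW! MEOW! MEOW!” phrase, to a directory tree and triages the result; the sample tree it builds is constructed for the demo. Because the group's recent campaigns steal data without encrypting, a clean result from this check does not rule out Meow activity, so data-egress monitoring is still needed.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory above: file extension, note name, note phrase.
MEOW_EXTENSION = ".meow"
RANSOM_NOTE_NAME = "readme.txt"
RANSOM_NOTE_MARKER = "MEOW! MEOW! MEOW!"

def scan_tree(root):
    """Walk `root` and collect paths matching the Meow file-system indicators."""
    findings = {"encrypted_files": [], "ransom_notes": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(MEOW_EXTENSION):
                findings["encrypted_files"].append(str(path))
            elif name.lower() == RANSOM_NOTE_NAME:
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable file: skip it rather than abort the sweep
                if RANSOM_NOTE_MARKER in text:
                    findings["ransom_notes"].append(str(path))
    return findings

def classify(findings):
    """Triage label; a note with no .MEOW files fits the newer no-encryption extortion pattern."""
    notes, enc = findings["ransom_notes"], findings["encrypted_files"]
    if notes and enc:
        return "meow-encryption"
    if notes:
        return "meow-note-only"
    return "meow-extension-only" if enc else "clean"

def build_sample_tree():
    """Constructed fixture, not real malware artefacts: a share with two .MEOW files and a note."""
    root = Path(tempfile.mkdtemp(prefix="meow-demo-"))
    share = root / "share"
    share.mkdir()
    for doc in ("report.docx.MEOW", "budget.xlsx.MEOW"):
        (share / doc).write_bytes(b"\x00" * 16)
    (share / "readme.txt").write_text(RANSOM_NOTE_MARKER + "\n")
    (root / "readme.txt").write_text("Project setup notes.\n")  # benign readme, must not match
    return root

if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    print(classify(hits), hits)
```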
Mitigation and Prevention:
- Patch Management: Harden RDP configurations and promptly patch known software vulnerabilities (e.g., VMware, Jenkins).
- Backups: Maintain and test offline backups to ensure rapid recovery without paying ransoms.
- Network Segmentation: Isolate critical systems to prevent lateral movement.
- Employee Training: Educate staff about phishing attacks and social engineering.
Conclusion:
Meow ransomware has evolved from a traditional encryption-based ransomware operation into a data extortion group. By exploiting weak systems and leveraging the Conti v2 source code, Meow continues to pose a serious threat, particularly in critical sectors. Organisations must remain vigilant by strengthening network defences, educating employees, and maintaining robust backup strategies.