Dark Web Profile: Meow Ransomware – SOCRadar® Cyber Intelligence Inc.

Meow ransomware emerged from Conti’s leaked code and ran its encryption campaign from late 2022 to early 2023; a free decryptor released in March 2023 ended that phase. The group resurfaced in 2024, shifting from encryption to data exfiltration and data sale on its Meow Leaks site, targeting primarily US organizations and data-sensitive sectors such as healthcare and medical research. #MeowRansomware #Conti

Keypoints

  • Meow ransomware originated in 2022 as a variant derived from Conti’s leaked code and was active from late August 2022 to February 2023; a free decryptor appeared in March 2023, leading to the operation’s end.
  • Kaspersky noted 257 encrypted victims with 14 paying; private keys were generated between November 13, 2022 and February 5, 2023, signaling the attack window.
  • The group remained active in 2024, with nine victims reported and several March 2024 incidents, suggesting continued extortion activity, though not clearly aligned with a traditional RaaS model.
  • Victimology shows a US focus (17 attacks) with a handful of targets in Morocco (2) and single incidents in Canada, the UK, Italy, Nigeria, and Singapore; healthcare and medical research are frequently targeted due to sensitive data.
  • Modus operandi included ChaCha20 encryption, .MEOW file extensions, and a ransom note named readme.txt; victims were instructed to contact extortionists via email or Telegram.
  • There is evidence of a shift toward data extortion; Meow Leaks lists victims and data sale attempts, with prices and “victim shaming” tactics, rather than straightforward encryption.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used as part of initial access alongside other vectors; “The ransomware spread through various means, including unprotected Remote Desktop Protocol (RDP) configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, malvertising, web injections, fake updates, and infected installers.”
  • [T1133] External Remote Services – Initial access via exposed remote services such as unprotected RDP configurations.
  • [T1566] Phishing – Initial access via email spam with malicious attachments.
  • [T1129] Shared Modules – Listed in the article’s MITRE mapping without further detail on how the malware loads shared modules.
  • [T1027] Obfuscated Files or Information – Used to conceal ransomware components.
  • [T1027.005] Indicator Removal from Tools – Stripping detectable artifacts (strings, signatures) from the malware itself so that existing detections no longer match.
  • [T1036] Masquerading – Tricks to appear legitimate or legitimate-looking processes/files.
  • [T1497] Virtualization/Sandbox Evasion – Detecting and avoiding sandbox or virtualized analysis environments during infection.
  • [T1056] Input Capture – Capturing user input, such as keystrokes, during the intrusion.
  • [T1057] Process Discovery – Discovery of running processes within the compromised environment.
  • [T1082] System Information Discovery – Gathering system information to tailor the attack.
  • [T1083] File and Directory Discovery – Locating files and directories to encrypt or exfiltrate.
  • [T1518.001] Security Software Discovery – Detecting installed security tools to evade defenses.
  • [T1080] Taint Shared Content – Placing malicious content on shared drives or repositories so that it spreads when other users open it (lateral movement).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrating data over the command-and-control channel.
  • [T1071] Application Layer Protocol – C2 communications over application-layer protocols.
  • [T1573] Encrypted Channel – Encrypted communications for C2 traffic.
  • [T1486] Data Encrypted for Impact – Encryption of data to cause impact (historical operation).

Indicators of Compromise

  • [SHA-256] IoCs – Hashes the article associates with Meow samples: fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9, 7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f, and 4 more hashes
  • [SHA-1] IoCs – Hashes the article associates with Meow samples: 59e756e0da6a82a0f9046a3538d507c75eb95252, 987ad5aa6aee86f474fb9313334e6c9718d68daf, and 4 more hashes
  • [MD5] IoCs – Hashes the article associates with Meow samples: 8f154ca4a8ee50dc448181afbc95cfd7, 4dd2b61e0ccf633e008359ad989de2ed, and 4 more hashes
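The following is an added example, not code from the SOCRadar article or from Meow itself. It turns the two host-side artifacts the profile names (the .MEOW extension and the readme.txt ransom note) plus the six quoted hashes into a small Python sweep that an incident responder could run over a file share or an image mount. The sample tree it scans is constructed inline; the keywords used to recognise the note (decrypt, Telegram, an e-mail address) are an assumption, since the page gives only the note’s name and that victims are told to contact the extortionists by e-mail or Telegram; and the hash sets contain only the six values quoted above, not the elided ones.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# IoCs quoted on the page (the article lists more; only these six are shown there).
MEOW_SHA256 = {
    "fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9",
    "7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f",
}
MEOW_SHA1 = {
    "59e756e0da6a82a0f9046a3538d507c75eb95252",
    "987ad5aa6aee86f474fb9313334e6c9718d68daf",
}
MEOW_MD5 = {
    "8f154ca4a8ee50dc448181afbc95cfd7",
    "4dd2b61e0ccf633e008359ad989de2ed",
}

ENCRYPTED_EXT = ".meow"        # extension appended to encrypted files (from the profile)
RANSOM_NOTE_NAME = "readme.txt"  # ransom note file name (from the profile)
# Assumed note content: the page only says victims are told to contact the actors
# by e-mail or Telegram, so we look for those cues plus the word "decrypt".
NOTE_PATTERNS = re.compile(r"(decrypt|telegram|[\w.+-]+@[\w-]+\.\w+)", re.IGNORECASE)


def file_hashes(path):
    """Return MD5, SHA-1 and SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_tree(root, sha256=MEOW_SHA256, sha1=MEOW_SHA1, md5=MEOW_MD5):
    """Walk `root` and return (finding_kind, path) tuples for the three artifacts."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == ENCRYPTED_EXT:
            findings.append(("encrypted_file", str(p)))
        if p.name.lower() == RANSOM_NOTE_NAME:
            # A generic readme.txt is common; only flag it when it reads like a note.
            try:
                text = p.read_text(errors="replace")
            except OSError:
                text = ""
            if NOTE_PATTERNS.search(text):
                findings.append(("ransom_note", str(p)))
        h = file_hashes(p)
        if h["sha256"] in sha256 or h["sha1"] in sha1 or h["md5"] in md5:
            findings.append(("ioc_hash_match", str(p)))
    return findings


def build_sample_tree(root):
    """Constructed sample data: one renamed file, one note, one benign file, one binary."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "tools").mkdir(exist_ok=True)
    (root / "docs" / "budget.xlsx.MEOW").write_bytes(os.urandom(64))
    (root / "docs" / "readme.txt").write_text(
        "Your files are encrypted. Contact us via Telegram or e-mail to decrypt.\n")
    (root / "docs" / "notes.txt").write_text("quarterly planning\n")
    # Not malware: a placeholder binary so the hash-match path can be exercised.
    (root / "tools" / "suspect.exe").write_bytes(b"MZ constructed placeholder, not a real sample\n")
    return root


def run_demo():
    """Scan the constructed tree with the page's IoCs, then again with the placeholder
    binary's hash added to the SHA-256 set to show what a true hash hit looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        baseline = scan_tree(root)
        seeded = MEOW_SHA256 | {file_hashes(root / "tools" / "suspect.exe")["sha256"]}
        with_hit = scan_tree(root, sha256=seeded)
    return baseline, with_hit


if __name__ == "__main__":
    for label, result in zip(("page IoCs", "seeded hash"), run_demo()):
        print(label)
        for kind, path in result:
            print(f"  {kind:16} {path}")
```

Hash matching alone is weak against a strain whose builder produces per-victim binaries, which is why the sweep also keys on the extension and the note: those survive recompilation, whereas the hashes above only identify the specific samples the article analysed. On a live host, run it against mounted evidence or a read-only share rather than the compromised system’s own disk, so the scan does not alter access timestamps the forensic timeline will need.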

Read more: https://socradar.io/dark-web-profile-meow-ransomware/