Emerging Threat Actor: Meow Ransomware
According to the Power Rankings: Ransomware Malicious Quartile report, Meow ransomware, also known as MeowLeaks or MeowCorp, first surfaced in 2022 and is believed to be a spinoff from the notorious Conti ransomware gang.
Initially a small and relatively obscure operation, Meow has undergone a rapid evolution, shifting its tactics from traditional ransomware deployment to a data-centric extortion model. This transformation reflects broader trends within the ransomware ecosystem, where groups increasingly prioritize data exfiltration over file encryption to exert pressure on victims and maximize profits.
Evolution and Tactical Shifts
Meow's early operations resembled a typical Ransomware-as-a-Service (RaaS) model, utilizing encryption to lock victims' files and appending the "MEOW" extension to compromised data.
The ransomware predominantly encrypted files using ChaCha20 combined with RSA-4096, targeting both Windows and Linux systems, including virtualization platforms like VMware ESXi. Notably, the encryption routine skipped plain-text and ".exe" files, focusing on more critical data to incentivize ransom payments.
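As an added triage example (not code from the original post, and not from Halcyon or the Meow operators), the script below scans a directory tree for the two observable traces of the encryption behaviour just described: files renamed with the MEOW extension, and file contents whose byte entropy sits near the maximum, as ChaCha20 output would, while ".exe" and plain-text files remain untouched. The exact ".MEOW" suffix form, the 7.0-bit entropy threshold, and the constructed sample tree are assumptions made for the example.

```python
"""Added triage example (not Halcyon's or Meow's code): flag a directory tree
that shows the encryption footprint the post describes, i.e. files renamed with
a "MEOW" extension whose contents look like ChaCha20 output (near-maximal byte
entropy), while .exe and plain-text files were left alone. The exact ".MEOW"
suffix form and the 7.0-bit entropy threshold are assumptions."""
import math
import os
import random
import tempfile
from collections import Counter

MEOW_SUFFIX = ".meow"      # assumed form of the appended extension, matched case-insensitively
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext sits near 8.0, English text near 4.5
SAMPLE_BYTES = 4096        # how much of each file to sample for the entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str) -> dict:
    """Walk `root` and classify every regular file.

    Returns a summary with:
      renamed        - files carrying the MEOW suffix
      encrypted_like - renamed files whose sampled bytes exceed the entropy threshold
      untouched_exe  - .exe files found without the suffix (the post says these are skipped)
      untouched_text - low-entropy, unrenamed files (plain text the post says is skipped)
    """
    summary = {"renamed": [], "encrypted_like": [], "untouched_exe": [], "untouched_text": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            entropy = shannon_entropy(sample)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(MEOW_SUFFIX):
                summary["renamed"].append(rel)
                if entropy >= ENTROPY_THRESHOLD:
                    summary["encrypted_like"].append(rel)
            elif name.lower().endswith(".exe"):
                summary["untouched_exe"].append(rel)
            elif entropy < ENTROPY_THRESHOLD:
                summary["untouched_text"].append(rel)
    return summary


def verdict(summary: dict) -> str:
    """Reduce the scan to a triage label for an analyst."""
    if summary["encrypted_like"]:
        return "likely-meow-encryption"
    if summary["renamed"]:
        # suffix present but contents are not ciphertext-like: worth a closer look
        return "renamed-but-low-entropy"
    return "no-indicators"


def build_sample_tree(root: str) -> None:
    """Write a constructed sample tree (not real victim data) that mimics the footprint."""
    rng = random.Random(20240801)  # fixed seed so the example is reproducible
    os.makedirs(os.path.join(root, "finance"), exist_ok=True)
    # A document "encrypted" and renamed: high-entropy bytes stand in for ChaCha20 output.
    with open(os.path.join(root, "finance", "ledger.xlsx.MEOW"), "wb") as fh:
        fh.write(rng.randbytes(SAMPLE_BYTES))
    # Plain text and an executable are left untouched, as the post describes.
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("quarterly notes: nothing unusual to report\n" * 50)
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 2048)


def run_demo() -> dict:
    """Build the sample tree, scan it, and return the summary plus verdict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        summary = scan_tree(root)
    summary["verdict"] = verdict(summary)
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The entropy check matters because a renamed file alone proves little: a staged or decoy file can carry the suffix while still holding readable content, and the "renamed-but-low-entropy" label separates that case from a tree that genuinely contains ciphertext. On a real host, point `scan_tree` at the suspect share instead of the constructed temporary directory.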
Victims were contacted via email or Telegram to initiate ransom negotiations, a common practice among RaaS groups. Meow leveraged phishing campaigns, exploited vulnerabilities in Remote Desktop Protocol (RDP), and compromised widely used software such as VMware and Jenkins to gain unauthorized access to victim networks.
However, a significant shift occurred in recent months as Meow transitioned from encryption-based extortion to a data exfiltration-focused model. This strategic overhaul mirrors the tactics of groups like BianLian, emphasizing the theft of sensitive information for extortion without deploying traditional ransomware payloads.
This change has led to a surge in attack volume, with Meow accounting for 9% of all global ransomware incidents in August 2024, marking them as one of the most active ransomware groups during that period.
Target Profile and Operational Footprint
Meow has expanded its victim profile considerably, targeting industries that manage highly sensitive data, including healthcare, medical research, education, and government institutions. Notably, they claimed responsibility for a high-profile attack on the Superior Court of California in Sonoma County, underscoring their willingness to target critical public sector entities.
The group's activities in 2024 were particularly aggressive, with significant data exfiltration incidents reported across sectors handling personal and financial information. This escalation aligns with their broader strategy to maintain visibility and exert continuous pressure on victims within the ransomware ecosystem.
Data Extortion Business Model
Meow operates under a distinctive data extortion model, offering stolen information through a tiered pricing structure designed to maximize revenue and victim compliance. Victims—or interested third parties—can purchase access to the compromised data at a standard fee.
Alternatively, Meow offers an exclusive access option at a significantly higher price, ensuring that only one buyer obtains the stolen data, thus increasing the urgency and pressure on the original victim to pay for privacy and control.
Pricing for data access varies widely, reflecting the value of the targeted information and the victim's profile. Observed transactions on the dark web range from as low as a few hundred dollars to as high as $40,000, with common price points between $4,000 and $10,000.
This flexible pricing model allows Meow to adapt their extortion demands based on the perceived sensitivity and marketability of the stolen data.
Authenticity Concerns and Data Brokering Activities
Recent analyses have raised concerns about the authenticity of some of Meow's breach claims. Investigations revealed a troubling pattern: several attacks attributed to Meow closely match previously confirmed breaches linked to the BlackSuit ransomware group.
This overlap suggests that Meow may be functioning, at least in part, as a data broker, leveraging previously compromised data to bolster their attack portfolio and maintain an appearance of operational dominance.
While it is not uncommon for ransomware groups to recycle data or exaggerate their capabilities, the confirmed nature of these overlaps is notable. This discovery complicates the assessment of Meow's true operational capabilities and raises questions about the extent of their involvement in the breaches they claim.
Notable victims include the Superior Court of California, San Francisco Ballet, Karman Inc., Equator Worldwide, Houston Housing Authority, Sanglier Limited, Advantage CDC, MaxDream, MacGillivray Law, Community Hospital of Anaconda and more.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.