Meow Ransomware Hits South American Tours, $16K Ransom Demanded

Incident Date: Aug 26, 2024

Attack Overview
Victim: South American Tours
Industry: Hospitality
Location: Germany
Attacker: Meow
First reported: August 26, 2024

Ransomware Attack on South American Tours by Meow Ransomware Group

South American Tours (SAT), a well-established Destination Management Company (DMC) specializing in comprehensive travel services across South America, has recently fallen victim to a ransomware attack orchestrated by the notorious Meow ransomware group. The attack has resulted in the compromise of 350 MB of sensitive data, including employee information, client details, scanned payment documents, personal data, and medical referral documents. The attackers are demanding a ransom of $16,000 for the release of the encrypted data.

About South American Tours

Founded in 1973, SAT has built a network with fully owned offices in key South American countries, including Argentina, Brazil, Chile, Colombia, Ecuador, Peru, and Uruguay. The company operates primarily as a B2B entity, providing customized travel arrangements for both groups and individual travelers. SAT's offerings include round trips, incentive travel, cruise handling services, and a Seat-in-coach Tours Program. The company is known for its personalized service, allowing clients to tailor their itineraries to meet specific interests and preferences.

With a team of approximately 13 employees, SAT prides itself on its deep knowledge of South America, supported by experienced professionals. This expertise enables the company to deliver high-quality travel experiences that highlight the unique cultures and landscapes of the continent. SAT's commitment to quality and local expertise has made it a leading DMC in South America.

Details of the Attack

The ransomware attack on SAT was carried out by the Meow ransomware group, which has been active since late 2022. The group is associated with the Conti v2 ransomware variant and has targeted various industries, primarily in the United States. Meow ransomware employs a combination of the ChaCha20 and RSA-4096 algorithms to encrypt data on compromised systems. The group maintains a data leak site where they list victims who have not paid the ransom.

In the case of SAT, the attackers have threatened to release the stolen data if the ransom is not paid. The breach poses a significant threat to SAT's reputation and the privacy of its clients and employees. The compromised data includes sensitive information that could have severe implications if exposed.

Meow Ransomware Group

Meow ransomware distinguishes itself by targeting industries with sensitive data, such as healthcare and medical research. The group uses various infection methods, including phishing emails, exploit kits, Remote Desktop Protocol (RDP) vulnerabilities, and malvertising. Once a system is compromised, the ransomware encrypts files and leaves behind a ransom note instructing victims to contact the group via email or Telegram to negotiate the ransom payment.

Security researchers have identified the threat actors behind Meow ransomware as the "Anti-Russian Extortion Group," likely due to their targeting of entities in response to the Russia-Ukraine war. A decryption tool called RakhniDecryptor, built upon the leaked Conti v2 source code, has been released by Kaspersky and can be used to decrypt files encrypted by Meow ransomware.
