THREAT ACTOR

Meow

THREAT LEVEL
6
EMERGENCE DATE
Aug 2022
CATEGORY
Closed Group
Data Extortion Only
AFFILIATIONS

Conti v2 derivative (one of four major branches). Unclear RaaS platform status. Also known as MeowCorps, MeowLeaks, Meow2022

DESCRIPTION

Meow ransomware emerged in August 2022 as a prominent data extortion group, evolving from the leaked Conti v2 source code to achieve second position globally among ransomware threats by August 2024. The group has fundamentally transformed from traditional encryption-based ransomware to operating a data marketplace platform, implementing AI-powered pricing and e-commerce interfaces while targeting healthcare, financial services, and manufacturing sectors. Following a disruptive free decryptor release in March 2023, operations abandoned encryption entirely in favor of data-only extortion, demonstrating operational adaptability.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Data Extortion Group (formerly Ransomware-as-a-Service)

Technical analysis reveals 66% code similarity with the original Conti codebase, placing the group among four major derivatives from the Conti v2 source code leak alongside BlueSky, ScareCrow, and Putin Team. Initially operating as a Ransomware-as-a-Service (RaaS) platform, the transition to a data-only extortion model represents a significant operational shift.

Current Status: As of October 2025, Meow's activity and operational levels have tapered off, raising questions about the group's trajectory and future operations.

Threat Level:
6

Origins and Methodology

The ransomware landscape witnessed a unique evolution through this group's transformation from encryption to marketplace operations. Initial deployment utilized a ChaCha20 + RSA-4096 hybrid encryption system, but operations faced disruption when a free decryptor became available.

Marketplace operations now include AI-powered pricing algorithms, user registration systems, and dual pricing models offering standard access fees versus exclusive premiums. Data marketplace pricing ranges from hundreds of dollars to $40,000 depending on value. This operational model positions the group as a paradigm shift in ransomware economics, moving from service disruption to data monetization.

What is the Evolution of Meow Ransomware?
1. Formation

Operations began using the leaked Conti v2 source code, establishing presence through exploitation of misconfigured databases and phishing campaigns.

2. Evolution

The group's transformation occurred in distinct phases: traditional ransomware operations utilizing ChaCha20 encryption, followed by complete abandonment of encryption for data marketplace operations. The group initially employed living-off-the-land (LotL) techniques and open-source tools for lateral movement and execution.

3. Lineage/Connections

Direct descendant of Conti ransomware with 66% functional code similarity. No dedicated CISA or FBI advisories issued despite achieving prominent global position.

Which Unique Techniques Does Meow Use?

TECHNIQUE

DETAILS

Infection Vectors

Multiple initial access methods include exploitation of public-facing applications (T1190), particularly targeting misconfigured Elasticsearch and MongoDB databases, external remote services (T1133) through unsecured RDP configurations, and phishing campaigns (T1566) with malicious attachments. Focus is on misconfigurations, brute-force RDP attacks, and credential stuffing rather than CVEs.

Target Selection

Primary targets include healthcare organizations, financial services (especially credit unions and regional banks), and manufacturing SMBs. Geographic reach spans North America, Europe, and Asia-Pacific.

Operational Complexity

Advanced capabilities demonstrated through automated Python scanning scripts, MegaSync data exfiltration, compromises of VMware and Jenkins platforms, and a comprehensive marketplace infrastructure with e-commerce functionality. Uses living-off-the-land techniques and open-source tools.

Key Features & Technical Details

FEATURE

DETAILS

Encryption Methods

ChaCha20 stream cipher + RSA-4096 (historical); .MEOW file extension

Double Extortion

Complete transition to data-only extortion without encryption as of 2024

Cross-Platform

Windows, Linux, and VMware ESXi targeting capabilities

Monetization

Dual pricing structure: $4,000–$10,000 standard vs exclusive premiums; AI-powered valuation

Behavioral Patterns

Automated database scanning, rapid data exfiltration, AI-powered pricing

File Exclusions

Often neglects to encrypt .exe and plain text files

Recovery Prevention

Deletes Volume Shadow Copies and backup systems

Activities

Activity has kept a consistent tempo while the group evolved from traditional ransomware into a prominent data marketplace operator. Recent activity shows targeted selection of organizations with valuable data repositories suitable for marketplace monetization. Intelligence indicates expansion of operations with enhanced technical capabilities and marketplace infrastructure improvements.

Which Industries Are Most Vulnerable to Meow?

Healthcare organizations face elevated risk due to extensive PHI/PII databases and regulatory compliance pressures. Financial services, particularly regional institutions, attract targeting for high-value financial records and customer data suitable for marketplace operations. Manufacturing sector organizations experience targeting due to intellectual property and operational technology data that commands premium marketplace prices.

Modus Operandi

Data theft operations follow systematic patterns beginning with automated reconnaissance of vulnerable systems, culminating in marketplace monetization without encryption deployment.

Initial Access: T1190 - Exploit Public-Facing Application (Elasticsearch, MongoDB); T1566 - Phishing; T1133 - External Remote Services (RDP)

Execution: T1059 - Python automation scripts; T1047 - Windows Management Instrumentation

Defense Evasion: T1027 - Code obfuscation; T1562.001 - PowerTool32/64.exe security disabling

Exfiltration: T1020 - Automated exfiltration; T1041 - MegaSync C2 channel

Impact: Data theft without encryption; marketplace publication with AI pricing
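A small hunting script that turns the Recovery Prevention entry above (shadow-copy deletion) and the TTP list (MegaSync exfiltration, PowerTool32/64.exe, the published SHA256) into checks over process-creation telemetry. This is example code added here, not from the profile; the event records are constructed Sysmon-style samples, and the vssadmin/wmic command patterns are the standard shadow-copy deletion forms assumed for the generic "deletes Volume Shadow Copies" statement.

```python
import re

# SHA256 published in this profile's IOC table.
MEOW_SHA256 = {"222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853"}

# Constructed Sysmon Event ID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "Hashes": "SHA256=AAAA"},
    {"Image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe",
     "CommandLine": "MEGAsync.exe", "Hashes": "SHA256=BBBB"},
    {"Image": r"C:\Temp\PowerTool64.exe", "CommandLine": "PowerTool64.exe", "Hashes": "SHA256=CCCC"},
    {"Image": r"C:\Temp\update.exe", "CommandLine": "update.exe",
     "Hashes": "SHA256=222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt",
     "Hashes": "SHA256=DDDD"},
]

# Command-line patterns: assumed generic shadow-copy deletion commands.
CMDLINE_RULES = {
    "recovery_prevention": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
}
# Executable basenames the profile names explicitly.
IMAGE_RULES = {
    "exfil_megasync_T1041": {"megasync.exe"},
    "defense_evasion_powertool_T1562.001": {"powertool32.exe", "powertool64.exe"},
}

def sha256_of(event):
    """Extract the SHA256 field from a Sysmon 'Hashes' string, or None."""
    m = re.search(r"SHA256=([0-9a-f]{64})", event.get("Hashes", ""), re.I)
    return m.group(1).lower() if m else None

def classify(event):
    """Return the rule names a single process-creation record triggers."""
    hits = []
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for name, cmd_re in CMDLINE_RULES.items():
        if cmd_re.search(event.get("CommandLine", "")):
            hits.append(name)
    for name, basenames in IMAGE_RULES.items():
        if image in basenames:
            hits.append(name)
    if sha256_of(event) in MEOW_SHA256:
        hits.append("ioc_sha256_match")
    return hits

def triage(events):
    """Map each flagged event's Image to its rule hits; clean events are omitted."""
    return {e["Image"]: hits for e in events if (hits := classify(e))}

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```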

Indicators of Compromise (IOCs)

INDICATOR

DETAILS

File Hashes

222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853 (SHA256), 5949c404aee552fc8ce29e3bf77bd08e54d37c59 (SHA1), 033acf3b0f699a39becdc71d3e2dddcc (MD5)

Communication

meowcorp2022aol.com, meowcorp2022@proton.me, @meowcorp2022, @meowcorp123

File Extension

.MEOW

Registry

Persistence mechanisms via standard Windows autostart locations

Exploits and Vulnerabilities

CVE: N/A
CVSS: N/A
Description: No specific CVEs exploited; operations focus on misconfiguration abuse and open services