Major sales and ops overhaul leads to much more activity … for Meow ransomware gang

September 11, 2024 TH Author

The Meow ransomware group has grabbed the second most active gang spot in an unexpected surge in activity following a major brand overhaul.

Meow surfaced in March this year as one of the four main Conti offshoots, but didn’t take off in the same way as its predecessor, consistently falling behind groups such as LockBit and more recently RansomHub.

According to Check Point’s summary of August in the world of cybercrime, Meow claimed nine percent of all global ransomware attacks, putting it ahead of nearly all rivals except RansomHub, which is showing itself to be the LockBit replacement nobody asked for, scooping up swathes of its market share and former affiliates.

However, according to the latest intel, it seems Meow is pulling a Cl0p – focusing less on encrypting victims’ files and instead going straight for data theft.

The group started out as a typical ransomware-as-a-service (RaaS) operation but has since decided to opt for pure extortion methods – simply selling the data it steals from intrusions.

Each victim’s data now has two prices attached to it. Pay one price to access the data, although anyone else can also pay the same and get access to the same files. There is also an option to pay a much larger fee, sometimes double, sometimes triple or quadruple, to receive “exclusive” access to the data – clearly the criminals can lie about this – which is then “delisted” from the leak site that serves as Meow’s data marketplace.

Non-exclusive prices typically range between $4,000 and $10,000, although some recent listings have seen prices as low as $150 and as high as $40,000.

Selling data rather than extorting victims has in the past been seen as a final resort tactic rather than a primary modus operandi. RansomHub’s attack on auction house Christie’s earlier this year ultimately ended in the data allegedly being sold to a bidder rather than being leaked. However, experts at the time said this auction was probably not the success the criminals had hoped for.

More active attacks … but will new tactic work?

Ransomware typically sees files encrypted, victims extorted for a ransom payment, and if that payment isn’t made the data is leaked for free to the public. It shows that the group genuinely did have the data it claimed to have stolen.

Selling this data to private bidders is a more opaque process which by its very nature means the public won’t ever see definitive proof that the data was indeed stolen. Of course, the buyers would know, and if Meow was lying it would swiftly be outed and its reputation left in tatters.

Commenting on the potential success of this tactic, Sergey Shykevich, threat intelligence group manager at Check Point Research, cast doubt over its profitability.

“At this point, we are not sure at all that it is a profitable move rather than a PR/marketing-oriented one,” he told The Register. “It was likely done to differentiate themselves from other groups and apply more pressure on the victims to pay them.

“We doubt it is really profitable, as in many cases, the victims’ information is sold, which is not extremely lucrative and not actionable to other threat actors.”

It has been some time since we’ve seen a major development in ransomware methodology. The last major innovation was arguably the rise of double extortion, and perhaps to a lesser extent the trend of reporting victims to domestic regulators a la ALPHV/BlackCat and more recently Cicada3301. It in unclear whether this move will work for Meow in the long term.

One villain retains top spot, while another refuses to quit

Elsewhere in cyberland, RansomHub continues its reign at the top of the rankings, claiming 15 percent of all global attacks in August, per Check Point’s figures.

RansomHub has emerged as the new leading ransomware brand, replacing LockBit and ALPHV/BlackCat which previously jostled for the helm.

“Last month, RansomHub solidified its position as the top ransomware threat, as detailed in a joint advisory from the FBI, CISA, MS-ISAC, and HHS,” said Check Point. “This RaaS operation has aggressively targeted systems across Windows, macOS, Linux, and especially VMware ESXi environments, using sophisticated encryption techniques.

“RansomHub’s emergence as the top ransomware threat in August underscores the increasing sophistication of ransomware-as-a-service operations. Organizations need to be more vigilant than ever.”

The group widely suspected to be a rebrand of the former Knight operation has scooped up the affiliates that used to ply their trade for the old guard, and who were looking for a new home after both faded into nothingness.

Well, “nothingness” might be a bit of a stretch. That’s certainly the case for ALPHV/BlackCat, which exit-scammed its way out of the ransomware scene following the attack on Change Healthcare, although Cicada3301 seems to be bearing the hallmarks of a possible rebrand here.

However, according to Check Point, LockBit is still lingering despite the operation largely being ripped apart by law enforcement in recent months.

In 8 percent of all attacks in August, the LockBit 3 ransomware strain was responsible. This may not come as too much of a surprise, as the builder was leaked years ago and has been used by all kinds of criminals looking to make a quick buck. Rest assured, though, the operation remains largely hobbled and its affiliates have fled for better opportunities in rival RaaS programs. ®