In late 2022, 4 ransomware strains were discovered that are derived from Conti‘s leaked ransomware strain. One of them was Meow ransomware. The operation of this crypto-ransomware was observed from late August to the first half of September 2022 and persisted until February 2023. In March 2023, a free decryptor for the Meow ransomware was released, leading to the cessation of their operation.
2022 年底,发现了 4 种源自 Conti 泄露的勒索软件毒株的勒索软件毒株。其中之一是 Meow 勒索软件。从 2022 年 8 月下旬到 9 月上半月观察到这种加密勒索软件的运行,并一直持续到 2023 年 2 月。2023 年 3 月,发布了 Meow 勒索软件的免费解密器,导致其停止运行。
At the time the incident occurred, Kaspersky suggested that a modified Conti strain was likely employed to encrypt 257 victims, with 14 of them paying the attackers to regain access to their data. The private keys used for decryption were generated between November 13, 2022, and February 5, 2023, indicating the timeframe of the attacks.
在事件发生时,卡巴斯基表示,可能使用修改后的Conti菌株来加密257名受害者,其中14人向攻击者付费以重新获得对其数据的访问权限。用于解密的私钥是在 2022 年 11 月 13 日至 2023 年 2 月 5 日之间生成的,表明了攻击的时间范围。
A group named Meow is still active, and has made a relatively rapid entry into 2024 and has nine victims in 2024 so far. Although it does not seem to be a group that does not work with the RaaS model, they have three listed victims in March 2024 alone, and the institutions they target are not small targets.
一个名为 Meow 的组织仍然活跃,并且已经相对较快地进入了 2024 年,到目前为止,到 2024 年已有 9 名受害者。虽然它似乎不是一个不使用 RaaS 模型的团体,但他们仅在 2024 年 3 月就有三名列出的受害者,他们针对的机构也不是小目标。
With no recent instances of sample encryptors being detected, the latest iteration of Meow ransomware could potentially operate solely as an extortion group, assuming it is the same entity. Therefore, we can’t state definitively whether Meow, the group still active, is a direct continuation of the previous operation -MeowCorps.
由于最近没有检测到样本加密器的实例,因此 Meow 勒索软件的最新版本可能仅作为勒索组织运行,假设它是同一个实体。因此,我们无法明确地说明仍然活跃的组织 Meow 是否是之前行动 – MeowCorps 的直接延续。
However, much like the Snatch group, they are probably adept hackers but lack the skills in malware development. Their ransomware was compromised after the release of the decryptor, but they haven’t managed to create a more sophisticated strain.
然而,就像 Snatch 组织一样,他们可能是熟练的黑客,但缺乏恶意软件开发的技能。他们的勒索软件在解密器发布后遭到破坏,但他们还没有设法创建更复杂的菌株。
All recent victims listed on their leak site mention data extraction without any mention of encryption. There hasn’t been any indication of ransomware being employed in their operations, and their website is currently named Meow Leaks.
其泄密网站上列出的所有最近的受害者都提到了数据提取,而没有提到加密。没有任何迹象表明他们的运营中使用了勒索软件,他们的网站目前被命名为 Meow Leaks。
The only aspect raising our doubts is that the Conti-based Meow encryptor targeted many Russian organizations initially. Consequently, some sources labeled them as an anti-Russian extortion group. However, their current choice of victims differs significantly from this characterization.
唯一引起我们怀疑的方面是,基于 Conti 的 Meow 加密器最初针对许多俄罗斯组织。因此,一些消息来源将他们标记为反俄勒索集团。然而,他们目前对受害者的选择与这种描述有很大不同。
Who is Meow Ransomware?
谁是 Meow Ransomware?
Initially identified in August 2022, the Meow ransomware, associated with the Conti v2 variant, disappeared for a while after March of 2023, but a similar in name group surfaced in late 2023 and they remain highly active in 2024. They maintain a data leak site where they list 24 victims. Its dark web presence displays a limited roster of victims, but only those who haven’t paid the ransom are shown.
最初于 2022 年 8 月发现的与 Conti v2 变体相关的 Meow 勒索软件在 2023 年 3 月之后消失了一段时间,但在 2023 年底出现了一个类似的名称组,它们在 2024 年仍然非常活跃。他们维护着一个数据泄露网站,其中列出了 24 名受害者。它的暗网显示的受害者名单有限,但只显示那些没有支付赎金的人。
Once operating under different names like MeowCorp, MeowLeaks, or just Meow, it employed the ChaCha20 algorithm to encrypt data on compromised servers. Victims are then instructed to contact the extortionists through email or Telegram to receive instructions on paying the ransom and recovering their files. The title of the ransom note included the phrase “MEOW! MEOW! MEOW!” and “meowcorp2022” reiterated in the login credentials as of their initial ransomware strain in 2022.
曾经以 MeowCorp、MeowLeaks 或 Meow 等不同名称运行,它使用 ChaCha20 算法来加密受感染服务器上的数据。然后指示受害者通过电子邮件或电报联系勒索者,以接收有关支付赎金和恢复文件的说明。赎金票据的标题包括“喵喵!猫叫声!喵喵��
Victimology 受害者学
Compared to the old Meow, victim preferences are quite different. Their country target list is not extensive; the vast majority of their targets are in the US, with 17 attacks recorded. Meanwhile, Morocco has experienced 2 attacks, while Canada, UK, Italy, Nigeria, and Singapore each have 1 victim.
与老喵喵相比,受害者的偏好大不相同。他们的国家目标清单并不广泛;他们的绝大多数目标都在美国,记录了 17 次攻击。与此同时,摩洛哥经历了 2 次袭击,而加拿大、英国、意大利、尼日利亚和新加坡各有 1 名受害者。
They are likely selecting targets with sensitive data since they cannot rely on encryption for extorting payment. Industries such as Healthcare and Medical Research are frequently targeted in their attacks.
他们可能会选择具有敏感数据的目标,因为他们不能依靠加密来勒索付款。医疗保健和医学研究等行业经常成为攻击的目标。
They posted the above statement on their data leak site while disclosing the data of a victim who indicated intentions to pay. They explained that the purported reason for the failed agreement was an “unprepared ransomware negotiator.”
他们在数据泄露网站上发布了上述声明,同时披露了表示打算付款的受害者的数据。他们解释说,协议失败的所谓原因是“毫无准备的勒索软件谈判代表”。
Based on the content of the data, a price is assigned, and potential buyers are invited to reach out to them.
根据数据内容,分配价格,并邀请潜在买家与他们联系。
On their data leak sites, only the contact section exists, excluding victim listings.
在他们的数据泄露网站上,只有联系部分存在,不包括受害者列表。
Modus Operandi 做法
Let’s examine the period when Meow ransomware was capable of encrypting data with ransomware. As stated before, a variant stemming from leaked code of Conti-2 Ransomware encrypted data on compromised servers using the ChaCha20 algorithm. It demanded ransom payments from victims through various communication channels such as email or Telegram.
让我们来看看 Meow 勒索软件能够使用勒索软件加密数据的时期。如前所述,源自 Conti-2 Ransomware 代码泄露的变体使用 ChaCha20 算法在受感染的服务器上加密数据。它通过电子邮件或电报等各种通信渠道要求受害者支付赎金。
The ransomware was initially observed towards the end of August and the beginning of September 2022 and remained active until February 2023. The encrypted files bore the “.MEOW” extension, and the ransom note was named “readme.txt.”
该勒索软件最初是在 2022 年 8 月底和 9 月初观察到的,并一直活跃到 2023 年 2 月。加密文件带有“.喵喵“的扩展名,赎金票据被命名为”readme.txt”。
The ransom note, marked with the repeated phrase “MEOW! MEOW! MEOW!”, instructed victims to contact the extortionists via specified email addresses and Telegram accounts to negotiate ransom payments and retrieve their encrypted files.
赎金票据上标有重复的短语“喵喵!猫叫声!喵喵!“,指示受害者通过指定的电子邮件地址和电报帐户联系勒索者,以协商赎金支付并取回他们的加密文件。
Meow ransomware spread through various means, including unprotected Remote Desktop Protocol (RDP) configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, malvertising, web injections, fake updates, and infected installers. The ransomware encrypted a wide range of file types, excluding “.exe” and note text files. The encrypted files were typically found in user folders and temporary directories.
Meow 勒索软件通过各种方式传播,包括未受保护的远程桌面协议 (RDP) 配置、带有恶意附件的垃圾邮件、欺骗性下载、僵尸网络、漏洞利用、恶意广告、网络注入、虚假更新和受感染的安装程序。勒索软件加密了多种文件类型,不包括“.exe”和笔记文本文件。加密文件通常位于用户文件夹和临时目录中。
There haven’t been captured pulse or malware samples regarding their purported ongoing operations, Vanderbilt University Medical Center, one of the recent affected entities, issued a statement. A spokesperson for VUMC acknowledged that they were addressing a cyber incident but refrained from disclosing when it took place, whether it involved ransomware, or the extent of the impact resulting from the attack.
最近受影响的实体之一范德比尔特大学医学中心(Vanderbilt University Medical Center)发表声明说,尚未捕获有关其声称正在进行的操作的脉冲或恶意软件样本。VUMC的一位发言人承认,他们正在处理一起网络事件,但没有透露事件发生的时间,是否涉及勒索软件,或者攻击造成的影响程度。
Mitigation Strategy: Data Protection Focus
缓解策略:数据保护重点
Given the evolving tactics of the Meow data extortion team, particularly their shift towards data sales instead of encryption-based ransomware attacks, it’s crucial to adapt mitigation strategies to prioritize data protection. Here’s a comprehensive approach:
鉴于 Meow 数据勒索团队不断发展的策略,特别是他们转向数据销售而不是基于加密的勒索软件攻击,调整缓解策略以优先考虑数据保护至关重要。下面是一个全面的方法:
Data Classification and Encryption:
数据分类和加密:
- Implement robust data classification policies to identify sensitive information, especially in industries like Healthcare and Medical Research, which are prime targets.
实施强大的数据分类策略以识别敏感信息,尤其是在医疗保健和医学研究等行业,这些行业是主要目标。 - Encrypt sensitive data both at rest and in transit using strong encryption algorithms to mitigate the impact of unauthorized access.
使用强大的加密算法对静态和传输中的敏感数据进行加密,以减轻未经授权访问的影响。
Access Control and Least Privilege:
访问控制和最低权限:
- Enforce strict access controls to limit data access to authorized personnel only.
实施严格的访问控制,将数据访问限制为仅授权人员。 - Follow the principle of least privilege, ensuring that individuals only have access to the data necessary for their roles.
遵循最小权限原则,确保个人只能访问其角色所需的数据。
Network Segmentation and Monitoring:
网络分段和监控:
- Segment networks to contain potential breaches and limit lateral movement within the network.
对网络进行分段,以遏制潜在的违规行为并限制网络内的横向移动。 - Implement continuous network monitoring using Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools to detect anomalous activities indicative of data exfiltration attempts.
使用入侵检测系统 (IDS) 和安全信息和事件管理 (SIEM) 工具实施持续网络监控,以检测指示数据外泄尝试的异常活动。
Employee Training and Awareness:
员工培训和意识:
- Conduct regular training sessions to educate employees about the latest phishing tactics, social engineering techniques, and other methods used by threat actors.
定期举办培训课程,向员工介绍最新的网络钓鱼策略、社会工程技术以及威胁参与者使用的其他方法。 - Foster a culture of cybersecurity awareness where employees are encouraged to report suspicious activities promptly.
培养网络安全意识文化,鼓励员工及时报告可疑活动。
Incident Response Plan: 事件响应计划:
- Develop and regularly update an incident response plan tailored to address data breaches and extortion attempts.
制定并定期更新事件响应计划,以解决数据泄露和勒索企图。 - Establish clear protocols for responding to incidents, including communication procedures, legal considerations, and coordination with law enforcement agencies.
建立明确的事件响应协议,包括沟通程序、法律考虑以及与执法机构的协调。
Backup and Recovery: 备份和恢复:
- Implement a robust backup and recovery strategy to ensure data availability in the event of a ransomware attack or data breach.
实施强大的备份和恢复策略,以确保在发生勒索软件攻击或数据泄露时数据可用性。 - Regularly test backup systems to verify their integrity and effectiveness in restoring critical data.
定期测试备份系统,以验证其在恢复关键数据方面的完整性和有效性。
Vendor and Third-Party Risk Management:
供应商和第三方风险管理:
- Assess the security posture of vendors and third-party partners with access to sensitive data.
评估有权访问敏感数据的供应商和第三方合作伙伴的安全状况。 - Require vendors to adhere to strict security standards and undergo regular security assessments.
要求供应商遵守严格的安全标准,并定期进行安全评估。
By implementing these mitigation strategies, organizations can enhance their resilience against data extortion threats posed by groups like Meow, safeguarding sensitive data and minimizing the impact of potential breaches. Regular evaluation and adaptation of these measures are essential to stay ahead of evolving cyber threats.
通过实施这些缓解策略,组织可以增强其抵御 Meow 等组织构成的数据勒索威胁的弹性,保护敏感数据并最大限度地减少潜在违规行为的影响。定期评估和调整这些措施对于领先于不断变化的网络威胁至关重要。
SOCRadar Use Cases Against a Data Breach
针对数据泄露的 SOCRadar 用例
SOCRadar offers a powerful solution for detecting and mitigating data leaks and credential compromises, safeguarding your business against cyber threats. By continuously monitoring the web, including both surface and dark web sources, SOCRadar swiftly identifies any exposure of sensitive information such as employee emails, customer login details, and credit card numbers.
SOCRadar 提供了一个强大的解决方案,用于检测和缓解数据泄露和凭据泄露,保护您的企业免受网络威胁。通过持续监控网络,包括表面和暗网资源,SOCRadar 可以迅速识别任何敏感信息的暴露,例如员工电子邮件、客户登录详细信息和信用卡号。
Moreover, in addition to its many other features, SOCRadar prioritizes critical security incidents, helping your team focus resources where they’re most needed. By ensuring compliance with GDPR regulations and protecting intellectual property, SOCRadar provides comprehensive threat intelligence to fortify your organization’s defenses against data extortion teams like Meow.
此外,除了许多其他功能外,SOCRadar 还优先考虑关键安全事件,帮助您的团队将资源集中在最需要的地方。通过确保遵守 GDPR 法规和保护知识产权,SOCRadar 提供全面的威胁情报,以加强您的组织对 Meow 等数据勒索团队的防御。
Possible MITRE ATT&CK TTPs of Meow Ransomware
Meow Ransomware 的可能 MITRE ATT&CK TTP
Listed below are the TTPs obtained in the analysis of the Meow ransomware strain and their current possible TTPs.
下面列出了在分析 Meow 勒索软件菌株及其当前可能的 TTP 中获得的 TTP。
IoCs related to Meow Strain
与喵喵菌株相关的 IoC
The following are the IoCs for the now decrypted strain of the Meow group; An attack by the new extortion group has not been publicly reviewed.
以下是现已解密的 Meow 组菌株的 IoC;新敲诈勒索集团的攻击尚未得到公开审查。
SHA-256: SHA-256:
- fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9
- 7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f
- 7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099
- 5a936250411bf5709a888db54680c131e9c0f40ff4ff04db4aeda5443481922f
- 222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853
- b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
SHA-1: SHA-1:
- 59e756e0da6a82a0f9046a3538d507c75eb95252
- 987ad5aa6aee86f474fb9313334e6c9718d68daf
- 94a9da09da3151f306ab8a5b00f60a38b077d594
- 5949c404aee552fc8ce29e3bf77bd08e54d37c59
- 578b1b0f46491b9d39d21f2103cb437bc2d71cac
- 4f5d4e9d1e3b6a46f450ad1fb90340dfd718608b
MD5: MD5:
- 8f154ca4a8ee50dc448181afbc95cfd7
- 4dd2b61e0ccf633e008359ad989de2ed
- 3eff7826b6eea73b0206f11d08073a68
- 1d70020ddf6f29638b22887947dd5b9c
- 033acf3b0f699a39becdc71d3e2dddcc
- 0bbb9b0d573a9c6027ca7e0b1f5478bf
原文始发于socradar:Dark Web Profile: Meow Ransomware