The MEOW! (meow, MeowCorp, MeowCorp2022) ransomware is a derivative of the NB65 ransomware, and since NB65 is an altered Conti v2 variant, this follows suit. The Conti v2 source code leaked from an alleged Ukrainian hacker after the group publicly expressed support for Russia during the Russia-Ukraine war. The Conti v2 ransomware used a combination of ChaCha20 and RSA-4096 to encrypt files. ChaCha20 is used to encrypt the files because it's a significantly quicker stream cipher than an asymmetric encryption algorithm like RSA-4096, which is used to encrypt the ChaCha20 key. The MEOW! ransomware shares all of these characteristics. In tandem with the encryption event, the MEOW! ransomware drops a ransom note named "readme.txt" and provides at least seven known methods of communication for extortion negotiations: four emails and three telegram accounts. Security researcher Amigo-A followed the actions of the threat actor(s) distributing MEOW! and other similar variants of NB65, dubbing them the Anti-Russian Extortion Group. This is shown in the Threat Actors variable below.
Ransomware - MEOW!
MEOW!
Aliases
Meow
MeowCorp
MeowCorp2022
Decryptor Available
Yes
Description
Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Lineage
Threat Actors
Tipo
Actor
Cybergroup
Anti-Russian Extortion Group
Extortion Types
Direct Extortion
Medio
Identificativo
Email
Email
Email
Email
Telegram
@meowcorp2022
Telegram
@meowcorp123
Telegram
@meowcorp321
Encryption
Type
Hybrid
Files
ChaCha20
Key
RSA-4096
File Extension
<file name>.MEOW
Ransom Note Name
readme.txt
Ransom Note Image
Samples (SHA-256)
222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853
Decryptors
References & Publications
BleepingComputer Forums: Meow Ransomware (.MEOW) Support Topic - Ransomware Help & Tech Support
Kaspersky Club Forum [RU]: server hacked and encrypted .MEOW files!
The Crypto-Ransomware Digest: Meow