Meow is a ransomware/extortion threat associated with Conti-derived code. Reporting in the provided content describes Meow ransomware as a variant of Conti that appends the ".MEOW" extension to encrypted files and uses the ChaCha20 encryption algorithm, while excluding .exe and text files. Infection and access vectors mentioned for Meow include unprotected RDP, email spam, and malicious downloads. Separate reporting in the content states that Meow later operated as a data-extortion-focused threat actor, also referred to as MeowLeaks or MeowCorp, first emerging in late 2022 and believed to be a Conti spinoff due to code similarities. That reporting says the group transitioned to a pure extortion model in which it steals sensitive data and publishes it on its leak site without deploying file-encrypting malware. The content also places Meow among active ransomware/extortion groups targeting U.S. organizations, including small and mid-sized U.S. organizations, and notes it was among the more active groups in U.S. ransomware victim reporting in 2024. A mutex name reused by DragonForce was noted as having previously been used by Meow and LockBit Green, further supporting linkage to Conti-based ransomware code. Aliases explicitly mentioned in the content are MeowLeaks and MeowCorp.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named ransomware group referenced as a source of copied victim entries used in a scam/impersonation campaign.
Named ransomware group/family referenced as part of the set of groups whose victim lists were allegedly copied by a fake 'resurrected Babuk' operation.
Conti-based ransomware family referenced because it shares a mutex naming convention also seen in DragonForce samples.
Meow is a data extortion group, originally using ransomware but now focused on stealing and leaking sensitive data. It primarily targets small and mid-sized organizations in healthcare and financial services.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.