MEOW Ransomware: Complete Guide

MEOW ransomware is a malicious software variant that has garnered attention for its disruptive activities in the cyber threat landscape. Stemming from the notorious Conti ransomware, MEOW represents a modified iteration that inherits its core functionalities and encryption techniques.

Conti, an infamous ransomware-as-a-service operation, was active for several years until its abrupt shutdown in May 2022. The source code for Conti was leaked in March of the same year, giving rise to subsequent variants, including MEOW.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against malware attacks. And, in case of a malware attack, contact our malware recovery experts immediately.

MEOW ransomware overview

The ransomware is known to target and encrypt a wide range of files, appending the file extension “.MEOW” and rendering them inaccessible to users. In addition to encrypting files, MEOW leaves behind a ransom note named “readme.txt,” a common tactic employed by ransomware to communicate with victims.

MEOW ransomware’s impact has extended to various sectors, with notable incidents, such as the cyber incident at Vanderbilt University Medical Center, bringing attention to the threat’s potency.

Everything we know about MEOW ransomware

Confirmed Name

• MEOW virus

MEOW ransomware decryptor

There is a decryption tool accessible for the MEOW ransomware that is derivative from NB65 ransomware, and built upon the leaked source code of Conti v21.

This decryption utility is known as RakhniDecryptor and has been released by Kaspersky. This tool is designed to operate on Windows operating systems and is capable of decrypting files that bear extensions such as

• .MEOW
• .CAT
• .KITTEN
• .FELINE.

Threat Type

• Ransomware
• Crypto virus
• Files locker
• Data leak

Encryption file extension

• .MEOW

Ransom note file name

• readme.txt

Detection names

• Avast Win32:Conti-B [Ransom]
• Emsisoft Gen:Variant.Mikey.147541 (B)
• Kaspersky HEUR:Trojan-Ransom.Win32.Generic
• Malwarebytes Generic.Malware/Suspicious
• Microsoft Ransom:Win32/Conti.IPA!MTB

Distribution methods

• Phishing emails
• Malicious Ads (Malvertising)
• Exploit kits
• Remote Desktop Protocol (RDP)

MEOW Ransomware methods of infection and execution

MEOW ransomware, stemming from the NB65 ransomware lineage, emerges as a formidable threat by encrypting files on victims’ computers and demanding a ransom for their liberation.

Employing a sophisticated hybrid encryption scheme, amalgamating ChaCha20 and RSA-4096 algorithms, MEOW strategically renders files inaccessible without the elusive corresponding private key.

Infection methods

• Phishing emails

Phishing emails are deceptive messages that disguise their true intent, camouflaging themselves as legitimate communications to evade scrutiny.

These emails trick users into opening an innocuous-looking attachment or clicking on embedded links containing malicious payload. A malicious payload is a file, a code, or a command that is executed on the target system or network.

• Exploit kits

Exploit kits are automated tools that cybercriminals use to exploit the vulnerabilities in your digital defenses.

Without your knowledge, the exploit kit quietly installs ransomware, taking advantage of the weak points in your software.

• Remote Desktop Protocol (RDP) 

Hackers either steal access credentials using password tricks or take advantage of weaknesses in the RDP system.

Once they successfully breach your digital defenses through RDP, a manual operation begins. The intruders, armed with unauthorized access, manually release the ransomware onto your system.

This starts the encryption process, and your compromised system falls under the control of the attacker.

• Malicious Ads (Malvertising)

Malvertising, a mix of “malicious” and “advertising,” is an online ad that seems innocent but hides threats. They can redirect unsuspecting users to harmful websites or secretly deliver malware.

As the user clicks on these ads, it triggers a malicious payload hidden in the ad that starts the download and installation of ransomware.

Do not pay the ransom! Contacting a ransomware recovery service can not only restore your files but also remove any potential threat.

MEOW ransomware Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

MEOW ransomware-specific IOCs

IOCs offer insights into potential signs of MEOW ransomware activity. However, it’s crucial to stay updated, as IOCs may change over time with ransomware evolution.

To assist in the detection and response to potential MEOW ransomware attacks, the following Indicators of Compromise (IOCs) have been identified:

File Extensions: .MEOW, .CAT, .KITTEN, or .FELINE.

Ransom Note: “readme.txt”

Registry Keys:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MEOW
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
  System\EnableLUA
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
  System\ConsentPromptBehaviorAdmin
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
  System\ConsentPromptBehaviorUser

Network Traffic:

• meowransomware[.]com
• meowransomware[.]net
• meowransomware[.]org
• 185.141.25[.]241
• 185.141.25[.]242
• 185.141.25[.]243
• 185.141.25[.]244

MEOW ransom note

The ransom note provides several contact methods, including email addresses and Telegram usernames.

Victims are instructed to reach out to these channels to initiate communication with the attackers for further instructions on the ransom payment and potential file decryption.

It’s important to note that engaging with cybercriminals and paying the ransom does not guarantee the retrieval of files, and security experts strongly discourage such actions.

How to handle a MEOW ransomware attack

The first step to recovering from a MEOW ransomware attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the FBI and the Internet Crime Complaint Centre (IC3).

To report a malware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with threat actors (if you have them)
• A sample of an encrypted file

However, if you prefer to contact professionals, then it’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.

Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics experts to trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the malware and recover the files with your IT team, you can follow the next steps.

2. Use a backup to restore the data

The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.

Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.

Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.

3. Contact a malware recovery service

If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way to restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent MEOW ransomware from attacking your network again, contact our recovery experts 24/7.

Prevent the MEOW ransomware attack

Preventing malware is the best solution for data security. is easier and cheaper than recovering from them. MEOW ransomware can cost your business’s future and even close its doors.

These are a few tips to ensure you can avoid malware attacks:

• Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
• Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
• Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
• Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
• Use a firewall to block unauthorized access to your network and systems.
• Network segmentation to divide a larger network into smaller sub-networks with limited interconnectivity between them. It restricts attacker lateral movement and prevents unauthorized users from accessing the organization’s intellectual property and data.
• Limit user privileges to prevent attackers from gaining access to sensitive data and systems.
• Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.