Meow’s Meteoric Rise: Conti Offshoot Claims Second Spot in Cybercrime
The Meow group has ascended to the second spot in cybercriminal activity, significantly increasing its attacks following a rebranding. Meow emerged in March this year as one of four groups formed after the disbandment of Conti. However, it long remained overshadowed by more prominent groups like LockBit and RansomHub.
According to Check Point’s August report, Meow accounted for 9% of all global ransomware attacks, second only to RansomHub, which has confidently taken LockBit’s place. Meow employs a new tactic, shifting focus from encrypting victims’ files to data theft, reminiscent of the strategy employed by the notorious Cl0p group.
Initially, Meow operated as a Ransomware-as-a-Service (RaaS) operation, providing tools for conducting attacks. Now, the group has pivoted to pure extortion, selling stolen data. Meow offers two payment options for access to the stolen information. The first option is a lower price for non-exclusive access, allowing others to purchase the same data. The second, much higher-priced option promises exclusive access, with the data allegedly removed from leak sites and no longer available for sale. However, there are no guarantees that the information will indeed be deleted or withheld from others, and the criminals may renege on their promises.
The cost of “non-exclusive” access ranges from $4,000 to $10,000, though some data is priced as low as $150 or as high as $40,000. Selling data rather than leaking it is usually considered a last resort for extortionists, but in the case of Meow, it has become their primary strategy.
Check Point experts note that while the group’s new tactic may be an attempt to stand out among competitors and increase pressure on victims, its profitability remains questionable. Many instances of data sales fail to generate the expected revenue, as the information often lacks appeal to other cybercriminals.
Meanwhile, RansomHub continued to lead in the number of attacks in August, accounting for 15% of all ransomware incidents. This group, which replaced LockBit and ALPHV/BlackCat, employs advanced encryption methods and targets Windows, macOS, Linux, and VMware ESXi systems. RansomHub solidified its leadership by recruiting former affiliates from the disbanded groups.
Despite active law enforcement efforts, LockBit remains operational, though it has lost much of its strength. In August, 8% of attacks were still linked to its LockBit 3 ransomware, which has long been available to other criminals following the leak of its source code.
Experts warn that the cybercrime landscape remains volatile, and organizations must remain vigilant to defend against the growing threat of ransomware.