
A batch of sample files reportedly stolen from California’s Superior Court in Sonoma County, some dating back to 2013, was posted for sale on the Meow ransomware group’s leak site on Tuesday.
The group claims to have stolen about 5GB of sensitive records from the court’s network systems, including a plethora of legal documents “providing valuable insights” into the inner workings of the courthouse.
“Dear customers! We are excited to offer you exclusive access to over 5 GB of confidential data from The Superior Court of California, County of Sonoma, a judicial body responsible for administering justice in civil, criminal, family, probate, and juvenile law cases within the Sonoma County jurisdiction,” the group wrote on its dark leak site.
“These records may be of significant interest to legal professionals, regulatory bodies, and other stakeholders,” it said.

California’s Sonoma County Superior Court is one of 58 superior courts in the state (one for each county), serving a population of just under half a million residents. Superior courts are the state’s highest-level trial courts.
According to the Russian-linked gang, the comprehensive data pack of 29 file samples contains employee data, client information, scanned payment documents, personal data (including dates of birth and Social Security numbers), agreements and certificates, addresses and banking information, as well as criminal records.
The group is offering the 5GB pack to one buyer for $20,000 but wrote it is willing to sell the stolen cache to more than one buyer for $10,000 each.
The confidential file samples, seen firsthand by Cybernews, showed a variety of court and criminal documents, including marriage certificates, court depositions, DWI records, conviction lists by name, bail bond collection reports showing the persons and the amounts paid, signed search warrants, pre-trial assessments, jail release requests, legal case filings, and even one form filled out for the annual welfare check of a sexually violent predator, also named.
Cybernews noted that some of the documents dated back to November 2013, while others were dated as late as September 20th, 2024.

Other documents appeared to be third-party vendor invoices, copies of cashed checks containing bank account information, employee payroll details, and employee health insurance enrollment forms.
Who is Meow?
Meow ransomware was first observed by security researchers in August 2022, but the group appeared to have dropped off the radar in February 2023, re-emerging in September that same year.
Also known as MeowCorp or MeowCorp2022, the threat actors often refer to themselves as an anti-Russian extortion group.
As of December 2023, the group had listed only about 10 victims on its dark leak site, including the world-renowned Memorial Sloan Kettering Cancer Center in New York City.
According to Cybernews' Ransomlooker monitoring tool, by September of this year, the group had increased its victim count to at least 90, ramping up its attacks and claiming 38 victims in August alone, with an average ask of between $20,000 and $40,000 per victim.

It is said to have derived from the NB65 ransomware, which is an altered version of the Russian-affiliated Conti v2 variant, according to a Meow profile by the cybersecurity technology firm WatchGuard.
The Conti v2 variant was apparently leaked by a Ukrainian hacker as payback for the group’s public support for Russia after the Spring 2022 invasion of Ukraine.
The ransomware itself is known to use the file extension ".MEOW," while its ransom notes – which contain four email addresses and two Telegram handles for victims to contact the gang – are titled “readme.txt.”
"MEOW! MEOW! MEOW! Your files have been encrypted! Need decrypt? Write to e-mail:...," the note states, followed by the gang's contact information.
Meow ransomware also shares similar characteristics to the Conti v2 ransomware in that it uses a combination of ChaCha20 and RSA-4096 to encrypt its victim files, WatchGuard said. Other ransomware strains created from the leaked Conti variant include Putin Team, ScareCrow, and BlueSky.