San Francisco Ballet hacked data posted for sale by two ransomware gangs


The iconic San Francisco Ballet Company has been reportedly breached by not one, but two ransomware groups – Meow and INC Ransom – and now it appears the personal information of company staff and dancers is being sold on the dark web.

The California ballet company was first claimed by the Meow ransomware group sometime over the past few weeks, although the gang’s leak site did not provide a date on its victim post.

The INC Ransom group posted its cache of sample files allegedly stolen from the ballet company on October 30th, but it appears Meow was the first group to breach the organization.

“We are excited to offer exclusive access to over 40 GB of confidential data from the San Francisco Ballet, the oldest professional ballet company in the United States, established in 1933,” Meow wrote in a post on its dark victim blog.

Meow leak site. Image by Cybernews.

The San Francisco Ballet Company is home to more than 70 dancers and roughly 50 staff members, while the SF Ballet School trains more than 700 young dancers each year, according to its website.

Its administrative offices, rehearsal space, and ballet school are based out of the Chris Hellman Center for Dance in downtown San Francisco with company performances taking place at the city’s War Memorial Opera House.

Meow claims to possess a “comprehensive data pack” providing “detailed insights” into the non-profit’s operations, including:

  • Employee data: personal details, passports, driver's licenses.
  • Client information: ticket purchases, contact details.
  • Contracts and commercial agreements.
  • Financial documents: bank statements, invoices, transaction records, balance sheets, tax forms.
  • Payroll and work-related data.
  • Legal and insurance documents.
  • Medical records: insurance cards, medical service forms.

The post includes a “Buy” button linking to its Telegram address for those interested in purchasing the stolen data. The data has been priced at $200,000 for one buyer, or $100,000 for multiple buyers.

Cybernews was able to examine the 30 samples Meow provided, which consist of copies of US passports, California driver’s licenses, insurance cards, signed W-4 tax forms, US Department of Homeland Security Employee Verification Forms, medical records, credit card account statements, credit applications, and other invoices, some dating back to 2017.

Meow leak site samples. Image by Cybernews.

Meanwhile, the INC Ransom group has its own collection of samples offered for sale on the group’s dark leak blog, which in contrast appears to contain sensitive information about the SF Ballet School's student population.

The gang provides 12 sample files, also viewed by Cybernews, including various US and international passports, student visas, class rosters, detailed 2024 expenditure records, and legal documents.

It’s not clear if INC Ransom purchased any of the sensitive files from Meow or if the group was able to piggyback its own attack after Meow’s claimed breach.

INC Ransom leak site. Image by Cybernews.

The SF Ballet Company has not made any public comments referencing the claims nor acknowledged any cyber incident involving its network servers.

Cybernews reached out to the dance company, but did not hear back at the time of publishing this report.

Who are Meow and INC Ransom?

Security researchers first observed Meow ransomware in August 2022, but the group appeared to have dropped off the radar in February 2023, re-emerging in September that same year. Also known as MeowCorp or MeowCorp2022, the threat actors often refer to themselves as an anti-Russian extortion group.

The group’s signature variant is said to be derived from the NB65 ransomware, which is an altered version of the Russian-affiliated Conti v2 variant, according to a Meow profile by the cybersecurity technology firm WatchGuard.

The Conti v2 variant was apparently leaked by a Ukrainian hacker as payback for the group’s public support for Russia after the Spring 2022 invasion of Ukraine.

As of December 2023, the group had listed only about 10 victims on its dark leak site, including the world-renowned Memorial Sloan Kettering Cancer Center in New York City. The Meow group’s average ransom demand is said to be between $20,000 and $40,000 per victim.

According to Cybernews' Ransomlooker monitoring tool, by September of this year, the group had increased its victim count to at least 90 casualties, and more recently added the Superior Court of California in Sonoma County in October.

Ransomlooker graph of Meow and INC Ransom group activity over the past 12 months. Image by Cybernews.

INC Ransom is another ransomware group first noted by security researchers in July 2023. The group is known to target corporate organizations primarily in the US, UK, and Australia, including in the healthcare, education, and government sectors.

According to Ransomlooker by Cybernews, INC Ransom has victimized at least 135 organizations over the last 12 months, including the San Francisco Sheriff's Department, the City of Leicester in England, the NHS Dumfries and Galloway Health Board of Scotland, and the Xerox Corporation at the end of 2023.

The gang, often using spear phishing attacks to compromise its victims, is considered a multi-extortion operation – which means it not only encrypts and steals its target’s data but then threatens to publish it online if the victim doesn’t pay up.
