{"id":81528,"date":"2017-10-24T15:31:49","date_gmt":"2017-10-24T22:31:49","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=81528"},"modified":"2025-05-27T22:49:10","modified_gmt":"2025-05-28T05:49:10","slug":"badrabbit-ransomware-burrows-russia-ukraine","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/","title":{"rendered":"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine"},"content":{"rendered":"<p><em>This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani.<\/em><\/p>\n<p>McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and the Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates as more information becomes available. For McAfee product coverage, please see <a href=\"https:\/\/securingtomorrow.mcafee.com\/business\/how-mcafee-products-can-protect-against-badrabbit-ransomware\/\" target=\"_blank\" rel=\"noopener\">\u201cHow McAfee Products Can Protect Against BadRabbit Ransomware.\u201d<\/a><\/p>\n<p>When victims visit the following site, a dropper is downloaded:<\/p>\n<p style=\"padding-left: 30px;\">hxxp:\/\/1dnscontrol[dot]com\/flash_install.php<\/p>\n<p>After infection, the victim sees the following screen:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-81530 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\" alt=\"\" width=\"720\" height=\"398\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg 720w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1-300x166.jpg 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p>The ransomware is currently charging 0.05 Bitcoin; however, there is no confirmation that paying the ransom will result in a decryption key being provided.<\/p>\n<p>A decryption site at the following .onion (Tor) domain displays the time that victims have left before the price goes up:<\/p>\n<p style=\"padding-left: 30px;\">caforssztxqzf2nm[dot]onion<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-81531 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2.png\" alt=\"\" width=\"1430\" height=\"969\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2.png 1430w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2-300x203.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2-768x520.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2-1024x694.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-2-738x500.png 738w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/a><\/p>\n<p>Files with the following extensions are encrypted:<\/p>\n<p style=\"padding-left: 30px;\">.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf .der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key .mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx .php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff 
.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.<\/p>\n<p>The malware starts a command line with the following values:<\/p>\n<p style=\"padding-left: 30px;\">Cmd \/c schtasks \/Create \/RU SYSTEM \/SC ONSTART \/TN rhaegal \/TR &#8220;C:\\Windows\\system32\\cmd.exe \/C Start \\&#8221;\\&#8221; \\&#8221;C:\\Windows\\dispci.exe\\&#8221; -id 1082924949 &amp;&amp; exit&#8221;<\/p>\n<p>\u201c\/TN rhaegal\u201d refers to a system account with the name rhaegal used to create the scheduled task and start the ransomware file dispci.exe. Rhaegal is likely a reference to a dragon from the popular TV show \u201cGame of Thrones.\u201d In fact, three dragon names\u2014Rhaegal, Viserion, and Drogon\u2014are used in relation to the following scheduled tasks:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-81532 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-3.jpg\" alt=\"\" width=\"547\" height=\"332\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-3.jpg 547w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-3-300x182.jpg 300w\" sizes=\"auto, (max-width: 547px) 100vw, 547px\" \/><\/a><\/p>\n<p>The malware then uses the following commands to clear security logs and delete the update sequence number (USN) change journal, which is used, for example, to recover files:<\/p>\n<p style=\"padding-left: 30px;\">Cmd \/c wevtutil cl Setup &amp; wevtutil cl System &amp; wevtutil cl Security &amp; wevtutil cl Application &amp; fsutil usn deletejournal \/D C:<\/p>\n<p>The USN change journal provides a persistent log of all changes made to files on the volume, according to the Microsoft Developer Network. 
As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the USN change journal, one for each volume on the computer. Each record indicates the type of change and the object changed. New records are appended to the end of the stream.<\/p>\n<p>We also found a DNS query to ACA807##.ipt.aol[dot]com, in which the \u201c##\u201d is a two-digit hex number from 00 to FF.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-81534 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-4.jpg\" alt=\"\" width=\"1429\" height=\"250\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-4.jpg 1429w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-4-300x52.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-4-768x134.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-4-1024x179.jpg 1024w\" sizes=\"auto, (max-width: 1429px) 100vw, 1429px\" \/><\/a><\/p>\n<p>We created a graph of the events occurring during an infection by one of the BadRabbit samples. The initial binary loads itself into memory and kills the initial process. Further processes drop configuration, services files, and other artifacts used in the attacks. 
The graph ends with the creation of the preceding scheduled tasks.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-81535 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5.jpg\" alt=\"\" width=\"2614\" height=\"871\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5.jpg 2614w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5-300x100.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5-768x256.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5-1024x341.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-5-1501x500.jpg 1501w\" sizes=\"auto, (max-width: 2614px) 100vw, 2614px\" \/><\/a><\/p>\n<h2><strong>Embedded Credentials<\/strong><\/h2>\n<p>One of the samples (579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648) seems to contain a list of default credentials with an attempt to brute-force credentials and get the scheduled tasks to execute the ransomware:<\/p>\n<ul>\n<li>secret<\/li>\n<li>123321<\/li>\n<li>zxc321<\/li>\n<li>zxc123<\/li>\n<li>qwerty123<\/li>\n<li>qwerty<\/li>\n<li>qwe321<\/li>\n<li>qwe123<\/li>\n<li>111111<\/li>\n<li>password<\/li>\n<li>test123<\/li>\n<li>admin123Test123<\/li>\n<li>Admin123<\/li>\n<li>user123<\/li>\n<li>User123<\/li>\n<li>guest123<\/li>\n<li>Guest123<\/li>\n<li>administrator123<\/li>\n<li>Administrator123<\/li>\n<li>1234567890<\/li>\n<li>123456789<\/li>\n<li>12345678<\/li>\n<li>1234567<\/li>\n<li>123456<\/li>\n<li>adminTest<\/li>\n<li>administrator<\/li>\n<li>netguest<\/li>\n<li>superuser<\/li>\n<li>nasadmin<\/li>\n<li>nasuser<\/li>\n<li>ftpadmin<\/li>\n<li>ftpuser<\/li>\n<li>backup<\/li>\n<li>operator<\/li>\n<li>other 
user<\/li>\n<li>support<\/li>\n<li>manager<\/li>\n<li>rdpadmin<\/li>\n<li>rdpuser<\/li>\n<li>user-1<\/li>\n<li>Administrator<\/li>\n<\/ul>\n<h2><strong>Game of Thrones Fans?<\/strong><\/h2>\n<p>It is common for attackers to use pop-culture references in their attacks. These attackers seem to have an interest in \u201cGame of Thrones,\u201d with at least three references to the series. Viserion, Rhaegal, and Drogon are names of scheduled tasks. GrayWorm, the name of a \u201cGame of Thrones\u201d commander, is the product name in the binary\u2019s EXIF data.<\/p>\n<p><strong>Detection<\/strong><\/p>\n<p>There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable. <strong>McAfee detects all three:<\/strong><\/p>\n<ul>\n<li>630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da<\/li>\n<li>8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93<\/li>\n<li>579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. 
McAfee&#8230;<\/p>\n","protected":false},"author":460,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[76,338,4549],"coauthors":[1359,3576],"class_list":["post-81528","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybercrime","tag-endpoint-protection","tag-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine | McAfee Blog<\/title>\n<meta name=\"description\" content=\"This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. McAfee is currently\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. 
McAfee is currently\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-10-24T22:31:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T05:49:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"720\" \/>\n\t<meta property=\"og:image:height\" content=\"398\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Raj Samani, Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@raj_samani\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Raj Samani, Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/\"},\"author\":{\"name\":\"Raj Samani\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c599d4c6fbfe639ab3c623dbab743efc\"},\"headline\":\"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine\",\"datePublished\":\"2017-10-24T22:31:49+00:00\",\"dateModified\":\"2025-05-28T05:49:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/\"},\"wordCount\":779,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\",\"keywords\":[\"cybercrime\",\"endpoint protection\",\"ransomware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/\",\"name\":\"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\",\"datePublished\":\"2017-10-24T22:31:49+00:00\",\"dateModified\":\"2025-05-28T05:49:10+00:00\",\"description\":\"This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. McAfee is currently\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c599d4c6fbfe639ab3c623dbab743efc\",\"name\":\"Raj 
Samani\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/84322977b2e4d74026259dbee600b443\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/Picture1-1-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/Picture1-1-96x96.png\",\"caption\":\"Raj Samani\"},\"description\":\"Raj Samani is Chief Scientist and Fellow for the Enterprise business. He has assisted multiple law enforcement agencies in cybercrime cases and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall of Fame, Peter Szor award, and Intel Achievement Award, among others. He is the co-author of the book \\\"Applied Cyber Security and the Smart Grid\\\" and the \\\"CSA Guide to Cloud Computing,\\\" as well as technical editor for numerous other publications.\",\"sameAs\":[\"http:\/\/www.mcafee.com\/\",\"https:\/\/www.linkedin.com\/in\/raj-samani-3697b9\/\",\"https:\/\/x.com\/raj_samani\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/raj-samani\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine | McAfee Blog","description":"This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. 
McAfee is currently","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine | McAfee Blog","og_description":"This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. McAfee is currently","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-10-24T22:31:49+00:00","article_modified_time":"2025-05-28T05:49:10+00:00","og_image":[{"width":720,"height":398,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg","type":"image\/jpeg"}],"author":"Raj Samani, Christiaan Beek","twitter_card":"summary_large_image","twitter_creator":"@raj_samani","twitter_site":"@McAfee","twitter_misc":{"Written by":"Raj Samani, Christiaan Beek","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/"},"author":{"name":"Raj Samani","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c599d4c6fbfe639ab3c623dbab743efc"},"headline":"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine","datePublished":"2017-10-24T22:31:49+00:00","dateModified":"2025-05-28T05:49:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/"},"wordCount":779,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg","keywords":["cybercrime","endpoint protection","ransomware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/","name":"\u2018BadRabbit\u2019 Ransomware Burrows Into Russia, Ukraine | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg","datePublished":"2017-10-24T22:31:49+00:00","dateModified":"2025-05-28T05:49:10+00:00","description":"This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and\u00a0Raj Samani. McAfee is currently","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20171024-BadRabbit-1.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/badrabbit-ransomware-burrows-russia-ukraine\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"\u2018BadRabbit\u2019 Ransomware 
Burrows Into Russia, Ukraine"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/c599d4c6fbfe639ab3c623dbab743efc","name":"Raj Samani","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/84322977b2e4d74026259dbee600b443","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/Picture1-1-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/Picture1-1-96x96.png","caption":"Raj Samani"},"description":"Raj Samani is Chief Scientist and Fellow for the Enterprise business. He has assisted multiple law enforcement agencies in cybercrime cases and is a special advisor to the European Cybercrime Centre in The Hague. 
Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall of Fame, Peter Szor award, and Intel Achievement Award, among others. He is the co-author of the book \"Applied Cyber Security and the Smart Grid\" and the \"CSA Guide to Cloud Computing,\" as well as technical editor for numerous other publications.","sameAs":["http:\/\/www.mcafee.com\/","https:\/\/www.linkedin.com\/in\/raj-samani-3697b9\/","https:\/\/x.com\/raj_samani"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/raj-samani\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/81528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/460"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=81528"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/81528\/revisions"}],"predecessor-version":[{"id":214568,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/81528\/revisions\/214568"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=81528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=81528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=81528"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=81528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}