crabs

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by the Crabs ransomware are appended with the extension .<8-random-hex-characters>.crabs (example: accounts.xlsx.a1c4e7f9.crabs).
  • Renaming Convention: The malware keeps the original filename and its original extension intact, appends a dot followed by a random 8-character hex string, then the final “.crabs”.
    Example transformation: Project-Q4.docx → Project-Q4.docx.bf33aa12.crabs

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Crabs was first publicly reported in mid-January 2021 in telemetry from Europe. Peak infection waves occurred March–May 2021 in medium-sized manufacturing, legal-services and consulting firms.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Exploitation of unpatched MikroTik routers (Winbox service on TCP/8291) to expose internal RDP.
    – Phishing e-mails carrying malicious ISO or IMG attachments that launch PowerShell loaders.
    – RDP brute-force and credential-stuffing after the initial foothold to spread laterally.
    – Exploitation of CVE-2019-0708 “BlueKeep” on still-vulnerable Windows 7/Server 2008 systems found inside target networks.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Patch MikroTik RouterOS to ≥ 6.45.9 and disable Winbox on the WAN interface.
    – Disable or restrict RDP (TCP/3389) to VPN-only access and enforce NLA + 2FA.
    – Use reputable mail-gateway filtering against .iso/.img attachments.
    – Deploy AppLocker / WDAC to block PowerShell execution outside signed scripts.
    – Maintain routine, offline (immutable) backups; test restores monthly.

2. Removal

  • Infection Cleanup:
    1. Isolate the host(s): pull the network cable or disable Wi-Fi.
    2. Create a forensic image/backup before removal if prosecution is intended.
    3. Boot into Windows Safe Mode with Networking or boot from a clean USB (WinPE/Kaspersky Rescue).
    4. Scan for and delete malicious files and persistence:
       – %TEMP%\*.ps1 (PowerShell loader)
       – %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\runningStatus.exe (decryptor dropper)
       – Scheduled task MicrosoftUpdateCore (triggers the loader every 15 min).
    5. Use Microsoft Defender Offline / ESET Online Scanner / Malwarebytes to remove residual artifacts.
    6. Clear Shadow Copies (vssadmin delete shadows /all) if still intact, and verify the registry “Run” keys.

3. File Decryption & Recovery

  • Recovery Feasibility:
    As of today no free universal decryptor exists. Files can only be recovered with the attacker’s RSA-1024 private key, which was generated uniquely per victim and uploaded to the C2 server.
  • Tools / Patches:
    – Trigger file identifier tool (from CERT-RO): runs sigcheck -m on every *.crabs file to extract the victim-specific RSA key ID from the header; useful to check whether a matching decryptor dataset becomes available in future.
    – CyberChef + YARA: locate the first 256-byte header block (magic CRAB + key ID) to automate key-ID extraction.
    – Windows KB4499175 / KB4499180 for BlueKeep mitigation; RouterOS packages are available at MikroTik Downloads.
    – Recommended backup/test platforms: Veeam v11 (immutability), Commvault Metallic, or Azure Blob Storage with 30-day soft delete.
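
The naming pattern from section 1 and the header check described under Tools can be combined into a simple triage script. The following Python code is an added example, not part of the original profile and not the CERT-RO tool; it parses encrypted filenames, reads the first 256 bytes of each file, and groups affected files by the key ID found in the header. The header layout is an assumption: the profile only says the first 256-byte block carries the magic CRAB and a key ID, so the script assumes the ASCII bytes CRAB at offset 0 followed by a NUL-terminated printable key ID, and should be adjusted once a real sample is examined. All filenames, headers and key IDs below are constructed.

```python
import re
from collections import Counter, defaultdict

# Naming pattern from section 1: <original filename>.<8 random hex chars>.crabs
CRABS_NAME = re.compile(r"^(?P<original>.+)\.(?P<token>[0-9a-f]{8})\.crabs$", re.IGNORECASE)

# Header layout is an ASSUMPTION for this example. The profile only says the
# first 256-byte block carries the magic "CRAB" and a key ID; here the magic is
# taken to be the ASCII bytes b"CRAB" at offset 0, followed by the key ID as
# printable ASCII terminated by a NUL byte. Adjust once a real sample is examined.
HEADER_LEN = 256
MAGIC = b"CRAB"


def parse_crabs_name(name):
    """Return (original_filename, hex_token) if name matches the Crabs pattern, else None."""
    m = CRABS_NAME.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("token").lower()


def extract_key_id(header):
    """Return the key ID from a 256-byte file header, or None if the magic is missing."""
    if len(header) < HEADER_LEN or not header.startswith(MAGIC):
        return None
    body = header[len(MAGIC):]
    end = body.find(b"\x00")
    raw = body if end < 0 else body[:end]
    try:
        key_id = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return key_id if key_id and key_id.isprintable() else None


def triage(files):
    """files: iterable of (filename, first_256_bytes).

    Returns a summary: total encrypted files, counts per key ID (so a multi-key
    incident is visible at a glance), the original names behind each key ID,
    and files whose name matches but whose header does not carry the magic.
    """
    per_key = Counter()
    originals = defaultdict(list)
    unknown_header = []
    for name, header in files:
        parsed = parse_crabs_name(name)
        if parsed is None:
            continue  # not an encrypted file (ransom note, untouched file, ...)
        original, _token = parsed
        key_id = extract_key_id(header)
        if key_id is None:
            unknown_header.append(name)
        else:
            per_key[key_id] += 1
            originals[key_id].append(original)
    return {
        "encrypted": sum(per_key.values()) + len(unknown_header),
        "per_key": dict(per_key),
        "originals": dict(originals),
        "unknown_header": unknown_header,
    }


def make_header(key_id):
    """Build a constructed header under the assumed layout, padded to 256 bytes."""
    return (MAGIC + key_id.encode("ascii") + b"\x00").ljust(HEADER_LEN, b"\x00")


# Constructed sample: names follow the documented pattern; key IDs are invented.
SAMPLE_FILES = [
    ("accounts.xlsx.a1c4e7f9.crabs", make_header("VICTIM-KEY-0001")),
    ("Project-Q4.docx.bf33aa12.crabs", make_header("VICTIM-KEY-0001")),
    ("__readme.txt", b"ransom note text"),                        # note, not encrypted
    ("notes.txt.deadbeef.crabs", b"PK\x03\x04" + b"\x00" * 252),  # name matches, no magic
    ("photo.jpg.12345678.crabs", make_header("VICTIM-KEY-0002")),
]

if __name__ == "__main__":
    summary = triage(SAMPLE_FILES)
    print(f"{summary['encrypted']} encrypted files, key IDs: {summary['per_key']}")
    for name in summary["unknown_header"]:
        print(f"warning: {name} matches the name pattern but header magic is absent")
```

Files whose name matches but whose header lacks the magic are reported separately rather than silently counted under a key ID: in a real incident they usually indicate either a different encryptor variant or a file that was renamed but not actually encrypted, and both cases deserve a manual look before any recovery attempt.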

4. Other Critical Information

  • Additional Precautions:
    – Crabs deletes Volume Shadow Copies before encryption via vssadmin.exe delete shadows /all /quiet.
    – It terminates SQL Server, MySQL, SQLWriter and Exchange-related services to unlock their databases.
    – It drops __readme.txt ransom notes into every folder and replaces the desktop wallpaper with a PNG embedded in the decryptor binary; the wallpaper change is persistent and removal requires a manual registry or GPO reset.
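
The behaviours listed above, together with the MicrosoftUpdateCore task and the %TEMP% PowerShell loader from the Removal section, are exactly the events a detection pipeline should correlate. The following Python script is an added example, not from the original profile; it runs a handful of regex rules over constructed process-creation and file-creation log lines in an assumed pipe-delimited format (ISO timestamp|host|event id|command line or path) and raises an alert only when a host shows two or more distinct behaviours within 30 minutes, so a lone administrator running vssadmin is recorded but not alerted. The service names MSSQLSERVER and MSExchangeIS, the schtasks command line and the loader filename are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules derived from the behaviours this profile lists. Each regex is applied to
# the command line (process creation) or path (file creation) field of an event.
# Service names (MSSQL*, SQLWriter, MySQL*, MSExchange*) are the usual Windows
# names for the services the profile mentions; they are assumptions for the example.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("db_service_stop", re.compile(
        r"\b(?:net\s+stop|sc\s+stop|Stop-Service)\b.*\b(?:MSSQL\w*|SQLWriter|MySQL\w*|MSExchange\w*)\b", re.I)),
    ("ransom_note_drop", re.compile(r"[\\/]__readme\.txt$", re.I)),
    ("loader_task", re.compile(r"schtasks(?:\.exe)?\b.*/create\b.*/tn\s+\"?MicrosoftUpdateCore\b", re.I)),
    ("temp_ps1_reference", re.compile(r"(?:%TEMP%|\\Temp)\\[^\\\s]+\.ps1\b", re.I)),
]


def parse_line(line):
    """Assumed log format: ISO timestamp|host|event id|command line or file path."""
    ts, host, event_id, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, int(event_id), detail


def match_rules(detail):
    """Names of all rules whose pattern matches the detail field."""
    return [name for name, rx in RULES if rx.search(detail)]


def analyse(lines, window=timedelta(minutes=30), min_rules=2):
    """Return {host: {"rules": [...], "alert": bool}} for hosts with at least one hit.

    A host is alerted when min_rules distinct behaviours occur within `window`;
    a single hit (e.g. an admin running vssadmin) is recorded but not alerted.
    """
    hits = defaultdict(list)  # host -> [(timestamp, rule name)]
    for line in lines:
        ts, host, _event_id, detail = parse_line(line)
        for rule in match_rules(detail):
            hits[host].append((ts, rule))

    result = {}
    for host, events in hits.items():
        events.sort()
        alert = False
        for i, (t0, _) in enumerate(events):
            in_window = {rule for ts, rule in events[i:] if ts - t0 <= window}
            if len(in_window) >= min_rules:
                alert = True
                break
        result[host] = {"rules": sorted({rule for _, rule in events}), "alert": alert}
    return result


# Constructed sample log (Sysmon-style event IDs: 1 = process create, 11 = file create).
SAMPLE_LOG = [
    "2021-04-12T02:10:05|FS01|1|C:\\Windows\\System32\\schtasks.exe /create /tn MicrosoftUpdateCore /sc minute /mo 15 /tr C:\\Users\\svc\\AppData\\Local\\Temp\\upd.ps1",
    "2021-04-12T02:14:07|FS01|1|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2021-04-12T02:14:09|FS01|1|net stop MSSQLSERVER /y",
    "2021-04-12T02:14:10|FS01|1|net stop MSExchangeIS /y",
    "2021-04-12T02:15:31|FS01|11|C:\\Shares\\Finance\\__readme.txt",
    "2021-04-12T09:00:00|WS07|1|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2021-04-13T09:00:00|WS07|11|C:\\Users\\jdoe\\Desktop\\readme.txt",
]

if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG).items():
        flag = "ALERT" if info["alert"] else "info"
        print(f"{flag} {host}: {', '.join(info['rules'])}")
```

The correlation window is the important design choice: shadow-copy deletion and mass service stops each have legitimate uses, but the two occurring on the same file server minutes apart, followed by __readme.txt files appearing in shares, is the sequence this profile describes, and alerting on the combination keeps the rule set usable without tuning away the individual indicators.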

  • Broader Impact:
    While not as widespread as Conti or Ryuk, Crabs caused one law firm more than 14 days of downtime in April 2021 because its offline backups had been encrypted via mapped drives. The attack pattern (router compromise → RDP pivot) highlights the risk of exposing management services on the public Internet.

    Mitigating the router exposure and hardening privileged accounts (local administrator and Domain Admin) are the most effective countermeasures against future Crabs waves.