Authorities released free decryptor for Phobos and 8base ransomware

Japanese police released a free decryptor for Phobos and 8Base ransomware, letting victims recover files without paying ransom.


Japanese police released the free decryptor for both ransomware families; it was likely built with intelligence obtained in the recent takedown of the gang's infrastructure. The tool can be downloaded from the police website and from Europol's NoMoreRansom site.

The tool handles files carrying the .phobos, .8base, .elbie, .faust and .LIZARD extensions, and may support others. Some browsers flag the download as malware; tests confirm these are false positives and that the tool works as intended, but victims should fetch it only from the official police page or NoMoreRansom rather than from mirrors. Europol and the FBI are promoting it as an official recovery solution.

NoMoreRansom warns users to remove the malware first with a reliable antivirus before using the decryptor, or files may be re-encrypted repeatedly.
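The "remove the malware first" advice is easy to state and hard to verify. One practical check is to inventory the files that carry the extensions the article lists, wait, and inventory again: if new encrypted files keep appearing, an encryptor is still running and the decryptor should not be used yet. The script below is an added example, not code from the article or from the Japanese police tool; it assumes only the extensions named above, and the directory tree it builds is constructed for the demonstration.

```python
"""Inventory Phobos/8Base-encrypted files and detect ongoing re-encryption.

Added example for this article; not part of the police decryptor or NoMoreRansom.
Only the extensions named in the article are assumed; the sample tree is constructed.
"""
import os
import tempfile
from pathlib import Path

# Extensions the article says the decryptor handles (compared case-insensitively,
# since .LIZARD is written in upper case in the wild).
PHOBOS_EXTENSIONS = {".phobos", ".8base", ".elbie", ".faust", ".lizard"}


def is_phobos_encrypted(path) -> bool:
    """True if the file's final extension matches a known Phobos/8Base extension."""
    return Path(path).suffix.lower() in PHOBOS_EXTENSIONS


def inventory(root: Path) -> dict:
    """Map each encrypted file (path relative to root) to its size in bytes."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if is_phobos_encrypted(p):
                result[str(p.relative_to(root))] = p.stat().st_size
    return result


def newly_encrypted(before: dict, after: dict) -> list:
    """Files that are encrypted in `after` but were not in `before`.

    A non-empty list after the host was supposedly cleaned means an encryptor
    is still active: stop, remove it, and only then run the decryptor.
    """
    return sorted(set(after) - set(before))


def summarize(inv: dict) -> dict:
    """Count encrypted files per extension, useful for the incident report."""
    counts = {}
    for rel in inv:
        ext = Path(rel).suffix.lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def demo():
    """Build a constructed victim tree, snapshot it, simulate re-encryption, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # Constructed file names using the extensions from the article.
        (root / "docs" / "report.docx.phobos").write_bytes(b"\x00" * 64)
        (root / "docs" / "budget.xlsx.8base").write_bytes(b"\x00" * 32)
        (root / "notes.txt").write_bytes(b"plain text, untouched")
        before = inventory(root)
        # Simulate an encryptor that is still running and touches another file.
        (root / "notes.txt.faust").write_bytes(b"\x00" * 16)
        after = inventory(root)
        return summarize(before), newly_encrypted(before, after)


if __name__ == "__main__":
    counts, fresh = demo()
    print("encrypted files by extension:", counts)
    print("files encrypted since first snapshot:", fresh or "none")
```

On a real host, run `inventory()` against the data volumes, leave the machine idle for a while, and run it again; only when `newly_encrypted()` stays empty across several passes is it reasonable to start the decryptor.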

The Phobos operation uses a ransomware-as-a-service (RaaS) model and has been active since May 2019. Based on open-source information, government experts linked multiple Phobos ransomware variants to Phobos intrusions because of similarities in their Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved widely available tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are easy to obtain and use across different operating environments, which contributes to the popularity of Phobos and its variants among a range of threat actors.

Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks through phishing campaigns that dropped hidden payloads, or by scanning for exposed Remote Desktop Protocol (RDP) ports with IP scanning tools such as Angry IP Scanner and then abusing RDP on Microsoft Windows hosts. In March 2024, US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory (CSA) warning of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.
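The RDP-facing initial access described above leaves a recognisable trail in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, often against several account names, sometimes followed by a success (event 4624) from the same source. The detector below is an added example, not code from the article, the CISA advisory or any vendor tool; it assumes the events have been exported to a tab-separated form with timestamp, event ID, logon type, target user and source IP, and the sample lines are constructed.

```python
"""Flag RDP password-guessing in exported Windows logon events.

Added example for this article; not from the article, CISA or any vendor product.
Assumes a tab-separated export (timestamp, event id, logon type, user, source ip).
The sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP). "-" means no network source.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01\t4625\t10\tadministrator\t203.0.113.7
2024-03-01T02:00:03\t4625\t10\tadmin\t203.0.113.7
2024-03-01T02:00:05\t4625\t10\tbackup\t203.0.113.7
2024-03-01T02:00:07\t4625\t10\tsvc_sql\t203.0.113.7
2024-03-01T02:00:09\t4625\t10\thelpdesk\t203.0.113.7
2024-03-01T02:00:11\t4625\t10\tadministrator\t203.0.113.7
2024-03-01T02:05:00\t4624\t10\tadministrator\t203.0.113.7
2024-03-01T09:15:00\t4625\t10\tjsmith\t10.0.0.25
2024-03-01T09:15:40\t4625\t10\tjsmith\t10.0.0.25
2024-03-01T09:16:10\t4624\t10\tjsmith\t10.0.0.25
2024-03-01T09:20:00\t4625\t2\tjdoe\t-
"""


def parse_events(text: str) -> list:
    """Parse the tab-separated export into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split("\t")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "logon_type": int(ltype),
            "user": user,
            "ip": ip,
        })
    return events


def detect_rdp_bruteforce(events: list, window=timedelta(minutes=5), threshold=5) -> dict:
    """Return {source_ip: details} for sources with >= threshold failed RDP logons
    inside any sliding window. `followed_by_success` marks sources that later
    logged on successfully over RDP, i.e. the guessing probably worked."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10 or e["ip"] == "-":
            continue  # only network RDP logons are of interest here
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = fails[start:end + 1]
                last_failure = burst[-1]["ts"]
                alerts[ip] = {
                    "failures": count,
                    "distinct_users": sorted({f["user"] for f in burst}),
                    "followed_by_success": any(t > last_failure for t in successes[ip]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

The two failed attempts from 10.0.0.25 stay below the threshold and are treated as a user mistyping a password; the six failures from 203.0.113.7 against five different accounts, followed by a successful RDP logon, are exactly the pattern that precedes a Phobos deployment and should be escalated.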

In November 2023, Cisco Talos researchers observed 8Base ransomware operators using a variant of the Phobos ransomware in their attacks. 8Base emerged in 2023 from the Phobos affiliate base, using a modified encryptor and double extortion, stealing data before encrypting it to pressure victims into paying.

Phobos variants are usually delivered by SmokeLoader; in 8Base campaigns the ransomware component is embedded in SmokeLoader's encrypted payloads, then decrypted and loaded into the SmokeLoader process's memory.

In June 2023, VMware Carbon Black researchers observed an intensification of the activity associated with a stealthy ransomware group named 8Base. The experts observed a massive spike in activity associated with this threat actor between May and June 2023.

The group has been active since March 2022 and focuses on small and medium-sized businesses in multiple industries, including finance, manufacturing, business services, and IT.

In November 2024, Russian Phobos ransomware operator Evgenii Ptitsyn, suspected of playing a key role in the ransomware operations, was extradited from South Korea to the US to face cybercrime charges.

According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments.

The Russian national was allegedly involved in the development, sale, distribution, and operations of the ransomware.

Evgenii Ptitsyn and others allegedly ran an international hacking scheme since November 2020, deploying Phobos ransomware to extort victims. Ptitsyn reportedly sold the ransomware on darknet forums under aliases like “derxan” and “zimmermanx,” enabling other criminals to encrypt data and demand ransom.

Ptitsyn and his conspirators used a ransomware-as-a-service (RaaS) model to distribute their malware to a network of affiliates. Affiliates paid fees to administrators like Ptitsyn for decryption keys, with payments routed via unique cryptocurrency wallets from 2021–2024.

In February 2025, the U.S. Justice Department unsealed charges against Russian nationals Roman Berezhnoy and Egor Glebov for operating a Phobos ransomware group. They allegedly targeted over 1,000 public and private entities worldwide, extorting more than $16 million in ransom. Both were arrested in a coordinated international operation that also dismantled the group’s infrastructure and led to further arrests.


Pierluigi Paganini

(SecurityAffairs – hacking, 8base ransomware)
