
Free Phobos & 8base Ransomware Decryptor Recovers Files

Summary

– Japanese police released a free decryptor for Phobos and 8Base ransomware, confirmed by BleepingComputer to successfully recover encrypted files.
– Phobos is a ransomware-as-a-service operation active since 2018, with affiliates splitting ransom payments; 8Base later emerged as a modified version using double extortion.
– In 2024, a suspected Phobos administrator was extradited to the U.S., and law enforcement disrupted the operation by seizing servers and arresting four 8Base affiliates.
– The decryptor, available via Japanese police and Europol, supports multiple file extensions but may trigger false malware warnings in browsers.
– Users can test the decryptor on encrypted files even without listed extensions, as it recursively decrypts files while preserving folder structure.

Victims of Phobos and 8Base ransomware now have a powerful new tool to reclaim their files without paying cybercriminals. Japanese authorities recently released a free decryptor capable of reversing the damage caused by these notorious ransomware strains. Independent testing confirms the tool works effectively, offering hope to businesses and individuals impacted by these attacks.

Phobos ransomware emerged in late 2018 as a ransomware-as-a-service (RaaS) operation, allowing affiliates to deploy its encryption tools in exchange for a cut of ransom payments. Though less publicized than some competitors, Phobos became one of the most widespread threats, targeting organizations globally. In 2023, a spin-off group called 8Base adopted a modified version of Phobos and added double-extortion tactics, that is, stealing data before encryption to pressure victims into paying.

Law enforcement agencies worldwide have been actively dismantling these operations. Earlier this year, a coordinated international effort disrupted Phobos by seizing 27 servers and arresting key suspects, including four individuals linked to 8Base. A Russian national allegedly involved in managing Phobos was also extradited to the U.S. to face charges.

The newly released decryptor, available through Japan’s National Police Agency and Europol’s NoMoreRansom initiative, supports files encrypted with extensions like .phobos, .8base, .elbie, .faust, and .LIZARD. However, authorities suggest testing it even if files have different extensions, as broader compatibility may exist.

Some users might encounter warnings from browsers like Chrome or Firefox, falsely flagging the decryptor as malware. Independent verification by cybersecurity experts confirms the tool is safe and functional. In tests, it successfully restored all files encrypted by a recent LIZARD variant of Phobos ransomware.

To use the decryptor:

  1. Download and launch the tool, accepting the license agreement.
  2. If prompted, allow the software to enable long file name support in Windows.
  3. Select the folder containing encrypted files and choose an output directory.
  4. Click Decrypt—the tool will process files recursively, preserving the original folder structure.

The decryptor displays the number of successfully recovered files upon completion. For victims still struggling with locked data, this tool represents a legitimate, no-cost solution backed by law enforcement. Given the unpredictable nature of ransomware, testing the decryptor, even with unsupported extensions, could yield positive results.

With cybercriminals constantly evolving their tactics, tools like this provide a critical lifeline. Organizations should still prioritize proactive security measures, but for those already affected, the decryptor offers a rare opportunity to undo the damage without further enriching criminal networks.

(Source: BleepingComputer)
