In a significant blow to ransomware operations, Japanese police have released a free decryption tool that enables victims of Phobos and 8Base ransomware attacks to recover their files without paying criminals. This development follows coordinated international law enforcement actions earlier this year that disrupted the groups’ infrastructure and led to multiple arrests.

The Ransomware Menace

Phobos, operating since 2018 as a ransomware-as-a-service (RaaS) platform, let affiliates launch attacks worldwide. Despite receiving less media coverage than notorious groups like LockBit, it became one of the most pervasive threats to enterprises. In 2023, a splinter group dubbed 8Base emerged, pairing the Phobos encryptor with double-extortion tactics: encrypting data while threatening to leak stolen files.

"Phobos affiliates hit countless businesses worldwide, making this decryptor a critical lifeline," notes cybersecurity analyst Lawrence Abrams. The 2024 extradition of a suspected Phobos administrator from South Korea to the U.S. and the subsequent seizure of 27 servers signaled escalating pressure on these operations.

How the Decryptor Works

Available via Japan’s National Police Agency and Europol’s NoMoreRansom platform, the tool supports files encrypted with extensions like .phobos, .8base, .elbie, .faust, and .LIZARD. BleepingComputer verified its effectiveness against recent variants:

  1. Download & Setup: Browsers such as Chrome and Firefox may flag the download as malware; the article reports these warnings as false positives. Obtain the tool only from the National Police Agency or NoMoreRansom pages rather than from third-party mirrors, and enable long filename support in Windows if prompted.
  2. Recovery Process: Select encrypted folders and an output directory. The decryptor recursively processes files, preserving folder structures.
  3. Verification: In tests, it successfully restored all 150 files encrypted by a .LIZARD variant.
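Before running the decryptor it helps to know which files in a tree carry an extension the tool lists, and afterwards to confirm that every encrypted file has a recovered counterpart, as in the 150-file check above. The following Python script is an added example, not code from the article or from the decryptor's authors. It assumes the decryptor writes each recovered file under the same relative folder with the ransomware extension removed; that output layout, the sample file tree and the `.lockbit` and `.txt` filler names are constructed for the example.

```python
"""
Pre- and post-run triage for the Phobos/8Base decryptor (added example).

inventory() reports which files carry an extension the tool lists and how
many, and verify() checks that each encrypted file has a non-empty counterpart
in the decryptor's output directory. The output layout (same relative path,
final suffix dropped) is an assumption, not documented tool behaviour.
"""
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article names as supported. Matched case-insensitively,
# since the samples appear as both .phobos and .LIZARD.
SUPPORTED = {".phobos", ".8base", ".elbie", ".faust", ".lizard"}


def inventory(root):
    """Return ({extension: [relative paths]} for supported suffixes,
    Counter of every other suffix seen) so unlisted variants show up too."""
    root = Path(root)
    covered, other = {}, Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in SUPPORTED:
            covered.setdefault(ext, []).append(path.relative_to(root))
        else:
            other[ext] += 1
    return covered, other


def expected_output(rel_path):
    """Assumed decryptor naming: drop the final (ransomware) suffix, keep the folder."""
    rel_path = Path(rel_path)
    return rel_path.with_name(rel_path.stem)


def verify(root, output_dir):
    """Return (restored, missing): sorted POSIX-style relative paths of the
    encrypted files whose expected counterpart does or does not exist non-empty."""
    covered, _ = inventory(root)
    output_dir = Path(output_dir)
    restored, missing = [], []
    for paths in covered.values():
        for rel in paths:
            target = output_dir / expected_output(rel)
            ok = target.is_file() and target.stat().st_size > 0
            (restored if ok else missing).append(rel.as_posix())
    return sorted(restored), sorted(missing)


def build_sample(base):
    """Construct a small encrypted tree and a partial decryptor output
    (constructed sample data, not real victim files)."""
    base = Path(base)
    enc, out = base / "encrypted", base / "decrypted"
    samples = [
        "docs/report.docx.phobos",
        "docs/budget.xlsx.phobos",
        "hr/contracts.zip.8base",
        "media/logo.png.LIZARD",
        "notes/readme.txt",        # untouched file
        "notes/old.bak.lockbit",   # hypothetical suffix the tool does not list
    ]
    for rel in samples:
        p = enc / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 64)
    # Simulate a run that recovered everything except hr/contracts.zip.
    for rel in ["docs/report.docx", "docs/budget.xlsx", "media/logo.png"]:
        p = out / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"recovered")
    return enc, out


def demo():
    """Run inventory and verify against the constructed sample; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        enc, out = build_sample(tmp)
        covered, other = inventory(enc)
        counts = {ext: len(files) for ext, files in covered.items()}
        restored, missing = verify(enc, out)
    return counts, dict(other), restored, missing


if __name__ == "__main__":
    counts, other, restored, missing = demo()
    print("supported extensions found:", counts)
    print("other suffixes seen:", other)
    print(f"restored {len(restored)}, missing {len(missing)}: {missing}")
```

Point `inventory()` at the real tree (and `verify()` at the real tree plus the decryptor's output directory) in place of `build_sample()`; any suffix that appears in the `other` counter is a variant the article does not list and should be retested separately rather than assumed covered.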

Why This Matters

This decryptor exemplifies how global law enforcement collaboration can turn operational disruptions into tangible relief for victims. For enterprises, it underscores the importance of:
- Regularly backing up critical data
- Monitoring for ransomware indicators
- Checking NoMoreRansom for recovery tools before considering payments

Victims whose files carry other extensions should still try the tool, working on copies of a few files first, since the list of supported variants may grow. As ransomware tactics evolve, such decryption breakthroughs offer rare but powerful counterstrikes in the cybersecurity arms race.

Source: BleepingComputer