Free Decryptor Released for Phobos and 8Base

July 21, 2025

Japanese police have publicly released a free decryptor for the Phobos and 8Base ransomware families, making it available on their official website and Europol’s NoMoreRansom site. This significant development allows victims to recover their encrypted files, which often bear extensions like .phobos, .8base, .elbie, .faust, and .LIZARD, without succumbing to ransom demands. The decryptor’s creation is likely a direct result of intelligence gathered from recent international law enforcement operations that have successfully targeted and disrupted these ransomware groups. While some browsers may initially flag the software as malware, tests have confirmed its safety and effectiveness. Europol and the FBI are actively promoting this tool as a legitimate recovery solution, though users are advised to first remove the underlying malware with an antivirus to prevent re-encryption.

The Phobos ransomware, which operates under a Ransomware-as-a-Service (RaaS) model, has been active since May 2019. Government experts have linked various Phobos ransomware variants to one another on the basis of consistent Tactics, Techniques, and Procedures (TTPs). Initial access for Phobos attacks often involves phishing campaigns, IP scanning for vulnerable Remote Desktop Protocol (RDP) ports, or leveraging RDP in Microsoft Windows environments. Phobos intrusions frequently utilize widely available open-source tools such as SmokeLoader, Cobalt Strike, and BloodHound, contributing to its popularity among diverse threat actors. U.S. agencies like CISA, the FBI, and MS-ISAC issued a joint advisory in March 2024, warning about attacks involving Phobos variants like Backmydata, Devos, Eight, Elking, and Faust.

The 8Base ransomware operation, which emerged in March 2022 and saw a massive spike in activity in mid-2023, is closely linked to Phobos. In November 2023, Cisco Talos researchers observed 8Base operators deploying a variant of Phobos ransomware in their attacks. 8Base has evolved from Phobos affiliates, using a modified encryptor and employing double extortion tactics – not only encrypting data but also stealing it to coerce victims into paying. While Phobos variants are typically distributed by SmokeLoader, 8Base campaigns embed the ransomware component directly within their encrypted payloads, which are then decrypted and loaded into SmokeLoader’s memory.

This group has primarily targeted small and medium-sized businesses across various industries, including finance, manufacturing, business services, and IT.

Recent international law enforcement efforts have significantly impacted both Phobos and 8Base operations. In November 2024, Russian Phobos ransomware administrator Evgenii Ptitsyn was extradited from South Korea to the U.S. to face cybercrime charges. Ptitsyn is alleged to have played a key role in the RaaS model, selling the ransomware on darknet forums and receiving payments from affiliates who would then extort victims.

The Department of Justice alleges that the Phobos operation targeted over 1,000 public and private entities globally, extorting more than $16 million.

Further charges were unsealed in February 2025 against Russian nationals Roman Berezhnoy and Egor Glebov, also for operating a Phobos ransomware group. They are accused of targeting over 1,000 entities worldwide and extorting more than $16 million. These arrests were part of a coordinated international operation that also successfully dismantled the group’s infrastructure and led to additional arrests, demonstrating a global commitment to combating these pervasive ransomware threats and providing relief to victims.

Reference:

  • Authorities Release Free Decryption Tool for Victims of Phobos and 8Base Ransomware Attacks