Victims of the Phobos and 8Base ransomware operations can now recover their encrypted files for free, thanks to a new decryptor tool released by Japanese police.

The tool is available for download on the Japanese police website and also through Europol’s NoMoreRansom platform.

Phobos ransomware has been active since December 2018 and operates under a ransomware-as-a-service (RaaS) model, enabling affiliates to launch attacks in exchange for a cut of the ransom. In 2023, a group of affiliates began operating under the 8Base name, using a modified Phobos encryptor and employing double extortion tactics: encrypting files and stealing data for ransom.

Following a major international law enforcement operation, authorities disrupted the Phobos gang in 2024, seizing 27 servers and arresting several individuals, including four Russian nationals linked to 8Base. This operation is believed to have led to the creation of the decryptor.

The tool currently supports file extensions like .phobos, .8base, .elbie, .faust, and .LIZARD, but may work on other variants as well.

BleepingComputer tested the decryptor on a machine infected with the .LIZARD variant and confirmed that it successfully decrypted all 150 encrypted files.

Note: Some web browsers such as Chrome and Firefox may mistakenly flag the decryptor as malware. However, it has been tested and verified as safe.

Victims can run the decryptor by selecting the path to encrypted files and a destination folder. The tool will automatically recreate folder structures and decrypt files recursively.



This release is a significant win for victims, law enforcement, and cybersecurity communities, showing that global cooperation can disrupt ransomware ecosystems and help victims recover without paying a ransom.
