The Japanese police have surprised everyone with some excellent news: they have just released a free decryptor for the Phobos ransomware and its 8Base variant, allowing victims to recover their files without paying a penny. Best of all, there are already reports of users who have successfully restored their data.
History and demise of Phobos ransomware and its 8Base variant
For those unfamiliar with it, Phobos ransomware is one of those silent but dangerous threats. It emerged in 2018 as a ransomware-as-a-service model, where developers provided the tool and other criminals (affiliates) used it to launch attacks. When a victim paid the ransom, the money was split between the two.
Although it has not had as much visibility as other ransomware groups, Phobos has been very present, executing thousands of attacks on companies around the world in recent years. In fact, it is considered one of the most widespread ransomware programs today.
Now, with this free tool, many victims finally have a real chance to recover their information without giving in to digital blackmail.
Then in 2023, a new player emerged on the ransomware scene: 8Base, a group of affiliates that decided to go one step further. Using a modified version of the Phobos encryptor, they not only hijacked files, but also stole confidential information. Their technique was clear: double extortion. If you didn't pay, not only did you lose access to your data, but they also threatened to make it public.
A year later, in 2024, the pressure on these groups began to bear fruit. A Russian citizen, allegedly linked as an administrator of Phobos, was extradited from South Korea to the United States, where he faces a long list of charges related to ransomware activities.
But that wasn't all. This year, Phobos suffered a major blow: an international operation coordinated by security agencies managed to dismantle much of its infrastructure. In total, they seized 27 servers and arrested four Russian citizens believed to be at the helm of 8Base. This represents a huge step forward in the fight against this type of cybercrime.
Excerpt from the Phobos ransomware ransom note (Source: Malwarebytes)
Free Phobos and 8Base decryptor: How to recover your files without paying
The Japanese police recently released a free decryptor that allows you to recover encrypted files without paying a ransom.
Although it has not been officially disclosed how they managed to develop this tool, everything points to it being possible thanks to information gathered after the police operation that dismantled part of the Phobos network in 2024.
The decryptor is now available for download directly from the official Japanese police website, with detailed instructions in English. It is also available on Europol's NoMoreRansom platform and is backed by institutions such as Europol and the FBI, which guarantees its legitimacy and security.
Some browsers, such as Google Chrome or Firefox, may flag the file as malicious. This is due to the way the program interacts with encrypted files, but it is not a virus. In fact, multiple tests have confirmed that the decryptor works and is safe.
What types of files can it unlock?
Currently, the decryptor is compatible with files that have been encrypted with the following extensions:
- .phobos
- .8base
- .elbie
- .faust
- .LIZARD
However, the Japanese police say that other variants may be covered, so if your files have a different extension, it is still worth trying. In tests, the decryptor was able to recover files from recent versions of the Phobos ransomware, including those that added the .LIZARD extension to the names.
Files encrypted by the “Lizard” Phobos ransomware variant (Source: BleepingComputer)
How to use the decryptor to recover your encrypted files
Using the free decryptor is easier than it looks. Just follow these steps and in a few minutes you could have your files back:
- Open the decryptor and accept the license agreement.
- If your Windows system does not have support for long file names enabled (which is common), the tool will ask you to activate it. Just confirm and restart the program to continue.

Once it restarts:

- Select the folder where your encrypted files are located.
- Then choose a destination folder where the decrypted files will be saved.

When you're ready, click the “Decrypt” button and let the tool do its magic.
Decryptor that successfully decrypts all files in the folder
Helpful tip: You can even select the root of a drive (for example, the entire D: drive), and the program will search for encrypted files in all subfolders. In addition, it will maintain the same folder structure in the destination, so everything will remain well organized.
At the end of the process, you will see a summary with the total number of files that were successfully recovered. A practical and secure way to restore your information without having to give in to cybercriminals' blackmail.
Decrypted files (Source: BleepingComputer)
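To check the tool's final summary against what is actually on disk, the following added example (not part of the decryptor or of any police tooling) counts candidate files by the extensions listed above and reports encrypted files that have no restored counterpart in the mirrored destination folder. The function names are hypothetical, and the match assumes the restored file name is a prefix of the encrypted one.

```python
import os
import tempfile
from collections import Counter

# Extensions listed on this page, lower-cased for case-insensitive matching.
KNOWN_EXTS = {".phobos", ".8base", ".elbie", ".faust", ".lizard"}

def inventory(root, exts=KNOWN_EXTS):
    """Relative paths of files under root whose final extension is in exts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def count_by_extension(paths):
    """Tally candidate files per extension, to compare with the tool's summary."""
    return Counter(os.path.splitext(p)[1].lower() for p in paths)

def unrecovered(src_root, dst_root, exts=KNOWN_EXTS):
    """Encrypted files with no restored counterpart in the mirrored folder.

    Assumption: the restored name is a prefix of the encrypted name, because
    the ransomware appends its marker to the original file name.
    """
    missing = []
    for rel in inventory(src_root, exts):
        rel_dir, enc_name = os.path.split(rel)
        dst_dir = os.path.join(dst_root, rel_dir)
        names = os.listdir(dst_dir) if os.path.isdir(dst_dir) else []
        if not any(enc_name.lower().startswith(n.lower() + ".")
                   and os.path.isfile(os.path.join(dst_dir, n)) for n in names):
            missing.append(rel)
    return missing

if __name__ == "__main__":
    # Constructed sample tree; the file names are invented for the demo.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "dst")
        for d in (src, dst):
            os.makedirs(os.path.join(d, "docs"))
        for n in ("report.docx.LIZARD", "budget.xlsx.8base", "notes.txt"):
            open(os.path.join(src, "docs", n), "w").close()
        open(os.path.join(dst, "docs", "report.docx"), "w").close()
        found = inventory(src)
        print(dict(count_by_extension(found)))
        print("not recovered:", unrecovered(src, dst))
```

Files reported as not recovered are the ones to keep in encrypted form for a later attempt, since the page notes that other variants may be covered.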
Conclusion: An opportunity to recover your files
If you have been affected by Phobos ransomware or its 8Base variant, this is your chance. It doesn't matter if the files have unusual extensions or if you are unsure which variant infected you.
Remember: this breakthrough does not replace prevention. Keep your systems up to date, back up frequently, and train your team in good digital practices. Because even though we have this powerful tool today, ransomware is still present.
At TecnetOne, we know how important it is to stay ahead of threats. That's why we offer businesses TecnetProtect Backup, an advanced backup solution with active protection against ransomware, powered by Acronis technology.
Its main features include:
- Real-time anti-ransomware protection, which detects and blocks suspicious processes before they can encrypt files.
- Instant recovery of affected files without the need to pay ransoms.
- Automatic and encrypted backups, with local, cloud, or hybrid storage.
- Automatic integrity verification, ensuring that each backup is free of threats.
- Granular restoration, allowing you to recover from individual files to entire systems in minutes.
- Centralized management from an intuitive console, ideal for corporate environments.
With TecnetProtect Backup, you not only recover your information in the event of an attack, but you also prevent losses, minimize impact, and ensure business continuity. Because in cybersecurity, the best defense will always be to be prepared.