Free Ransomware Decryptor Released for Phobos and 8Base Victims by Japanese Police

 

In a significant win against cybercrime, the Japanese police have unveiled a free ransomware decryptor that helps victims of Phobos and 8Base ransomware recover their encrypted files without paying a ransom. The tool has been independently tested and verified by BleepingComputer, which confirmed its effectiveness in decrypting compromised files.

Phobos, a ransomware-as-a-service (RaaS) operation, has been active since December 2018, allowing cybercriminals to deploy its encryption software in exchange for a share of the ransom. While it hasn’t gained as much public attention as other ransomware strains, it has been behind numerous global attacks, particularly targeting businesses.

In 2023, a subgroup of Phobos affiliates launched the 8Base ransomware, using a tweaked version of the original Phobos encryptor. This group adopted a more aggressive double extortion model—encrypting files and stealing data, then threatening to leak the information unless payment was made.

The international crackdown on these ransomware groups escalated in 2024, when a Russian national suspected of being a Phobos administrator was extradited from South Korea to the U.S. on a 13-count indictment. Later, a coordinated law enforcement operation dismantled the infrastructure behind the ransomware, seizing 27 servers and arresting four individuals linked to the 8Base group.

Now, leveraging intelligence reportedly gathered during these actions, the Japanese police have developed and released a decryptor tool. It is accessible via their official website and through Europol’s NoMoreRansom platform, with usage instructions available in English. Europol and the FBI are also backing the tool, underlining its legitimacy.

Though some browsers like Chrome and Firefox may flag the decryptor as malware, BleepingComputer assures users that it is safe and effective. In their test, the tool successfully decrypted all 150 files encrypted by a recent Phobos variant using the .LIZARD extension.

Currently, the decryptor supports several file extensions, including .phobos, .8base, .elbie, .faust, and .LIZARD, but the Japanese authorities note it may work with files carrying other extensions as well.

To use the tool:
  • Launch the decryptor and accept the license agreement.
  • Enable long file name support if prompted.
  • Select the encrypted files and specify an output directory.
  • Click Decrypt to start the process.

The tool also supports recursive decryption—preserving the original folder structure when restoring files.

Victims of Phobos and 8Base attacks are strongly encouraged to try the decryptor, even if their files use a different extension, as it may still work.
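A precaution the article does not state but that fits the steps above is to point the decryptor at copies rather than at the only surviving encrypted originals. The Python sketch below is an added example, not part of the police tool or the original post: it stages files with the extensions listed above into a separate folder with the same relative layout, verifies each copy by SHA-256, and flags paths at or beyond the classic Windows 260-character limit, which is assumed here to be what the long file name option addresses. The names `stage_encrypted`, `extra_exts` and the manifest fields are illustrative.

```python
import hashlib
import shutil
from collections import Counter
from pathlib import Path

# Extensions the article lists as supported (compared case-insensitively).
SUPPORTED_EXTS = {".phobos", ".8base", ".elbie", ".faust", ".lizard"}
# Assumption: the tool's long file name option relates to the Windows MAX_PATH limit.
MAX_PATH = 260


def sha256(path):
    """Hash a file in 1 MiB chunks so large encrypted files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_encrypted(src_root, stage_root, extra_exts=()):
    """Copy encrypted files to stage_root (outside src_root), keeping relative paths.

    Returns (manifest, counts): one dict per staged file, and files per extension.
    """
    src_root, stage_root = Path(src_root), Path(stage_root)
    wanted = SUPPORTED_EXTS | {e.lower() for e in extra_exts}
    manifest, counts = [], Counter()
    for path in sorted(src_root.rglob("*")):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in wanted:
            continue
        rel = path.relative_to(src_root)
        dest = stage_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # originals are only read, never modified
        digest = sha256(path)
        if sha256(dest) != digest:
            raise IOError(f"copy of {rel} does not match the original")
        counts[ext] += 1
        manifest.append({"relative_path": rel.as_posix(), "extension": ext,
                         "sha256": digest,
                         "long_path": len(str(dest.resolve())) >= MAX_PATH})
    return manifest, counts


if __name__ == "__main__":
    import sys
    entries, per_ext = stage_encrypted(sys.argv[1], sys.argv[2])
    print(dict(per_ext), sum(e["long_path"] for e in entries), "long paths")
```

Pass `extra_exts` to stage files with an extension outside the listed set, since the authorities note the tool may still handle them.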

“BleepingComputer can confirm that the decryptor successfully decrypted all 150 files encrypted by the LIZARD variant of Phobos ransomware.”

This development marks another step forward in the global fight against ransomware, giving victims a much-needed lifeline without resorting to ransom payments.