Free Decryption Tool Released for Phobos and 8Base Ransomware: End of the Line for These Notorious Threats
Until recently, victims of the Phobos and 8Base ransomware families had virtually no recourse for recovering their encrypted data without paying a ransom. These strains were considered among the most resilient and widely deployed in the world. But now, there is a glimmer of hope: the Japanese police have developed and publicly released a free decryption tool capable of restoring encrypted files.
Phobos first surfaced in late 2018 and swiftly gained traction due to its ransomware-as-a-service (RaaS) model. This allowed cybercriminals to rent attack tools from the malware’s creators in exchange for a share of the ransom. Though Phobos received less media attention than some other threat groups, it became a prolific engine of attacks, primarily targeting corporate infrastructure.
In 2023, a group affiliated with Phobos launched its own initiative—8Base. While based on a modified version of the original ransomware, 8Base introduced a new layer of coercion: beyond data encryption, it also exfiltrated sensitive information and threatened public exposure, significantly increasing pressure on its victims.
A decisive turning point came in 2024, when an international law enforcement operation dealt a major blow to the infrastructure supporting Phobos and 8Base. Authorities from multiple nations collaborated to arrest four alleged leaders of 8Base, seize 27 servers, and extradite a Russian national to the United States, where he faces 13 criminal charges for allegedly coordinating Phobos-related operations.
It is believed that forensic evidence collected during the investigation enabled the creation of the decryption utility. Japanese authorities have made the tool publicly available without revealing the underlying technical details. It can be downloaded from the official police website and is also hosted on the NoMoreRansom platform with support from Europol. Instructions are provided in English.
Experts caution that, because of the way some browsers handle signature verification, browsers such as Chrome and Firefox may mistakenly flag the decryption file as malicious and block the download.
Currently, the tool supports file extensions including .phobos, .8base, .elbie, .faust, and .LIZARD—though this is not an exhaustive list. Even if your files are encrypted under a different extension, the tool may still be compatible, so attempting decryption is worthwhile.
BleepingComputer conducted its own tests using a virtual machine infected with a recent Phobos variant that appends the .LIZARD suffix to filenames. After launching the decryption tool, all 150 encrypted documents were successfully restored.
The utility’s operation is straightforward. Upon launch, users must accept a license agreement. If the operating system lacks support for long filenames, the tool prompts the user to adjust settings and restart itself. The user then selects the folder containing encrypted files and designates an output directory for the restored data. Both individual directories and full-disk processing are supported, with the folder structure faithfully reconstructed.
Upon completion, the tool displays a summary of successfully decrypted files. During testing, no errors were reported.
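An added example, not part of the article or the decryption tool: a pre-decryption inventory in Python that counts files carrying the extensions listed above, per extension and per folder, so the tool's completion summary can be reconciled against a known number, and that flags paths long enough to trigger the long-filename prompt. The 260-character threshold, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Extensions named in the article, lower-cased; the article says the list is not exhaustive.
SUPPORTED_EXTS = (".phobos", ".8base", ".elbie", ".faust", ".lizard")
# Assumption: 260 characters (legacy Windows MAX_PATH) is the limit behind
# the tool's long-filename prompt; the article does not give a number.
LONG_PATH_LIMIT = 260


def inventory(root, exts=SUPPORTED_EXTS, limit=LONG_PATH_LIMIT):
    """Count files under root that carry a listed extension, per extension and
    per folder, and collect the paths long enough to need long-path support."""
    by_ext, by_dir, long_paths, other = Counter(), Counter(), [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # .LIZARD and .lizard both match
            if ext not in exts:
                other += 1  # untouched files, or an extension not on the list
                continue
            by_ext[ext] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
            full = os.path.abspath(os.path.join(dirpath, name))
            if len(full) >= limit:
                long_paths.append(full)
    return {"total": sum(by_ext.values()), "by_ext": dict(by_ext),
            "by_dir": dict(by_dir), "long_paths": long_paths, "other": other}


def build_sample(root):
    """Constructed sample: empty placeholder files, not real encrypted data."""
    deep = os.path.join(*(["d" * 90] * 3))
    layout = {"docs": ["report.docx.LIZARD", "notes.txt.faust", "readme.txt"],
              "db": ["sales.mdf.8base"], deep: ["archive.zip.phobos"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = inventory(tmp)
        print("encrypted files:", report["total"], report["by_ext"])
        print("paths needing long-path support:", len(report["long_paths"]))
```

A large `other` count alongside a small `total` can indicate files encrypted under an extension that is not on the article's list.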