Japanese Authorities Release Free Decryption Tool for Phobos and 8Base Ransomware

262/68 Monday, July 21, 2025

Japan’s cybersecurity authorities, in collaboration with Europol and the FBI, have released a free decryption tool for victims of the Phobos and 8Base ransomware strains, allowing affected users to recover their encrypted files without paying a ransom. The tool is available for download on the Japanese Police Agency’s website and from the international No More Ransom project. It supports files with extensions such as .phobos, .8base, .elbie, .faust, .LIZARD, and other related variants. Victims are advised to remove any active malware from their systems before using the decryptor to avoid the risk of re-encryption.

Phobos operates as a Ransomware-as-a-Service (RaaS) and has been active since 2019, spawning numerous variants like Backmydata, Devos, Eight, Elking, and Faust. Attackers commonly utilize open-source tools such as SmokeLoader, Cobalt Strike, and BloodHound to infiltrate target systems via phishing emails, RDP port scans, and payload obfuscation techniques. The 8Base ransomware group, considered an affiliate of Phobos, has gained notoriety since mid-2023 for aggressively targeting small and medium-sized businesses using double extortion tactics—encrypting files and threatening to leak stolen data if ransoms are not paid.

Law enforcement agencies have been intensifying their crackdown on the Phobos ransomware network. In November 2024, U.S. authorities extradited Evgenii Ptitsyn, a Russian national, from South Korea to face trial in the United States. He is accused of being linked to over 1,000 ransomware attacks globally, causing an estimated $16 million in damages. Known on the darknet as “derxan” and “zimmermanx,” Ptitsyn reportedly managed Phobos’s RaaS operations and distributed the malware to affiliate networks worldwide. In February 2025, the U.S. Department of Justice issued arrest warrants for additional co-conspirators, including Roman Berezhnoy and Egor Glebov, and seized infrastructure related to the ransomware group.

Source: https://securityaffairs.com/180108/malware/authorities-released-free-decryptor-for-phobos-and-8base-ransomware.html