
There is good news for any organisation which has been hit by the Phobos ransomware.
Japanese police have released a free decryptor capable of recovering files encrypted by both the notorious Phobos ransomware and its offshoot 8Base.
What is Phobos Ransomware?
Phobos first emerged in late 2018, as a ransomware-as-a-service (RaaS) operation, working with affiliates to demand payment from victims after encrypting their files.
Over the years, many organisations have found themselves in the unpleasant position of receiving ransom demands from Phobos blackmailers who not only demanded payment for a decryptor but could also threaten to publish exfiltrated files.
More recently, however, the sun has not been shining favourably on Phobos.
In November 2024, US authorities extradited a Russian national from South Korea, alleged to be an administrator of the ransomware group.
And in February 2025, the US Department of Justice (DOJ) unsealed criminal charges against two men alleged to have been Phobos affiliates who extorted over US $16 million using the ransomware. The men - both Russian citizens said to have been actively involved in ransomware attacks for five years - were arrested in Phuket, Thailand.
In co-ordination with the arrests, law enforcement agencies seized 27 servers associated with Phobos's 8Base offshoots, shutting down its operations.

All of which, of course, is great news for anybody who wants the internet to be a safer place.
And now, with the release of the Phobos decryption tool, there is an option for past victims to restore encrypted data that they might have thought was lost forever.
Japanese police have not shared details of how they managed to create the decryption tool, but it seems likely that they have been able to leverage intelligence they gained as a result of the law enforcement operation against the Phobos gang.
How can I get the Phobos decryption tool?
The Phobos decryption tool can be downloaded (alongside hundreds of other ransomware decryption tools) from the No More Ransom project's website - one of the first ports of call for any individual or company whose computer has been hit by a ransomware attack.
It should go without saying that you should always back up your important data (even if encrypted) before running any decryption tool.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.