
Japanese police release decryptor for Phobos ransomware after February takedown

Victims of Phobos and 8Base ransomware incidents will now have access to a decryptor thanks to Japan’s National Police Agency. 

On Thursday, Japanese officials published the free decryption tool along with an English-language guide for organizations impacted by the group's attacks. U.S. prosecutors previously said operators of the strains collected upwards of $16 million from about 1,000 victims worldwide dating back to 2019. As with any decryptor, affected organizations should obtain the tool only from the agency's official page, verify its hash where one is published, and test it on copies of encrypted files before running it against production data.

The tool was shared by the European Cybercrime Centre and the FBI, which noted that its Baltimore office led an investigation that culminated in charges against Phobos affiliates earlier this year. 

Phobos is best known for accepting significantly smaller ransoms than most ransomware operations, including several under $100,000.

U.S. authorities warned in February 2024 that Phobos attacks were impacting state, local, tribal and territorial governments — damaging “municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.”

The spinoff operation named 8Base ramped up its activity in the summer of 2023 and the group claimed responsibility for high-profile attacks on the United Nations Development Programme and the Atlantic States Marine Fisheries Commission as well as a Canadian agency that administers dental benefit plans for disabled people in Alberta.

“Taking advantage of Phobos’s infrastructure, 8Base developed its own variant of the ransomware, using its encryption and delivery mechanisms to tailor attacks for maximum impact,” Europol said earlier this year. 

“This group has been particularly aggressive in its double extortion tactics, not only encrypting victims' data but also threatening to publish stolen information unless a ransom was paid.”

A gang on the rocks

U.S. law enforcement efforts culminated in the arrest and extradition of Russian national Evgenii Ptitsyn, an alleged Phobos administrator, from South Korea in November 2024. Another Phobos actor was arrested in Italy in 2023 after French authorities issued an arrest warrant.

The indictment of Ptitsyn revealed significant information about the group’s inner workings and victims, which include:

  • A California public school system, which paid a $300,000 ransom in the summer of 2023.
  • A Maryland-based company that provided accounting and consulting services to federal agencies. It paid a $12,000 ransom in early 2021.
  • A Pennsylvania healthcare organization that paid $20,000 in the spring of 2022.
  • An Illinois-based contractor for the U.S. departments of Defense and Energy. The indictment does not specify whether it made a payment.
  • Maryland healthcare organizations that paid ransoms of $25,000 and $37,000 in the summer of 2022.
  • A New York-based law enforcement union and a federally recognized tribe in the summer of 2022. The indictment does not specify whether either made a payment.
  • A Connecticut public school system in the summer of 2023. It did not pay the ransom, prosecutors said.
  • A North Carolina children’s hospital in the fall of 2023. It paid $100,000.

Earlier this year, two men and two women were arrested after raids on locations in Phuket, Thailand in an operation police in the country called “PHOBOS AETOR.” 

The U.S. Department of Justice unsealed an array of criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, for their alleged roles in using Phobos to earn more than $16 million.

The indictments were part of a global law enforcement takedown of the group. The FBI, alongside law enforcement agencies in Germany, Japan and more, took down more than 100 servers used as part of the Phobos scheme and warned more than 400 companies worldwide of ongoing or imminent ransomware attacks.

Phobos administrators made money by conducting their own ransomware attacks, the indictment says, and by distributing the malicious code on the dark web to affiliates. When an affiliate successfully encrypted a victim's files, it paid the administrators about $300 for a one-time decryption key, which the affiliate then handed over to the victim in exchange for the ransom payment. Ptitsyn personally controlled the cryptocurrency wallet that received the fees from affiliates, prosecutors said.

Phobos was particularly damaging because it focused its efforts on attacking smaller businesses and organizations that typically lacked the kind of cybersecurity protections needed to defend against ransomware.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.