The National Police Agency has developed a tool to decrypt files encrypted by the ransomware 'Phobos' and '8Base'; here is how to use it



The National Police Agency has developed a tool that can decrypt files encrypted by 'Phobos' and '8Base,' two types of ransomware used in crimes that encrypt files on PCs and demand a ransom.

Development of a decryption tool for files encrypted by ransomware Phobos/8Base | National Police Agency website

https://www.npa.go.jp/news/release/2025/20250717001.html

National Police Agency develops decryption tool for ransomware attacks, triggered by dark web: Asahi Shimbun
https://www.asahi.com/articles/AST7K32NST7KUTIL01ZM.html

Ransomware neutralization software developed and released by the National Police Agency... A system that allows data recovery with the push of a button: Yomiuri Shimbun
https://www.yomiuri.co.jp/national/20250717-OYT1T50160/

According to the National Police Agency, 'Phobos' and '8Base' are ransomware that have been confirmed to have caused at least 2,000 cases of damage around the world. The decryption tool was developed by the Kanto Regional Police Bureau's Cyber Special Investigation Division and was provided to the European Police Organization (Europol) in June 2025.



You can download it from the following URL. As the usage guidelines (PDF file) note, it may be detected as malware by antivirus software. When I actually downloaded it, the virus scan performed at the time of downloading on some browsers detected it as malware and deleted it.

About using decryption tools for files encrypted by ransomware Phobos/8Base | National Police Agency website
https://www.npa.go.jp/bureau/cyber/countermeasures/ransom/phobos.html

Even after the download was completed in the browser, the file was deleted after a short time by the standard Windows security function. I found the relevant file in the 'Protection History' of 'Windows Security' and clicked 'Restore'.



The downloaded file is named 'phdec_gui_v1.0.0.zip', but it is actually an executable file (EXE file) and not a ZIP file, so rename the extension and run it. Naturally, since it is an application that Windows does not recognize, a dialog box saying 'Your PC has been protected by Windows' is displayed, so click 'More information'.



Click Run.



Unfortunately, in my environment, the message 'This app cannot be run on your PC' appeared and I was unable to launch it.
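Because the download carries a '.zip' name but is an executable, and running it means restoring it from quarantine and clicking past the Windows warning, it is worth confirming what the file actually contains first. The following is an added example, not code from this article or from the National Police Agency: it classifies a file by its magic bytes, reads the CPU architecture from the PE header, and records a SHA-256 digest. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import hashlib
import struct
import sys

# "Machine" values defined in the PE/COFF specification
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def inspect_download(data: bytes) -> dict:
    """Classify a file by its content rather than by its extension."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "kind": "unknown", "machine": None}
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        info["kind"] = "zip"
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00" and len(data) >= pe_off + 6:
            (machine,) = struct.unpack_from("<H", data, pe_off + 4)
            info["kind"] = "pe"
            info["machine"] = MACHINES.get(machine, hex(machine))
        else:
            info["kind"] = "dos-or-truncated"
    return info


def check(file_name: str, data: bytes) -> dict:
    """Add a flag telling whether the extension agrees with the content."""
    info = inspect_download(data)
    ext = file_name.rsplit(".", 1)[-1].lower()
    expected = {"zip": "zip", "exe": "pe", "dll": "pe"}.get(ext)
    info["extension_matches_content"] = expected == info["kind"]
    return info


def constructed_pe(machine: int) -> bytes:
    """Constructed sample: a minimal MZ/PE header, not the real tool."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


if __name__ == "__main__":
    # With no argument, inspect the constructed sample under the article's file name.
    name = sys.argv[1] if len(sys.argv) > 1 else "phdec_gui_v1.0.0.zip"
    data = open(name, "rb").read() if len(sys.argv) > 1 else constructed_pe(0x8664)
    print(name, check(name, data))
```

Run it with the path of the downloaded file as the only argument; the digest it prints can be kept as a record of exactly which file was restored and executed.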



The Metropolitan Police Department has released a video showing how it will actually be used.



In an environment where it can be used without any problems, the executable file will be displayed with an icon like this.



When you start the app, you will be asked to agree to the terms of use, so click 'Agree'.



Depending on your environment, a dialog box regarding file path length restrictions may appear, so click 'OK'.



The User Account Control dialog box will appear, so enter your administrator password and click 'Yes'.



Click 'OK' and restart the software.



The software's startup screen looks like this:



The filenames of the encrypted files have also been rewritten as random strings of characters, making it impossible to tell what the original files were.



Even if you open it in a text editor, you won't be able to figure out what's inside.



So, in the 'Encrypted folder/file path' input field of this decryption tool, specify the location of the folder where the encrypted files are saved. You can also specify the folder by dragging and dropping it into the input field.



Similarly, specify the output destination for the decrypted file in the 'Output folder path' field below.



Click on 'Encrypted' below to decrypt the file.



The decrypted files will be written to the output folder one after another.



The files that I couldn't read before can now be read properly.



Posted by logc_nt