Authorities released free decryptor for Phobos and 8base ransomware
Japanese authorities released a free decryptor for Phobos and 8Base ransomware, allowing victims to recover files without paying.

Japanese police released the free decryptor for the ransomware families, which was likely built using intel from a recent gang takedown. The software can be downloaded from the police website and Europol's NoMoreRansom site.

The tool works on files with extensions like .phobos, .8base, .elbie, .faust, and .LIZARD, and may support others. Despite false malware flags from some browsers, tests confirm it works and is safe. Europol and the FBI are promoting it as an official recovery solution.

NoMoreRansom warns users to remove the malware first with a reliable antivirus before using the decryptor, or files may be re-encrypted repeatedly.

The Phobos operation uses a ransomware-as-a-service (RaaS) model; it has been active since May 2019. Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.

Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks by leveraging phishing campaigns. They dropped hidden payloads or used internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports, or by leveraging RDP on Microsoft Windows environments. In March 2024, US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.

In November 2023, Cisco Talos researchers observed 8Base ransomware operators using a variant of the Phobos ransomware in recent attacks. In 2023, 8Base emerged from Phobos affiliates using a modified encryptor and double extortion, encrypting and stealing data to force ransom payments.

Phobos variants are usually distributed by SmokeLoader, but in 8Base campaigns the ransomware component is embedded in SmokeLoader's encrypted payloads. The ransomware component is then decrypted and loaded into the SmokeLoader process memory.

In June, VMware Carbon Black researchers observed an intensification of the activity associated with a stealthy ransomware group named 8Base. The experts observed a massive spike in activity associated with this threat actor between May and June 2023.

The group has been active since March 2022; it focused on small and medium-sized businesses in multiple industries, including finance, manufacturing, business services, and IT.

In November 2024, Russian Phobos ransomware operator Evgenii Ptitsyn, suspected of playing a key role in the ransomware operations, was extradited from South Korea to the US to face cybercrime charges.

According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments.

The Russian national was allegedly involved in the development, sale, distribution, and operations of the ransomware.

Evgenii Ptitsyn and others allegedly ran an international hacking scheme since November 2020, deploying Phobos ransomware to extort victims. Ptitsyn reportedly sold the ransomware on darknet forums under aliases like "derxan" and "zimmermanx", enabling other criminals to encrypt data and demand ransom.

Ptitsyn and his conspirators used a ransomware-as-a-service (RaaS) model to distribute their malware to a network of affiliates. Affiliates paid fees to administrators like Ptitsyn for decryption keys, with payments routed via unique cryptocurrency wallets from 2021 to 2024.

In February 2025, the US Justice Department unsealed charges against Russian nationals Roman Berezhnoy and Egor Glebov for operating a Phobos ransomware group. They allegedly targeted over 1,000 public and private entities worldwide, extorting more than $16 million in ransom. Both were arrested in a coordinated international operation that also dismantled the group's infrastructure and led to further arrests.

Pierluigi Paganini

(SecurityAffairs – hacking, 8Base ransomware)
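As an added example (not part of the original article, the Japanese police tool, or NoMoreRansom), the following Python script inventories a directory for files carrying the extensions listed above and pulls the victim identifier out of the commonly documented Phobos-family naming pattern `name.ext.id[XXXXXXXX-XXXX].[contact].<ext>`; that pattern, the placeholder contact address and the sample file names are assumptions constructed here. The summary lets a responder confirm which variant and victim ID are present, and that the host has been cleaned, before running the decryptor over a tree.

```python
import os
import re
from collections import Counter

# Extensions the article says the decryptor handles; matched case-insensitively.
KNOWN_EXTENSIONS = {"phobos", "8base", "elbie", "faust", "lizard"}

# Assumed Phobos/8Base naming convention (constructed for this example):
#   <original name>.id[<8 hex>-<4 digits>].[<contact address>].<ext>
# The id[...] token is the per-victim identifier the affiliate keys decryption on.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[^.]+)$"
)


def classify(filename):
    """Return (extension, victim_id or None, original_name) for a matching file, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in KNOWN_EXTENSIONS:
        return None
    m = PHOBOS_NAME.match(filename)
    if m:
        return (ext, m.group("victim_id").upper(), m.group("original"))
    # Extension matches but the name does not follow the expected pattern: report it anyway.
    return (ext, None, filename[: -(len(ext) + 1)])


def summarize(filenames):
    """Count encrypted files per extension and per victim id; list names that did not parse."""
    by_ext, by_id, unparsed = Counter(), Counter(), []
    for name in filenames:
        hit = classify(name)
        if hit is None:
            continue
        ext, victim_id, _ = hit
        by_ext[ext] += 1
        if victim_id:
            by_id[victim_id] += 1
        else:
            unparsed.append(name)
    return {"by_ext": dict(by_ext), "by_id": dict(by_id), "unparsed": unparsed}


def scan_tree(root):
    """Walk a directory tree and summarize Phobos-family encrypted files found under it."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return summarize(names)


if __name__ == "__main__":
    import sys
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

More than one victim ID in the output usually means several hosts or several intrusions were swept into one share; each ID is decrypted separately.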