Category: Global Ransomware Takedown
Features: Free decryptor released, international arrests, cross-border server takedown, infrastructure dismantling
Delivery Method: Phobos and 8Base ransomware variants via affiliate network
Threat Actor: Phobos administrators and affiliated syndicates (including 8Base) — multiple arrests, indictments, and extraditions confirmed
One of the Most Ruthless Ransomware Groups Just Got Dismantled
In a rare show of global coordination, Japanese authorities—alongside the FBI, Europol, and multiple international partners—have released a free decryption tool for the Phobos ransomware strain, following a major strike against the syndicate behind it. The tool, aimed at victims of both Phobos and its derivative 8Base, was developed by Japan’s National Police Agency and comes with an English-language guide for organizations looking to recover from past attacks.
This marks a milestone in ransomware defense: the first time a comprehensive decryptor has been made available for the Phobos family—a notorious group responsible for more than $16 million in extortion payouts from over 1,000 global victims since its emergence in 2019.
The Decryptor: A Long-Awaited Lifeline for Victims
The decryptor was published on Thursday, distributed via the European Cybercrime Centre (EC3) and endorsed by the FBI’s Baltimore field office, which led the U.S. criminal investigation. The release also coincides with a broader intelligence offensive that has crippled much of the group’s infrastructure.
Phobos, unlike higher-profile ransomware families like LockBit, often preyed on small-to-midsize organizations, deliberately keeping ransom demands lower—often under $100,000—to increase payment compliance and avoid triggering major headlines. But the damage it caused was anything but small.
Organizations now recovering data include healthcare providers, public schools, tribal entities, and local government services—many of which had no other option but to pay the ransom at the time of the attack.
8Base: The Spin-Off That Amplified the Threat
The 8Base group, a known spinoff of Phobos, dramatically escalated activity beginning in mid-2023. Using Phobos’s encryption methods and infrastructure, 8Base repackaged the ransomware with tailored delivery mechanisms and launched highly targeted attacks.
According to Europol, 8Base became infamous for its double extortion tactics—encrypting critical data while simultaneously stealing it, and threatening public leaks unless the ransom was paid. Some of their most high-profile victims included:
- The United Nations Development Programme (UNDP)
- The Atlantic States Marine Fisheries Commission
- A Canadian federal agency managing dental benefits for people with disabilities
The success of 8Base was built on the bones of Phobos, leveraging existing ransomware-as-a-service (RaaS) networks and scaling with ruthless efficiency.
Global Crackdown: Arrests, Extraditions, and Server Seizures
This year’s turning point came with an aggressive multinational operation involving law enforcement from the U.S., Japan, Germany, France, South Korea, and Thailand. Here are the highlights from the takedown operation:
- Evgenii Ptitsyn, a Russian national and alleged senior administrator of Phobos, was arrested in South Korea and extradited to the U.S. in November 2024.
- Another Phobos operator was arrested in Italy after a French-issued warrant.
- A sweeping raid dubbed “PHOBOS AETOR” in Phuket, Thailand, led to the arrest of two men and two women affiliated with the gang’s digital laundering and infrastructure support teams.
- Over 100 servers were seized or dismantled, neutralizing key elements of Phobos and 8Base’s operational web.
- 400 companies received alerts from the FBI and its partners warning of potential or ongoing ransomware attacks from residual actors.
The U.S. Department of Justice followed up with indictments against Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), citing their leadership roles in managing affiliate deployment and laundering illicit gains through cryptocurrency exchanges.
Inside the Operations: How the Group Functioned
The unsealed indictment against Ptitsyn revealed a web of transactions, affiliate relationships, and digital evidence showing that Phobos functioned as a distributed RaaS ecosystem. Here’s how it worked:
- Affiliates used Phobos malware kits purchased on the dark web.
- After infecting a system and receiving a ransom, they paid about $300 per decryption key back to the Phobos admins.
- Ptitsyn personally controlled the crypto wallet used for collecting affiliate fees.
- Victims ranged from schools and hospitals to contractors working with the U.S. Department of Defense and Department of Energy.
Confirmed Victims (With or Without Ransom Payments):
| Organization Type | Location | Ransom Paid |
|---|---|---|
| Public School System | California | $300,000 |
| Accounting Firm for Federal Agencies | Maryland | $12,000 |
| Healthcare Provider | Pennsylvania | $20,000 |
| Government Contractor | Illinois | Unknown |
| Two Healthcare Groups | Maryland | $25,000 & $37,000 |
| Law Enforcement Union & Tribal Entity | New York | Unknown |
| Public School System | Connecticut | Refused to Pay |
| Children’s Hospital | North Carolina | $100,000 |
This mosaic of targets underscores Phobos’s intent: disrupt sectors with high stakes and low defenses, where downtime could result in patient harm, education collapse, or law enforcement exposure.
Final Verdict: A Blow, Not a Burial
While this takedown marks a major win for global cybersecurity forces, it’s not the end. Phobos affiliates could rebrand under new names. The RaaS ecosystem is hydra-like—cut off one head, and another often emerges.
But for now, victims have a window of relief, and the decryptor gives organizations a second chance at reclaiming their data without giving in to extortion.
This is the kind of breakthrough that only happens when agencies work together—across borders, jurisdictions, and bureaucracies—to track digital predators to their lairs.
And while cybercriminals evolve, so too must our collective response.
TRJ BLACK FILE | CYBER OPS INTEL
Decryptor Access Point: Japan National Police Agency (distributed via Europol – English version now available)
Seized Assets: Over 100 command & control servers
Global Alerts Sent: 400+ entities notified of ransomware targeting
Estimated Earnings of Group: $16.3 million
Indicted Actors: Evgenii Ptitsyn, Roman Berezhnoy, Egor Glebov + multiple international arrests
Affiliated Malware Offshoot: 8Base (Phobos variant)


Thanks, John. It is always nice to read an article like this. I hope that agencies can continue to work together, as you mentioned, to track digital predators to their lairs.
You’re welcome, Chris — and I’m with you 100%. Cooperation is the only way we expose what hides in the digital dark. These predators thrive in the seams between jurisdictions, firewalls, and redacted reports. But when agencies sync up — and when the public keeps asking the hard questions — the shadows shrink.
Thanks again, Chris. Hope you have a great night. 😎