Japan's police cyber unit turned the tide on cyberattacks, creating the first decryption tool to restore ransomware data and winning global recognition.

Cyberattack image (©Reuters)

As cross-border cyberattacks escalate, Japan's National Cyber Department at the National Police Agency (NPA) has captured international attention. By collaborating with overseas law enforcement agencies, the unit successfully developed the world's first tool to restore data encrypted by a specific strain of ransomware.

Its release marks a significant milestone in the global fight against cybercrime.

First-of-Its-Kind Decryption Tool

The tool, released in July 2025, targets ransomware deployed by the cybercrime groups Phobos and 8Base. When servers are infected, data is encrypted, and attackers typically demand payment in exchange for the decryption key.

The NPA's new decryption software can reverse this encryption in a matter of seconds to hours, provided the data itself remains intact. This allows victims to recover their files without having to pay a ransom.

According to the NPA, the tool has already been used successfully in at least ten domestic cases involving private companies. In each instance, the data was fully restored. Globally, Phobos-related ransomware has hit more than 2,000 organizations in 22 countries since 2018. This includes about 90 companies and municipalities across 29 prefectures in Japan since 2020.

Although it marks only the second time the Japanese police have developed such a tool, international recognition is already high.

Discovery on the Dark Web

The breakthrough came from an unexpected source. Investigators discovered a program on the dark web that cybercriminals had used to generate Phobos ransomware. On its own, this "builder tool" could not decrypt files, but it revealed important details about the ransomware's structure.

Then, in November 2024, the FBI arrested a Russian national believed to be a Phobos administrator and seized his computer systems. The FBI shared system data with the NPA, giving Japanese investigators new material to analyze.

Ransomware response flowchart

Earlier in 2025, a 30-something NPA technologist succeeded in identifying the encryption "key." With it, the agency completed the decryption tool and provided it to Europol and the FBI, both of which confirmed its effectiveness.

Japan Steps Up Cyber Defense

For years, Japan's cyber defenses were perceived as lagging behind those of Europe and the United States. To close the gap, the NPA established the cyber investigation team in April 2022. It was later expanded into a full department with more than 300 staff focused on advanced analysis and tool development.

The unit has already collaborated with overseas agencies against major groups, such as LockBit, once considered the world's most notorious hacker collective. In December 2023, it independently developed a tool to restore data encrypted by LockBit, underscoring Japan's growing presence in the global fight against cybercrime.

An NPA official credited the latest breakthrough to "always keeping tool development in mind, and to skilled personnel who honed their expertise through constant collaboration and competition."

Global Availability and Impact

The new decryption tool is available not only on the NPA's official website but also through The No More Ransom Project, a multilingual platform created by Europol and other partners. This makes it accessible to victims worldwide.

Masakatsu Morii, a professor in the Department of Electrical and Electronic Engineering at Kobe University's Graduate School of Engineering, praised the breakthrough.

"This shows Japan now has capabilities on par with the world's best. With a tool accessible via browser, businesses can resume operations quickly even if ransomware halts them."

He added that cross-border investigative networks are "indispensable" in tackling international cybercrime groups, and stressed that "Japan's police are playing an increasingly vital role on the global stage."

Screen displayed when infected with ransomware in an attack by the hacker group 8Base. (Provided by Trend Micro)

Speaking to JAPAN Forward, cybersecurity expert Mihoko Matsubara emphasized the global scale of the threat. According to the World Economic Forum, cybercrime now constitutes the world’s third-largest economy, after the United States and China. Ransomware, she explained, can disrupt factories, hospitals, and even entire supply chains, making international cooperation indispensable.

"It was an important step for the Japanese NPA to have found a decryption key for Phobos/8Base ransomware and share it with other law enforcement agencies globally," she said. At the same time, Matsubara cautioned that cyber criminals are constantly evolving. "It is essential for all organizations to adopt basic cyber hygiene in order to minimize potential damage from future attacks."


Author: The Sankei Shimbun, JAPAN Forward
