
DoJ: Venezuelan Doctor Behind Thanos Ransomware Builder


The Department of Justice (DoJ) unsealed a criminal complaint against a 55-year-old cardiologist who allegedly designed and sold multiple ransomware tools, including Jigsaw v.2 and the Thanos builder.

Moises Luis Zagala Gonzalez, the alleged ransomware designer and a citizen of France and Venezuela, faces up to five years in prison for attempted computer intrusion and five years for conspiracy to commit computer intrusions if convicted, according to the DoJ. Zagala, who also goes by “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” currently lives in Ciudad Bolivar, Venezuela.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” United States Attorney Peace said in a statement on Monday.

Jigsaw v.2, one of Zagala’s alleged early products, can steal victim passwords and credit card data and move laterally across the network. It is known for its “Doomsday counter” feature, which deletes files on a countdown timer. Emsisoft released a decryptor for the ransomware in 2019.

Starting in 2019, Zagala began to advertise the Thanos tool, which lets its users build their own unique ransomware that they can then deploy themselves or rent out to other cybercriminals. The Thanos builder includes a “recovery information” feature for composing a customized ransom note, a “data stealer” option specifying the types of files the ransomware should exfiltrate, “anti-VM” options intended to evade security researchers’ testing environments, and an option to make the ransomware delete itself. Attackers could either buy a license to use Thanos for a short period of time, or join an affiliate program that gave them access to the builder in exchange for a share of the profits from their ransomware attacks. Zagala also posted links to news stories describing the use of Thanos by an Iranian state-sponsored hacking group to attack Israeli companies, according to the DoJ.

Court documents outlined decades of activity by Zagala dating back to 1997, when he began to get involved in “High Cracking University,” a select online community of elite hackers and reverse engineers, and spent years writing online postings about reverse engineering.

The documents also gave a glimpse into how law enforcement kept tabs on and eventually identified Zagala, as well as some behind-the-scenes detail on how malware tools are distributed and deployed. For instance, FBI confidential sources had communicated with Zagala over the years. After an FBI source inquired in May 2020 about affiliate program options for the Thanos ransomware, Zagala said that to set up a program the source should find people “versed… in LAN hacking” and supply them with a version of the Thanos ransomware configured to expire after a set period of time. He also offered the source an additional two weeks free after the source’s one-month license expired, saying that one month “is too little for this business…sometimes you need to work a lot to get good profit.” He also revealed that he personally had between five and 20 affiliates at any given time, and that attackers would approach him for his tools after they had already gained access to a victim network.

Most recently, on May 3, law enforcement officials conducted a “voluntary interview” with a relative of Zagala who resides in Florida and whose PayPal account he used to receive illegal proceeds. The unnamed individual relayed that Zagala lives in Venezuela and had taught himself computer programming, and provided contact information for him that matched the registered email address for malicious infrastructure associated with the Thanos malware.

“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use,” Assistant Director-in-Charge Driscoll said in a statement. “Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven't taken steps to protect their systems - which is an incredibly vital step in stopping the next ransomware attack.”