Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Feds Say 'Multi-Tasking Doctor' Built Thanos Ransomware

Cardiologist in Venezuela Charged With Developing Malware and Recruiting Affiliates
Feds Say 'Multi-Tasking Doctor' Built Thanos Ransomware
Partially redacted identity document provided to a cryptocurrency platform by Moises Luis Zagala Gonzalez, who's been charged with developing Thanos ransomware (Source: DOJ)

U.S. authorities have charged a cardiologist based in Venezuela with developing and selling notorious ransomware called Thanos as well as recruiting affiliates to use it against victims.

See Also: Fireside Chat | Zero Tolerance: Controlling The Landscape Where You'll Meet Your Adversaries

On Monday, a criminal complaint was unsealed in New York federal court, charging Moises Luis Zagala Gonzalez - aka "Nosophoros," "Aesculapius" and "Nebuchadnezzar" - with attempted computer intrusions and conspiracy to commit computer intrusions. The defendant, who is not in U.S. custody, faces up to 10 years of imprisonment if convicted of both charges.

"The charges stem from Zagala's use and sale of ransomware, as well as his extensive support of, and profit-sharing arrangements with, the cybercriminals who used his ransomware programs," the U.S. Attorney's Office for the Eastern District of New York says.

Zagala, 55, is a practicing cardiologist with both French and Venezuelan citizenship who resides in Ciudad Bolivar, Venezuela, U.S. authorities say.

"As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran," says U.S. Attorney Breon Peace.

Zagala has been accused of creating and selling multiple types of malware, including Jigsaw v2, which was first spotted in 2016. The screen-locking ransomware, which did not encrypt files, threatened users with a countdown timer - telling them that the longer they waited to pay, the more files would become unrecoverable and the greater the amount of ransom they would have to pay.

Jigsaw's ransom note (Source: ESET)

Visually, the ransomware referenced the "torture porn" horror film series "Saw." In particular, the film's fictional serial killer, John Kramer, is nicknamed the Jigsaw Killer, and communicates with victims using a puppet called "Billy," which Jigsaw used in its ransom note.

Thanos Ransomware

Thanos ransomware was first spotted in the wild in August 2020.

"The name of the software appears to be a reference to a fictional comic book villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure 'Thanatos' from Greek mythology, who is associated with death," the U.S. Department of Justice says.

In September 2020, reports emerged that suspected Iranian nation-state hackers had begun to wield Thanos.

Zagala, using the username Nosophoros, on Oct. 24, 2020, posted links to news stories about an Iranian APT group targeting Israeli firms via a thread on a cybercrime forum with the subject line "[SALE] Private Ransomware Builder Designed for Companies Targeted Attacks," according to court documents.

Thanos has been sold on the Raid cybercrime forum, threat intelligence firm Intel 471 reported in late 2020, designating the ransomware as not being a big player, but one level down, in a category it called "up and coming." While many types of ransomware are tied to a group that provides it as a service and that maintains a dedicated data leak site to try and name and shame victims into paying a ransom, Thanos did not have a data leak site.

Some Thanos infections were distributed by users of the Trickbot botnet, cybersecurity firm Group-IB reported in late 2020.

Ransomware Supply

Prosecutors allege Thanos was supplied to criminals in two ways:

  • License: Users could purchase a time-limited software license, with the software occasionally contacting a server based in Charlotte, North Carolina, to verify that the license was authentic and still active. According to court documents, a confidential source working with the FBI was told by Zagala via private chats that monthly pricing was $500 for "basic options" or $800 for "full options." Authorities say the server has been taken offline.
  • Affiliate: As with other ransomware-as-a-service operations, users could sign up as affiliates, in which they agree to share with the operators a specified split of every ransom a victim pays. "Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin," prosecutors say. According to court documents, Zagala told the FBI's source that he tended to have between 10 to 20 affiliates at any one time, but "sometimes only five."

Authorities say Zagala not only supplied Thanos, but also instructed users in how to use it and shared tips for building and maintaining one's own affiliate program. According to court documents, Zagala told a second confidential FBI informant via private chat that "big profit comes from RDP," referring to using stolen or brute-forced remote desktop protocols to remotely access a victim's network to deploy the ransomware to lock their files and hold the organization to ransom (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).

Evidence Detailed in Complaint

Earlier this month, law enforcement agents interviewed a Florida-based relative of Zagala, who told them Zagala lived in Venezuela and had taught himself computer programming, according to court documents. The Florida relative also showed his phone to agents, who said Zagala's email address was the same as the email address "used to register the Thanos control server."

Moises Luis Zagala Gonzalez (Photo: DOJ)

The FBI reports that some buyers of Zagala's products, including Jigsaw and Thanos, were instructed to send their payments to a PayPal account registered under the name "Moises Zagala," which uses the same email address as the email shared by his relative and lists a street address in Ciudad Bolivar, Venezuela.

Among other evidence, the FBI says it has evidence of a cryptocurrency trading platform account with the username "Nosophoros" and "Moises Luis Zagala Gonzalez" as the full name, which uses the same email address. As detailed in the unsealed criminal complaint, signed by FBI Special Agent Chris Clarke, Zagala allegedly told Clarke - who had purchased a copy of Thanos while acting undercover - to send payment to that cryptocurrency platform account.

This screenshot of the Thanos interface shows an area for "Recovery Information," in which users can create a customized ransom note, while the field at the bottom left, "Extensions to Process," allows Thanos users to select the kinds of files that will be encrypted in the ransomware attack. (Source: DOJ, click to enlarge)

In addition, U.S. Customs and Border Protection said Zagala had entered the U.S. multiple times and confirmed that had been his email address when he did so, according to court documents.

Unusual Twist

Some experts say the charges against Zagala are particularly disturbing given his profession and the potential for his ransomware to be used against healthcare entities.

"The ultimate potential harm of ransomware to patients is death," says regulatory attorney Rachel Rose. "The fact that a physician, a person with intimate knowledge of how patient care could be impacted, [did this] is something that every organization should be aware of. Know who you are hiring, who is on your medical staff, and train employees to look out for internal activity," she says.

Former federal prosecutor Andrew Wirmani, an attorney at the law firm Reese Marketos LLP who is not involved in the Zagala case, offers a similar assessment. "The notion that a cardiologist has anything to do with ransomware is pretty out of left field. Profiting by providing cybercriminals with the tools they need to commit crime is definitely egregious conduct," he says.

Venezuela and the U.S have an extradition treaty, Wirmani says, "so Zagala should eventually be brought to the U.S. to face charges. The process can take several years."

Executive Editor Marianne Kolbasuk McGee contributed to this report.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.