A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and Venezuela who resides in Venezuela, with attempted computer intrusions and conspiracy to commit computer intrusions. The charges stem from Zagala’s use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.
Cardiologist Turns Hacker – Moises Luis Zagala Gonzalez, a cardiologist in Venezuela, is the alleged creator behind the Jigsaw v.2 and Thanos ransomware strains.
Beginning in late 2019, Zagala began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.” The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who is associated with death. The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals. The user interface for the Thanos software is shown below:
The screenshot shows, on the right-hand side, an area for “Recovery Information,” in which the user can create a customized ransom note. Other options include a “data stealer” that specifies the types of files that the ransomware program should steal from the victim computer, an “anti-VM” option to defeat the testing environments used by security researchers, and an option, as advertised, to make the ransomware program “self-delete.”
Rather than simply sell the Thanos software, Zagala allowed individuals to pay for it in two ways. First, a criminal could buy a “license” to use the software for a certain period of time. The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled for the purpose of confirming that the user had an active license. Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which he provided a user access to the Thanos builder in exchange for a share of the profits from Ransomware attacks. Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin.
Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screen names that referred to Greek mythology. His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek. In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim.
In private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments. As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.” Zagala also noted that “there is a punishment… [i]f user reboots. For every rerun it will punish you with 1000 files deleted.” After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this... You are the best developer ever.” Zagala responded: “Thank you that is nice to hear[.] Im very flattered and proud.” Zagala had only one request: “If you have time and its not too much trouble to you please describe your experience with me” in an online review.