Security News: Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals

Source: United States Department of Justice News

Defendant, a Doctor, Designed Software With “Doomsday Counter,” Shared in Profits from Ransomware Attacks, and Bragged about Use by Iranian State-Sponsored Hacking Group

A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and Venezuela who resides in Venezuela, with attempted computer intrusions and conspiracy to commit computer intrusions.  The charges stem from Zagala’s use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.  

Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the charges.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” stated United States Attorney Peace.  “Combating ransomware is a top priority of the Department of Justice and of this Office.  If you profit from ransomware, we will find you and disrupt your malicious operations.”

“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems – which is an incredibly vital step in stopping the next ransomware attack,” stated Assistant Director-in-Charge Driscoll.

As charged in the criminal complaint, Zagala, a 55-year-old cardiologist who resides in Ciudad Bolivar, Venezuela, has designed multiple ransomware tools—malicious software that cybercriminals use to extort money from companies, nonprofits and other institutions, by encrypting those files and then demanding a ransom for the decryption keys.  Zagala sold or rented out his software to hackers who used it to attack computer networks. 

One of Zagala’s early products, a ransomware tool called “Jigsaw v. 2,” had, in Zagala’s description, a “Doomsday” counter that kept track of how many times the user had attempted to eradicate the ransomware.  Zagala wrote: “If the user kills the ransomware too many times, then its clear he won’t pay so better erase the whole hard drive.”

Beginning in late 2019, Zagala began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.”  The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who is associated with death.  The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals.  The user interface for the Thanos software is shown below:[1]

The screenshot shows, on the right-hand side, an area for “Recovery Information,” in which the user can create a customized ransom note.  Other options include a “data stealer” that specifies the types of files that the ransomware program should steal from the victim computer, an “anti-VM” option to defeat the testing enviornments used by security researchers, and an option, as advertised, to make the ransomware program “self-delete.” 

Rather than simply sell the Thanos software, Zagala allowed individuals to pay for it in two ways.  First, a criminal could buy a “license” to use the software for a certain period of time.  The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled for the purpose of confirming that the user had an active license.[2]  Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which he provided a user access to the Thanos builder in exchange for a share of the profits from Ransomware attacks.  Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin.

Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screennames that referred to Greek mythology.  His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek.  In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim. 

In private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments.  As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.”  Zagala also noted that “there is a punishment… [i]f user reboots.  For every rerun it will punish you with 1000 files deleted.”  After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this . . . You are the best developer ever.”  Zagala responded: “Thank you that is nice to hear[.]  Im very flattered and proud.”  Zagala had only one request: “If you have time and its not too much trouble to you please describe your experience with me” in an online review.

On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala’s “affiliate program.”  Zagala responded: “Not for now.  Don’t have spots.”  But Zagala offered to license the software to CHS-1 for $500 a month with “basic options,” or $800 with “full options.” 

On or about October 7, 2020, CHS-1 asked Zagala how to establish an affiliate program of his own using Thanos.  Zagala responded with a short tutorial on how to set up a ransomware crew.  He explained that CHS-1 should find people “versed…in LAN hacking” and supply them with a version of the Thanos ransomware that was programmed to expire after a given period of time.[3]  Zagala said that he personally had “a maximum of between 10-20” affiliates at a given time, and “sometimes only 5.”  He added that hackers approached him for his software after they had gained access to a victim network:  “they come with access to [b]ig LAN, I check and then I accept[.]  they lock several big networks and we wait…If you lock networks without tape or cloud (backups)[,] almost all pay[.]” 

Zagala further explained that, sometimes, a victim network turned out to have an unexpected backup: “so no point in locking because they have backups, so in that case we only exfiltrate data,” referring to stealing victim information.  Zagala further added that he had an associate who “knows how to corrupt tapes,” meaning backups, and how to “disable[] AV,” meaning antivirus software.  Finally, Zagala offered to give CHS-1 an additional two weeks free after CHS-1’s one-month license expired, explaining “because 1 month is too little for this business…sometimes you need to work a lot to get good profit.”

Zagala’s customers favorably reviewed his products.  One individual posted a message praising Thanos in July 2020, writing “i bought the ransomware from nosophoros and it is very powerful,” and claiming that he had used Zagala’s ransomware to infect a network of approximately 3000 computers.  And, in December 2020, another user wrote a post in Russian: “We have been working with this product for over a month now, we have a good profit!  Best support I’ve met.”  Zagala has publicly discussed his knowledge that his clients used his software to commit ransomware attacks, including by linking to a news story about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.

In or around November 2021, Zagala began using a third screenname – “Nebuchadnezzar.”  In chats with a second confidential source of the FBI (CHS-2), Zagala stated that he had switched aliases to preserve “OPSEC… operational security” because “malware analysts are all over me.” 

On or about May 3, 2022, law enforcement agents conducted a voluntary interview of a relative of Zagala who resides in Florida and whose PayPal account was used by Zagala to receive illicit proceeds.  The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming.  The individual also showed agents contact information for Zagala in his phone that matched the registered email for malicious infrastructure associated with the Thanos malware.

If convicted, the defendant faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions. 

The government’s case is being handled by the Office’s National Security and Cybercrime Section.  Assistant United States Attorneys David K. Kessler and Alexander F. Mindlin are in charge of the prosecution. 

The Defendant:

MOISES LUIS ZAGALA GONZALEZ
Age:  55
Ciudad Bolivar, Venezuela

E.D.N.Y. Docket No. 21-M-276

 


[1] On September 14, 2020, an FBI agent surreptitiously purchased a license for Thanos from Zagala, and downloaded the software. 

[2] This server has been taken offline.

[3] “LAN” stands for “local area network” and refers to a computer network that interconnects computers within a limited area such as an office building.