Security News: Father and Son Sentenced to More Than 12 Years in Prison in Large-Scale Cocaine and Heroin Trafficking Conspiracy

Source: United States Department of Justice News

Defendants conspired to traffic cocaine and heroin from Mexico to Springfield area

BOSTON – Two Springfield men were sentenced today for their roles in a large-scale drug trafficking organization supplied by sources in Mexico and spanning at least four states.  

Isaac Cardona, 34, and Rafael Cardona Sr., 61, were each sentenced by U.S. District Court Judge Timothy S. Hillman to 146 months in prison and five years of supervised release. On Oct. 18, 2021, the Cardonas were convicted by a federal jury of conspiracy to distribute and to possess with intent to distribute more than 500 grams of cocaine and one kilogram of heroin. Isaac Cardona was also convicted of conspiracy to commit money laundering.

The Cardonas were indicted in November 2017 as part of a 14-month wiretap investigation into a large-scale drug trafficking organization supplied by sources in Mexico and spanning at least four states.

The Cardonas conspired with co-defendant David Cruz to traffic cocaine and heroin from Mexico, through California, to the Springfield area and into New England. Isaac Cardona owed Cruz money for one kilogram of the cocaine Cruz had distributed to him, and, in order to pay down that debt, the Cardonas and other co-conspirators conspired to import at least one kilogram of heroin (which turned out to be pure fentanyl) from sources in Mexico. In late August 2016, Isaac Cardona traveled by car to San Diego, Calif., with cash to pay for the heroin. Cruz later traveled to San Diego, retrieved the car and the cash, and, on Sept. 8, 2016, used the cash to purchase what he believed to be one kilogram of heroin. Law enforcement in California seized the vehicle and recovered approximately one kilogram of pure fentanyl. 

Cruz previously pleaded guilty to drug and firearms offenses and is scheduled to be sentenced on June 13, 2022.

United States Attorney Rachael S. Rollins; Brian D. Boyle, Special Agent in Charge of the Drug Enforcement Administration, New England Field Division; Joleen D. Simpson, Special Agent in Charge of the Internal Revenue Service’s Criminal Investigations in Boston; and Matthew B. Millhollin, Special Agent in Charge of Homeland Security Investigations in Boston, made the announcement. Special assistance was provided by the Drug Enforcement Administration’s Carlsbad (Calif.) Resident Office and the Westfield Police Department. Assistant U.S. Attorneys Steven H. Breslow and Neil L. Desroches of Rollins’ Springfield Branch Office prosecuted the case.

The operation was conducted by a multi-agency task force through the Organized Crime Drug Enforcement Task Force (OCDETF), a partnership between federal, state and local law enforcement agencies. The principal mission of the OCDETF program is to identify, disrupt and dismantle the most serious drug trafficking, weapons trafficking and money laundering organizations, and those primarily responsible for the nation’s illegal drug supply. More information on the OCDETF program is available here: https://www.justice.gov/ocdetf/about-ocdetf.

Security News: Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals

Source: United States Department of Justice News

Defendant, a Doctor, Designed Software With “Doomsday Counter,” Shared in Profits from Ransomware Attacks, and Bragged about Use by Iranian State-Sponsored Hacking Group

A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and Venezuela who resides in Venezuela, with attempted computer intrusions and conspiracy to commit computer intrusions.  The charges stem from Zagala’s use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.  

Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the charges.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” stated United States Attorney Peace.  “Combating ransomware is a top priority of the Department of Justice and of this Office.  If you profit from ransomware, we will find you and disrupt your malicious operations.”

“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems – which is an incredibly vital step in stopping the next ransomware attack,” stated Assistant Director-in-Charge Driscoll.

As charged in the criminal complaint, Zagala, a 55-year-old cardiologist who resides in Ciudad Bolivar, Venezuela, has designed multiple ransomware tools—malicious software that cybercriminals use to extort money from companies, nonprofits and other institutions, by encrypting their files and then demanding a ransom for the decryption keys.  Zagala sold or rented out his software to hackers who used it to attack computer networks.

One of Zagala’s early products, a ransomware tool called “Jigsaw v. 2,” had, in Zagala’s description, a “Doomsday” counter that kept track of how many times the user had attempted to eradicate the ransomware.  Zagala wrote: “If the user kills the ransomware too many times, then its clear he won’t pay so better erase the whole hard drive.”

Beginning in late 2019, Zagala began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.”  The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who is associated with death.  The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals.  The user interface for the Thanos software is shown below:[1]

The screenshot shows, on the right-hand side, an area for “Recovery Information,” in which the user can create a customized ransom note.  Other options include a “data stealer” that specifies the types of files that the ransomware program should steal from the victim computer, an “anti-VM” option to defeat the testing environments used by security researchers, and an option, as advertised, to make the ransomware program “self-delete.”

Rather than simply sell the Thanos software, Zagala allowed individuals to pay for it in two ways.  First, a criminal could buy a “license” to use the software for a certain period of time.  The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled for the purpose of confirming that the user had an active license.[2]  Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which he provided a user access to the Thanos builder in exchange for a share of the profits from ransomware attacks.  Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin.

Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screennames that referred to Greek mythology.  His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek.  In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim. 

In private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments.  As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.”  Zagala also noted that “there is a punishment… [i]f user reboots.  For every rerun it will punish you with 1000 files deleted.”  After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this . . . You are the best developer ever.”  Zagala responded: “Thank you that is nice to hear[.]  Im very flattered and proud.”  Zagala had only one request: “If you have time and its not too much trouble to you please describe your experience with me” in an online review.

On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala’s “affiliate program.”  Zagala responded: “Not for now.  Don’t have spots.”  But Zagala offered to license the software to CHS-1 for $500 a month with “basic options,” or $800 with “full options.” 

On or about October 7, 2020, CHS-1 asked Zagala how to establish an affiliate program of his own using Thanos.  Zagala responded with a short tutorial on how to set up a ransomware crew.  He explained that CHS-1 should find people “versed…in LAN hacking” and supply them with a version of the Thanos ransomware that was programmed to expire after a given period of time.[3]  Zagala said that he personally had “a maximum of between 10-20” affiliates at a given time, and “sometimes only 5.”  He added that hackers approached him for his software after they had gained access to a victim network:  “they come with access to [b]ig LAN, I check and then I accept[.]  they lock several big networks and we wait…If you lock networks without tape or cloud (backups)[,] almost all pay[.]” 

Zagala further explained that, sometimes, a victim network turned out to have an unexpected backup: “so no point in locking because they have backups, so in that case we only exfiltrate data,” referring to stealing victim information.  Zagala further added that he had an associate who “knows how to corrupt tapes,” meaning backups, and how to “disable[] AV,” meaning antivirus software.  Finally, Zagala offered to give CHS-1 an additional two weeks free after CHS-1’s one-month license expired, explaining “because 1 month is too little for this business…sometimes you need to work a lot to get good profit.”

Zagala’s customers favorably reviewed his products.  One individual posted a message praising Thanos in July 2020, writing “i bought the ransomware from nosophoros and it is very powerful,” and claiming that he had used Zagala’s ransomware to infect a network of approximately 3000 computers.  And, in December 2020, another user wrote a post in Russian: “We have been working with this product for over a month now, we have a good profit!  Best support I’ve met.”  Zagala has publicly discussed his knowledge that his clients used his software to commit ransomware attacks, including by linking to a news story about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.

In or around November 2021, Zagala began using a third screenname – “Nebuchadnezzar.”  In chats with a second confidential source of the FBI (CHS-2), Zagala stated that he had switched aliases to preserve “OPSEC… operational security” because “malware analysts are all over me.” 

On or about May 3, 2022, law enforcement agents conducted a voluntary interview of a relative of Zagala who resides in Florida and whose PayPal account was used by Zagala to receive illicit proceeds.  The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming.  The individual also showed agents contact information for Zagala in his phone that matched the registered email for malicious infrastructure associated with the Thanos malware.

If convicted, the defendant faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions. 

The government’s case is being handled by the Office’s National Security and Cybercrime Section.  Assistant United States Attorneys David K. Kessler and Alexander F. Mindlin are in charge of the prosecution. 

The Defendant:

MOISES LUIS ZAGALA GONZALEZ
Age:  55
Ciudad Bolivar, Venezuela

E.D.N.Y. Docket No. 21-M-276

 


[1] On September 14, 2020, an FBI agent surreptitiously purchased a license for Thanos from Zagala, and downloaded the software. 

[2] This server has been taken offline.

[3] “LAN” stands for “local area network” and refers to a computer network that interconnects computers within a limited area such as an office building.

Security News: Maryland Man Sentenced to 14 Years in Prison For Child Sexual Abuse and Traveling Into the District of Columbia To Engage in Illicit Sexual Conduct With a Minor

Source: United States Department of Justice News

WASHINGTON – A Maryland man was sentenced today to 14 years in prison for traveling interstate to engage in illicit sexual conduct with a minor and first-degree child sexual abuse of a minor, with aggravating circumstances.

The announcement was made by U.S. Attorney Matthew M. Graves and Wayne A. Jacobs, Special Agent in Charge of the FBI Washington Field Office’s Criminal Division.

Christopher Ham, 48, of Largo, Maryland, pleaded guilty in December 2021, in the U.S. District Court for the District of Columbia. He was sentenced by the Honorable Trevor N. McFadden. Following his prison term, Ham will be placed on five years of supervised release. He also must pay $100,000 in restitution to the victim and register as a sex offender for life.

According to the government’s evidence, Ham was identified during a law enforcement investigation into the sexual abuse of an eight-year-old girl. Ham entered into a relationship with a woman who resided in the District of Columbia, and who had access to the little girl. In October of 2019, he traveled from Maryland into the District of Columbia, where he took advantage of this relationship to sexually abuse the child.

Ham was arrested on April 6, 2021, and he has remained in custody.

This case was investigated by the FBI Washington Field Office’s Child Exploitation and Human Trafficking Task Force. The task force is composed of FBI agents, along with other federal agents and detectives from northern Virginia and the District of Columbia. The task force is charged with investigating and bringing federal charges against individuals engaged in the exploitation of children and those engaged in human trafficking. The FBI’s Baltimore Field Office, the U.S. Postal Inspection Service, and the Prince George’s County, Maryland Police Department provided valuable assistance in the investigation.

This case was brought as part of the Department of Justice’s Project Safe Childhood initiative. In February 2006, the Attorney General created Project Safe Childhood, a nationwide initiative designed to protect children from online exploitation and abuse. Led by the U.S. Attorney’s Offices, Project Safe Childhood marshals federal, state, and local resources to better locate, apprehend, and prosecute individuals who exploit children via the Internet, as well as identify and rescue victims. For more information about Project Safe Childhood, please visit www.projectsafechildhood.gov.

In announcing the sentence, U.S. Attorney Graves and Special Agent in Charge Jacobs commended the work of those who investigated the case from the FBI’s Child Exploitation Task Force, which includes members of the FBI’s Washington Field Office and the Metropolitan Police Department’s (MPD) Youth Investigations Division. They also commended the work of Assistant U.S. Attorneys Jocelyn Bond and Amy E. Larson, who prosecuted the case.

Security News: Wasilla Man Sentenced for Killing Harbor Seal

Source: United States Department of Justice News

ANCHORAGE – A Wasilla man was sentenced by U.S. Magistrate Judge Kyle F. Reardon to two years of probation, 100 hours of community service, a hunting restriction, abandonment of his interest in a firearm and a $1,500 fine after pleading guilty to violating the Marine Mammal Protection Act.

According to court documents, Paul Gil, 41, shot at and killed a harbor seal using an AR15-style firearm in the waters of Prince William Sound in October 2017. He then transported the dead seal to his residence, where he was photographed skinning the seal. A National Oceanic and Atmospheric Administration (NOAA) biologist identified the animal in the photograph as a harbor seal, which is a marine mammal protected under the Marine Mammal Protection Act. NOAA confirmed that Gil was not authorized to take a marine mammal.

“We are committed to protecting Alaska’s unique and highly vulnerable marine mammal species from illegal takes and exploitation,” said U.S. Attorney S. Lane Tucker for the District of Alaska. “The senseless killing of protected species, such as the harbor seal, impacts the viability of its population. Together with our law enforcement partners, we will continue to investigate and prosecute these cases so future generations can see and experience these animals in their natural habitat.”

“Harbor seals are an important part of Alaska’s marine ecosystem,” said Jon Kurland, Alaska Regional Administrator for NOAA Fisheries. “Shooting seals is prohibited by federal law unless specifically authorized or exempted under the Marine Mammal Protection Act, such as the exemption for non-wasteful subsistence use by Alaska Natives. This case was a collaborative effort between the NOAA Office of Law Enforcement, the Alaska Wildlife Troopers, and the National Park Service. I would like to thank our agents and officers and our partner agencies for their contributions to this important case.”

NOAA Office of Law Enforcement investigated the case.

Assistant U.S. Attorney Charisse Arce and Special Assistant U.S. Attorney Andrea Hattan, NOAA Office of General Counsel, prosecuted the case.


Security News: Leader of multi-state identity fraud ring sentenced to federal prison

Source: United States Department of Justice News

BRUNSWICK, GA:  The leader of an elaborate multi-state fraud and identity theft ring has been sentenced to federal prison.

Kenson Hunte, 39, of Canton, Ga., was sentenced to 34 months in prison after pleading guilty to Possession with Intent to Use Five or More False Identification Documents, said David H. Estes, U.S. Attorney for the Southern District of Georgia. U.S. District Court Judge Lisa Godbey Wood also ordered Hunte to pay restitution of $104,347.16, and to serve three years of supervised release after completion of his prison term. There is no parole in the federal system.

“Hunte led his codefendants into a theft and fraud scheme for no purposes other than to enrich themselves at the expense of innocent victims,” said David H. Estes, U.S. Attorney for the Southern District of Georgia. “Prison time and the payment of substantial restitution will help hold him accountable for his crimes.”

Three codefendants – Sheryl Henderson, 39, of Norcross, Ga.; Colby Hart, 27, of Vidalia, Ga.; and Monique Laing, 23, of Atlanta – previously entered guilty pleas for their involvement in the scheme and have been sentenced.

With Hunte and the other two as passengers, Henderson was driving on State Road 27 in Glynn County on March 6, 2019, when a Georgia State Patrol trooper pulled her over for speeding. During a subsequent search, troopers found 44 fake driver’s licenses and identification cards appearing to have been issued in various states, with all of the cards using the personal information of other individuals.

Evidence presented in court showed that beginning in or about January 2019 through May 2019 in Jefferson County, in the Northern District of Alabama, Hunte and a co-conspirator used the fraudulently created identification cards to purchase cell phones and network contracts through a third-party retailer in a Wal-Mart store in Homewood, Ala. Hunte paid only a percentage of the cost up front for the phones and contracts, fraudulently purchasing approximately 127 phones.

The conspirator received employee commissions from the retailer and kickbacks from Hunte, while Hunte profited from the black market sale of the fraudulently obtained phones. The total loss amount from the conspiracy is $104,347.16 – the amount Hunte is ordered to repay.

“This sentence is the result of the determination and hard work of federal, state, and local investigators who aggressively pursue identity theft,” said Keri Farley, Special Agent in Charge of FBI Atlanta. “The FBI will continue to work hard to pursue any individual who greedily puts innocent people at financial risk for their own personal gain.”

The cases were investigated by the FBI, the U.S. Secret Service, and the Georgia State Patrol, with assistance from the Brunswick Police Department and the Glynn County Sheriff’s Office, and prosecuted for the United States by Southern District of Georgia Assistant U.S. Attorney Joshua S. Bearden and Northern District of Alabama Assistant U.S. Attorney Robin B. Mark.