Practicing doctor allegedly shared profits generated from cybercriminals using his software.
A practicing cardiologist has been accused by the U.S. Department of Justice of creating ransomware, selling it to cybercriminals, and sharing the profits they made from it.
Moises Luis Zagala Gonzalez, a citizen of France and Venezuela who resides in Venezeula, is facing charges of attempt computer intrusion and conspiracy to commit computer intrusions.
“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” stated United States Attorney Breon Peace.
One of Zagala’s early products, a ransomware tool called “Jigsaw v. 2,” had, in Zagala’s description, a “Doomsday” counter that kept track of how many times the user had attempted to eradicate the ransomware. Zagala wrote: “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive.”
Beginning in late 2019, Zagala began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.” The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals.
According to the Justice Department complaint, rather than simply sell the Thanos software, Zagala allowed individuals to pay for it in two ways. First, a criminal could buy a license to use the software for a certain period of time. The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled for the purpose of confirming that the user had an active license. Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which he provided a user access to the Thanos builder in exchange for a share of the profits from Ransomware attacks. Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin.
According to the Justice Department, Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screennames that referred to Greek mythology. His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek. In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim.
The Justice Department complaint also said that in private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments. As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.” Zagala also noted that “there is a punishment… [i]f user reboots. For every rerun it will punish you with 1000 files deleted.” After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this . . . You are the best developer ever.” Zagala responded: “Thank you that is nice to hear[.] I’m very flattered and proud.” Zagala had only one request: “If you have time and it’s not too much trouble to you please describe your experience with me” in an online review.
On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala’s “affiliate program.” Zagala responded: “Not for now. Don’t have spots.” But Zagala offered to license the software to CHS-1 for $500 a month with “basic options,” or $800 with “full options,” according to the Justice Department.
On or about Oct. 7, 2020, CHS-1 asked Zagala how to establish an affiliate program of his own using Thanos. Zagala responded with a short tutorial on how to set up a ransomware crew. He explained that CHS-1 should find people “versed…in LAN hacking” and supply them with a version of the Thanos ransomware that was programmed to expire after a given period of time. Zagala said that he personally had “a maximum of between 10-20” affiliates at a given time, and “sometimes only 5.” He added that hackers approached him for his software after they had gained access to a victim network: “they come with access to [b]ig LAN, I check and then I accept[.] they lock several big networks and we wait…If you lock networks without tape or cloud (backups)[,] almost all pay[.]”
Zagala further explained that, sometimes, a victim network turned out to have an unexpected backup: “so no point in locking because they have backups, so in that case we only exfiltrate data,” referring to stealing victim information. Zagala further added that he had an associate who “knows how to corrupt tapes,” meaning backups, and how to “disable AV,” meaning antivirus software. Finally, Zagala offered to give CHS-1 an additional two weeks free after CHS-1’s one-month license expired, explaining “because 1 month is too little for this business…sometimes you need to work a lot to get good profit.”
Zagala’s customers favorably reviewed his products. One individual posted a message praising Thanos in July 2020, writing “i bought the ransomware from nosophoros and it is very powerful,” and claiming that he had used Zagala’s ransomware to infect a network of approximately 3,000 computers. And, in December 2020, another user wrote a post in Russian: “We have been working with this product for over a month now, we have a good profit! Best support I’ve met.” Zagala has publicly discussed his knowledge that his clients used his software to commit ransomware attacks, including by linking to a news story about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.
According to the Justice Department, in or around November 2021, Zagala began using a third screenname – “Nebuchadnezzar.” In chats with a second confidential source of the FBI (CHS-2), Zagala stated that he had switched aliases to preserve “OPSEC… operational security” because “malware analysts are all over me.”
On or about May 3, 2022, law enforcement agents conducted a voluntary interview of a relative of Zagala who resides in Florida and whose PayPal account was used by Zagala to receive illicit proceeds. The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming. The individual also showed agents contact information for Zagala in his phone that matched the registered email for malicious infrastructure associated with the Thanos malware.
If convicted, the defendant faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.