The US Justice Department (DOJ) on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit-sharing arrangements.
Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the ransomware to other cyber criminals to facilitate the intrusions and get a share of the bitcoin payment.
If convicted, Zagala faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.
According to US attorney Breon Peace the “multi-tasking doctor” treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers on how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.
The Ransomware-as-a-Service (RaaS) scheme involved encrypting files belonging to companies, non-profit entities, and other institutions, and then demanding a ransom in exchange for the decryption key.
At its core, Thanos is a private ransomware builder that allows its purchasers, “known as affiliates”, to create their own custom ransomware software, which they could then use or lease to other actors, effectively widening the scope of the attacks.
An analysis by Recorded Future in June 2020 revealed that the builder comes with 43 different configuration options, calling it the first ransomware family to leverage the RIPlace technique to bypass ransomware protection features built into Windows 10.
Some of the options available include the ability to modify the ransom notes, specify the list of file types to be exfiltrated prior to encryption and settings to evade detection and self-delete the ransomware after execution.
Zagala is believed to have advertised the software on darknet cyber crime forums for $500 a month with “basic options” or $800 with “full options”, while also recruiting affiliates for the RaaS program.
The DoJ added that around 1 May 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala’s “affiliate program”.
Zagala responded: “Not for now. Don’t have spots,” before proceeding to license the software to CHS-1 and helping the informant with tutorials on how to use the software and set up an affiliate crew.
Zagala, who received favourable reviews for his ransomware tools, was ultimately traced on 3 May 2022 after identifying a PayPal account belonging to his relative who resides in the US state of Florida, and which was used to obtain the illicit proceeds.
“The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming,” the DoJ said.