The US Justice Department on Monday accused a 55-year-old Venezuelan cardiologist of being the mastermind behind the Thanos ransomware, charging him with using and selling the malicious tool and striking profit-sharing deals with other criminals.
Moises Luis Zagala Gonzalez, also known as Nosophoros, Aesculapius, and Nebuchadnezzar, allegedly both developed and marketed the ransomware to other cybercriminals to facilitate intrusions and get a share of the payment in bitcoins.
If convicted, Zagala faces up to five years in prison for attempted computer intrusion and five years in prison for conspiracy to commit computer intrusions.
“The versatile doctor cared for patients, created and named his cyber tool after death, took advantage of a global ransomware ecosystem in which he sold the tools to carry out ransomware attacks, trained attackers on how to extort victims, and then bragged about successful attacks, including by malicious actors associated with the Iranian government,” US attorney Breon Peace said.
The ransomware-as-a-service (RaaS) system involved encrypting files belonging to corporations, nonprofits, and other institutions and then demanding a ransom in exchange for the decryption key.
At its core, Thanos is a private ransomware builder that allows its buyers (aka affiliates) to create their own custom ransomware, which they could then use or rent to other actors, expanding the scope of attacks.
An analysis by Recorded Future in June 2020 revealed that the builder comes with 43 different configuration options, and called Thanos the first ransomware family to take advantage of the RIPlace technique to bypass the ransomware protection features built into Windows 10.
Available options include the ability to edit ransom notes, specify a list of file types to exfiltrate before encryption, and settings to evade detection and automatically remove the ransomware after execution.
Zagala is believed to have advertised the software on darknet cybercrime forums for $500 per month with “basic options” or $800 with “full options”, while recruiting affiliates for the RaaS program.
“On or about May 1, 2020, a confidential FBI human source (CHS-1) discussed joining Zagala’s ‘affiliate program,’” the DoJ said. “Zagala replied, ‘Not at the moment. I have no spots,’” before proceeding to license the software to CHS-1 and help the informant with tutorials on how to use the software and set up an affiliate team.
Zagala, who received favorable reviews for his ransomware tools, was finally tracked down on May 3, 2022, after investigators identified a PayPal account belonging to a relative of his, residing in the US state of Florida, that was used to receive the illicit proceeds.
“The individual has confirmed that Zagala resides in Venezuela and taught himself computer programming,” the DoJ said.