‘Thanos’ Ransomware Builder Was Designed by a Physician
A French-Venezuelan Doctor Allegedly Created “Thanos” Ransomware and Other Cybercriminal Tools.
First detected in February 2020, the Thanos ransomware was advertised for sale on dark web forums. Using a built-in constructor, the Thanos ransomware lets actors make changes to the sample according to their preferences. A Thanos version was used in assaults on two state-owned institutions in the Middle East and North Africa, which we think of with high confidence.
The United States Department of Justice announced today that a cardiologist named Moises Luis Zagala Gonzalez (Zagala), who is 55 years old and lives in Ciudad Bolivar, Venezuela, rented the Jigsaw and Thanos ransomware programs to individuals who commit cybercrime.
Zagala, also known as Nosophoros, Aesculapius, and Nebuchadnezzar, provided help to other cybercriminals who purchased the ransomware and shared the earnings made from victims all around the globe.
A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and Venezuela who resides in Venezuela, with attempted computer intrusions and conspiracy to commit computer intrusions. The charges stem from Zagala’s use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.
Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the charges.
“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” stated United States Attorney Peace. “Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations.”
“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems – which is an incredibly vital step in stopping the next ransomware attack,” stated Assistant Director-in-Charge Driscoll.
At the same time that Zagala was operating an affiliate scheme through which hackers shared the income they made from ransomware, he was also licensing the Thanos virus using a licensing server that he housed in Charlotte, North Carolina.
This ransomware strain was no longer being submitted to ID-Ransomware after the month of February 2022, and the ransomware constructor was leaked on VirusTotal in the month of June 2021.
As BleepingComputer explained, because various encryption extensions were used by affiliates, certain versions of the Thanos ransomware were originally misidentified as belonging to the Prometheus, Haron, or Hakbit ransomware families, but the researchers from the Insikt Group at Recorded Future revealed that both are the same malicious software.
Based on code similarity, string reuse, and core functionality, Insikt Group assesses with high confidence that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros.
According to a press release issued by the Department of Justice (DOJ), Zagala is accused of publicly discussing how his “clients” used his tools in ransomware attacks. This allegedly included linking to a news story about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.
Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screennames that referred to Greek mythology. His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek. In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim.
In private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments. As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.” Zagala also noted that “there is a punishment… [i]f user reboots. For every rerun it will punish you with 1000 files deleted.” After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this . . . You are the best developer ever.” Zagala responded: “Thank you that is nice to hear[.] Im very flattered and proud.” Zagala had only one request: “If you have time and its not too much trouble to you please describe your experience with me” in an online review.
After conducting an interview with one of Zagala’s relatives in May 2022, law enforcement officers were able to connect him to the Thanos ransomware operation. The conversation was conducted after the relative used a PayPal account to collect part of Zagala’s illegal gains from the ransomware operation.
Zagala may face up to five years in jail if he is found guilty of both the attempted computer intrusion and the conspiracy to conduct computer intrusion charges. Both of these charges have a maximum sentence of five years.