
Accused 'Iranian-sponsored' data hijacking to attack Israel

A cardiologist from Ciudad Bolivar, Venezuela, has been accused by the U.S. government of being a hacker and of having designed an Iranian state-sponsored data hijacking (ransomware) tool.

by Maibort Petit


Moises Luis Zagala Gonzalez, 55, is alleged to be the author of two ransomware strains called Jigsaw v.2 and Thanos, according to the U.S. government indictment.

According to federal investigators, Zagala sold and rented the ransomware tools to cybercriminals starting in 2019 and taught scammers how to use the programs.

The complaint, unsealed in Brooklyn Federal Court in New York City, says the Venezuelan doctor designed software with a "doomsday counter," shared profits from ransomware attacks and boasted that his tools were used by a hacking group sponsored by the Islamic Republic of Iran.

Moisés Luis Zagala González, also known as "Nosophoros", "Esculapio" and "Nebuchadnezzar", is a French-Venezuelan citizen residing in Venezuela, who was accused of carrying out computer intrusions and conspiring to commit computer intrusions.

Moisés Luis Zagala González

The charges against Zagala Gonzalez stem from the use and sale of the software, as well as his extensive support and profit-sharing deals with the cybercriminals who used his ransomware programs.

The criminal complaint against Zagala says the cardiologist, based in Ciudad Bolivar, Venezuela, designed multiple ransomware tools: malicious software that cybercriminals use to extort money from businesses, nonprofits and other institutions by encrypting their files and then demanding a ransom for the decryption keys.

"Zagala sold or rented his software to hackers who used it to attack computer networks," the indictment states.

One of Zagala's first products, a ransomware tool called "Jigsaw v. 2", had, in Zagala's description, a "Doomsday" counter that recorded how many times the user had tried to eradicate the ransomware. Zagala wrote: "If the user removes the ransomware too many times, it is clear that he will not pay, so it is better that he erases the entire hard drive."


In late 2019, Zagala began announcing a new online tool: a "Private Ransomware Generator" which he called "Thanos." The name of the software, federal documents say, appears to be a reference to a fictional cartoon villain named Thanos, responsible for destroying half of all life in the universe, as well as a reference to the figure "Thanatos" from Greek mythology, which is associated with death.

The Thanos software allowed its users to create their own unique ransomware, which they could then use themselves or rent out to other cybercriminals. The user interface of the Thanos software is shown below.

User interface of the Thanos software

The screenshot shows, on the right side, an area for "Recovery Information", in which the user can create a custom ransom note. Other options include a "data thief" that specifies the types of files that the ransomware program should steal from the victim's computer, an "anti-VM" option to beat the test environments used by security researchers, and an option, as advertised, to make the ransomware program "self-deleting."

Instead of simply selling the Thanos software, Zagala allowed people to pay for it in two ways. First, a criminal could purchase a "license" to use the software for a certain period of time.

The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina, that Zagala controlled, in order to confirm that the user had an active license.

Alternatively, a Thanos customer could join what Zagala called an "affiliate program," in which he gave the user access to the Thanos builder in exchange for a portion of the proceeds from ransomware attacks.

Zagala received payment in both fiat currency and cryptocurrency, including Monero and Bitcoin.

Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screen names that referenced Greek mythology.

Zagala's two favorite nicknames were "Aesculapius," in reference to the ancient Greek god of medicine, and "Nosophoros," meaning "disease bearer" in Greek. In the program's public announcements, Zagala boasted that ransomware created with Thanos was nearly undetectable to antivirus programs and that "once encryption was done," the ransomware would "erase itself," making detection and recovery "nearly impossible" for the victim.

In private chats with customers, Zagala explained to them how to implement their ransomware products: how to design a ransom note, steal passwords from victims' computers, and set up a Bitcoin address for ransom payments.

Zagala explained to a client, talking about Jigsaw: "Victim 1 pays at the given btc [Bitcoin] address and decrypts their files," the complaint says.

Zagala also noted that "there is a punishment ... [if] the user restarts. For every repetition, it will punish you with 1000 deleted files." After Zagala explained all the features of the software, the customer replied, "Sir, I really need to say this ... You are the greatest developer of all time."

Zagala replied: "Thank you, it's good to hear. I am very flattered and proud."

Zagala only had one request: "If you have time and it's not too much of a problem for you, describe your experience with me" in an online review.

FBI Kicks In

On or about May 1, 2020, a confidential FBI human source (CHS-1) discussed joining Zagala's "affiliate program."

Zagala replied: "Not for now. Do not have stains." But Zagala offered to license the software to CHS-1 for $500 a month with "basic options" or $800 with "full options."

On or around October 7, 2020, CHS-1 asked Zagala how to set up an affiliate program of his own using Thanos. Zagala responded with a short tutorial on how to set up a ransomware operation.

The cardiologist explained that CHS-1 should find people "versed ... in LAN hacking" and provide them with a version of the Thanos ransomware that was scheduled to expire after a certain period of time.

Zagala said he personally had "a maximum of between 10 and 20" affiliates at any given time, and "sometimes only 5."

He added that hackers approached him in search of his software after they had gained access to a victim's network:

"They come with access to [big] LAN, I check and then I accept [.] block several large networks and we wait... If you block networks without tape or cloud (backups), almost all of them pay."

Zagala further explained that sometimes a victim's network turned out to have an unexpected backup:

"So, it doesn't make sense to block it because they have backups, so in that case we just extract data," referring to the theft of the victim's information.

The complaint notes that the defendant told his clients that he had an associate who "knows how to corrupt tapes," i.e., backups, and how to "disable AV," i.e., antivirus software.

Finally, Zagala offered to give CHS-1 an additional two weeks for free after CHS-1's one-month license expired, explaining that "because 1 month is very little for this business... sometimes you have to work hard to make a good profit."

Zagala's customers rated his products favorably. One person posted a message praising Thanos in July 2020, writing "I bought the ransomware from nosophoros and it's very powerful" and claiming that he had used Zagala's ransomware to infect a network of about 3000 computers.

In December 2020, another user wrote a post in Russian:

"We have been working with this product for more than a month, we have a good profit! The best support I've ever met."

Zagala publicly discussed his knowledge that his clients used his software to commit ransomware attacks, including by posting a link to a story about the use of Thanos by an Iranian state-sponsored hacking group to target Israeli businesses.

Around November 2021, Zagala was still using a third screen name: "Nebuchadnezzar." In chats with a second confidential FBI source (CHS-2), Zagala stated that he had changed aliases to preserve his "OPSEC... operational security" because "malware analysts are on me."

On or about May 3, 2022, law enforcement agents conducted a voluntary interview with a relative of Zagala who resides in Florida and whose PayPal account was used by Zagala to receive illicit proceeds.

The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming. The subject also showed the agents Zagala's contact information on his phone, which matched the email registered for the malicious infrastructure associated with the Thanos malware.

If convicted, the defendant faces up to five years in prison for attempted computer intrusion and five years in prison for conspiracy to commit computer intrusions.

This case is being handled by the Homeland Security and Cybercrime Section.

Assistant U.S. Attorneys David K. Kessler and Alexander F. Mindlin are in charge of the indictment.
