Moisés Luis Zagala González, who operated under the nicknames “Nosophoros”, “Aesculapius” and “Nebuchadnezzar”, is accused of attempted computer intrusion and conspiracy to commit computer intrusions.
According to the complaint made public Monday by the federal court in Brooklyn, New York, the charges stem from Zagala’s use and sale of ransomware, as well as its extensive support and profit-sharing agreements with cybercriminals who used its ransomware programs.
Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, Deputy Director in Charge of the Federal Bureau of Investigation, New York Field Office (FBI), announced the charges as follows : “This multifaceted doctor allegedly treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem where he sold the tools to carry out ransomware attacks, trained attackers on how to extort money from victims, and then boasted of successful attacks, including by malicious actors associated with the government of Iran. The fight against ransomware is one of the main priorities of the Branch of Justice and this Office of the Attorney General. Provided you benefit from ransomware, we will find you and disrupt your malicious operations.”
The document adds: “We accuse Zagala of not only having created and sold ransomware products to hackers, but also of having trained them in their use. Our actions today will prevent Zagala from finding victims. However, numerous other malicious criminals are looking for companies and organizations that haven’t taken steps to protect their systems, which is an incredibly vital step in stopping the next ransomware attack.”
According to the criminal complaint, Zagala, a 55-year-old cardiologist residing in Ciudad Bolívar, Venezuela, has designed multiple ransomware tools. Zagala sold or rented his software to hackers who used it to attack computer networks.
One of Zagala’s first products, a ransomware tool called “Jigsaw v. 2”, had, according to Zagala’s own description, a “Doomsday” counter that kept track of how many times the user had tried to eradicate the ransomware. Zagala wrote: “If the user tries to kill the ransomware too many times, then it is clear that he is not going to pay, so better erase the entire tough drive.”
Starting in late 2019, Zagala began advertising a new tool online: a “Private Ransomware Builder” that he called “Thanos.” The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who was responsible for the destruction of half of life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who associate with death. Thanos software allowed its users to create their own unique ransomware, which they could then use or rent for use by other cybercriminals.
Instead of just selling Thanos software, Zagala allowed individuals to pay for it in two ways. First, a crook could buy a “license” to use the software for a sure period of time. The Thanos software was designed to periodically contact a server in Charlotte, North Carolina that Zagala controlled in order to confirm that the user had an active license. Alternatively, a Thanos client could join what Zagala called an “affiliate program,” providing the user with access to the Thanos builder in exchange for a share of the profits from the ransomware attacks. Zagala received payment in both fiat currency and cryptocurrencies, including Monero and Bitcoin.
Zagala advertised Thanos software on various online forums frequented by cybercriminals, using usernames that referenced Greek mythology. His two favorite nicknames were “Aesculapius”, referring to the ancient Greek god of medicine, and “Nosophoros”, which means “diseases carrier” in Greek. In public announcements for the program, Zagala boasted that the Thanos-created ransomware was almost undetectable by antivirus programs, and that “once encrypted,” the ransomware “erased itself,” making detection and recovery much easier. were “almost impossible” for the victim.
In private chats with clients, Zagala explained how to deploy his ransomware products: how to craft a ransom note, steal passwords from victims’ computers, and set up a Bitcoin address for ransom payment. As Zagala explained to a client, speaking of Jigsaw: “Victim 1 pays at the indicated btc [Bitcoin] address and decrypts their files.” Zagala also famous that “there is a penalty…[i]f the user reboots. For each reboot it will punish you with 1000 deleted files. After Zagala explained all the features of the software, the customer replied “Sir, I really need to say this… You are the best developer ever.” Zagala responded: «Thank you, it’s a pleasure to hear it[.] I feel very flattered and proud». Zagala had only one request: “If you have time and it’s not too much trouble, please describe your experience with me” in an online review.
On or about May 1, 2020, an FBI Confidential Human Source (CHS-1) spoke of joining Zagala’s “affiliate program.” Zagala replied: “Not for now. I don’t have seats.” But Zagala offered to license the software to CHS-1 for $500 a month with “basic options,” or $800 with “full options.”
On or around October 7, 2020, CHS-1 asked Zagala how to establish an affiliate program of his own using Thanos. Zagala responded with a short tutorial on how to set up a ransomware team. He explained that CHS-1 was to find people “well versed… in LAN hacking” and supply them with a version of the Thanos ransomware that was scheduled to expire after a set period of time. Zagala said that he personally had “a maximum of between 10 and 20” affiliates at any given time, and “sometimes only 5.” He added that hackers approached him for his software after gaining access to a victim’s network: “They come with LAN access, I check and then agree. They block several large networks and we hope… If you block networks without tape or cloud (backups), nearly everyone pays.”
Zagala further explained that sometimes a victim network turned out to have an unforeseen backup: “so there is no point in blocking because they have backups, so in that case we only exfiltrate data”, referring to the theft of victim information. . Zagala further added that he had a partner who “knows how to corrupt the tapes,” that is, the backups, and how to “turn off antivirus.” Lastly, Zagala offered to give CHS-1 an extra two weeks for free after CHS-1’s one-month license expired, explaining “because one month is very little for this business…sometimes you have to work hard to receive it.” good benefits.”
Zagala even publicly bragged about his knowledge and that his clients used his software to commit ransomware attacks. He even posted a link to a news story about an Iranian state-sponsored hacker group using Thanos to attack Israeli businesses.
In or around November 2021, Zagala began using a third username: “Nebuchadnezzar.” In chats with a moment confidential FBI source (CHS-2), Zagala stated that he had changed aliases to preserve “OPSEC…operational security” because “malware analysts are on top of me.”
In early May this year, law enforcement officers conducted a voluntary interview with a relative of Zagala’s who resides in Florida and whose PayPal account was used by Zagala to receive ill-gotten gains. This person confirmed that Zagala resided in Venezuela and had taught himself computer programming. The individual also showed agents contact information for Zagala on his phone that matched the email on dossier for the malicious infrastructure associated with the Thanos malware.
Provided convicted, the defendant faces up to five years in prison for attempted computer intrusion and five years in prison for conspiracy to commit computer intrusion.