The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit sharing arrangements.
Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the ransomware to other cybercriminals to facilitate the intrusions and get a share of the bitcoin payment.
If convicted, Zagala faces up to five years' imprisonment for attempted computer intrusion, and five years' imprisonment for conspiracy to commit computer intrusions.
"The multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran," U.S. attorney Breon Peace said.
The ransomware-as-a-service (RaaS) scheme involved encrypting files belonging to companies, non-profit entities, and other institutions, and then demanding a ransom in exchange for the decryption key.
At its core, Thanos is a private ransomware builder that allows its purchasers (aka affiliates) to create their own custom ransomware software, which they could then use or lease it to other actors, effectively widening the scope of the attacks.
An analysis by Recorded Future in June 2020 revealed that the builder comes with 43 different configuration options, calling it the first ransomware family to leverage the RIPlace technique to bypass ransomware protection features built into Windows 10.
Some of the options available include the ability to modify the ransom notes, specify the list of file types to be exfiltrated prior to encryption, and settings to evade detection and self-delete the ransomware after execution.
Zagala is believed to have advertised the software on darknet cybercrime forums for $500 a month with "basic options" or $800 with "full options," while also recruiting affiliates for the RaaS program.
"On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala's 'affiliate program,'" the DoJ said. "Zagala responded: 'Not for now. Don't have spots," before proceeding to license the software to CHS-1 and helping the informant with tutorials on how to use the software and set up an affiliate crew.
Zagala, who received favorable reviews for his ransomware tools, was ultimately traced on May 3, 2022, after identifying a PayPal account belonging to his relative who resides in the U.S. state of Florida and which was used to obtain the illicit proceeds.
"The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming," the DoJ said.