hacker and ransomware designer charged with using and selling ransomware and profit-sharing deals with cybercriminals | USAO-EDNY
A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as ‘Nosophoros’, ‘Asculapius’ and ‘Nebuchadnezzar’, a French and Venezuelan citizen residing in Venezuela, with attempted computer intrusion and conspiracy to commit computer intrusions. The charges stem from Zagala’s use and sale of ransomware, as well as its extensive support and profit-sharing agreements with cybercriminals who used its ransomware programs.
Breon Peace, United States Attorney for the Eastern District of New York, and Michael J. Driscoll, Deputy Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the charges.
“As alleged, the multitasking doctor treated patients, created and named his cyber tool after death, took advantage of a global ransomware ecosystem in which he sold the tools to carry out ransomware attacks, trained the attackers on how to extort victims and then bragged about successful attacks, including by malicious actors associated with the Iranian government,” the U.S. peace attorney said. is a top priority of the Department of Justice and this Bureau.If you profit from ransomware, we will find you and disrupt your malicious operations.
“We allege that Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are looking for companies and organizations that have failed to take steps to protect their systems – which is an extremely vital step in stopping the next ransomware attack,” said Deputy Director in Charge Driscoll.
As charged in the criminal complaint, Zagala, a 55-year-old cardiologist residing in Ciudad Bolivar, Venezuela, designed several ransomware tools, malicious software that cybercriminals use to extort money from companies, organizations nonprofits and other institutions, by encrypting these files. then demand ransom for decryption keys. Zagala sold or rented its software to hackers who used it to attack computer networks.
One of Zagala’s first products, a ransomware tool called “Jigsaw v. 2”, had a “Doomsday” counter in the Zagala description that kept track of the number of times the user attempted to eradicate ransomware. Zagala wrote, “If the user kills the ransomware too many times, then clearly they won’t pay, so better wipe the entire hard drive.
Starting in late 2019, Zagala began advertising a new online tool, a “Private Ransomware Builder” which he called “Thanos”. The software’s name appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the “Thanatos” figure from mythology. Greek, which is associated with death. The Thanos software allowed its users to create their own unique ransomware, which they could then use or rent for use by other cybercriminals. The Thanos software user interface is shown below:
The screenshot shows, on the right side, a “Recovery Information” area, where the user can create a personalized ransom note. Other options include a “data stealer” which specifies the types of files the ransomware program should steal from the victim computer, an “anti-VM” option to defeat test environments used by security researchers, and a option, as advertised, to make the ransomware program “self-remove”.
Rather than just selling the Thanos software, Zagala allowed individuals to pay for it in two ways. First, a criminal could purchase a “license” to use the software for a certain period of time. The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled in an effort to confirm that the user had an active license. Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which they provided a user with access to Thanos’ builder in exchange for a share of the profits from Ransomware attacks. Zagala received payment in both fiat and cryptocurrency, including Monero and Bitcoin.
Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screen names referencing Greek mythology. His two favorite nicknames were “Asculapius”, referring to the ancient Greek god of medicine, and “Nosophoros”, which means “disease carrier” in Greek. In public advertisements for the program, Zagala boasted that ransomware created using Thanos was almost undetectable by antivirus programs, and that “once the encryption was done” the ransomware would “wipe out”, making detection and recovery “almost impossible” for the victim.
In private chats with clients, Zagala told them how to deploy his ransomware products, how to design a ransom note, steal passwords from victims’ computers, and set a Bitcoin address for ransom payments. As Zagala explained to a client, discussing Jigsaw: “Victim 1 pays the given btc [Bitcoin] addresses and decrypts its files. Zagala also noted that “there is a punishment… [i]f the user restarts. For each rerun it will punish you with 1000 deleted files. After Zagala explained all the features of the software, the client replied, “Sir, I really need to say this… You are the best developer ever. Zagala replied, “Thank you, that’s nice to hear[.] I am very flattered and proud. Zagala had only one request: “If you have the time and it’s not too much trouble, please describe your experience with me” in an online review.
On or about May 1, 2020, a confidential FBI human source (CHS-1) discussed joining Zagala’s “affiliate program.” Zagala replied, “Not at the moment. Have no spots. But Zagala offered to license the software to CHS-1 for $500 per month with “basic options” or $800 with “full options”.
On or about October 7, 2020, CHS-1 asked Zagala how to establish his own affiliate program using Thanos. Zagala responded with a short tutorial on how to set up a ransomware team. He explained that CHS-1 should find people who are “adept… in LAN hacking” and provide them with a version of Thanos ransomware that is scheduled to expire after a given period of time. Zagala said he personally has “a maximum of 10-20” affiliates at any given time, and “sometimes only 5”. He added that the hackers approached him for his software after gaining access to a network of victims: “They come with access to [b]ig LAN, I check then I accept[.] they lock down several large networks and we wait… If you lock down networks without band or cloud (backups)[,] almost all pay[.]”
Zagala further explained that sometimes a victim network turned out to have an unexpected backup: “so no need to lock down because they have backups, so in this case we are just exfiltrating data”, referring to the theft of information about the victim. Zagala further added that he has an associate who “knows how to corrupt tapes”, i.e. backups, and how to “disable AV”, i.e. anti-virus software. Finally, Zagala offered to give CHS-1 an additional two weeks free after CHS-1’s one-month license expired, explaining “because one month is too little for this company. .sometimes you have to work a lot to get a good profit”.
Zagala’s customers have rated its products favorably. An individual posted a message praising Thanos in July 2020, writing “I bought the ransomware from nosophoros and it is very powerful”, and claiming that he used the ransomware from Zagala to infect a network of about 3000 computers. And, in December 2020, another user wrote a post in Russian: “We have been working with this product for more than a month now, we have a good profit! The best support I have encountered. Zagala has publicly stated that he knows his clients are using his software to carry out ransomware attacks, including linking to a news report about the use of Thanos by an Iranian state-sponsored hacking group to attack people. Israeli companies.
In or around November 2021, Zagala began using a third screen name – “Nebuchadnezzar”. In discussions with a second confidential FBI source (CHS-2), Zagala said he changed his alias to preserve “OPSEC…operational security” because “malware analysts are all over me.”
On or about May 3, 2022, law enforcement officers conducted a voluntary interview with a relative of Zagala who resides in Florida and whose PayPal account was used by Zagala to receive illicit proceeds. The individual confirmed that Zagala resides in Venezuela and learned computer programming. The individual also showed contact information for Zagala agents on his phone which matched the registered email for the malicious infrastructure associated with the Thanos malware.
If found guilty, the accused faces up to five years in prison for attempted computer intrusion and five years in prison for conspiracy to commit computer intrusions.
The government’s case is being handled by the Bureau’s National Security and Cybercrime Section. Assistant United States Attorneys David K. Kessler and Alexander F. Mindlin are charged with the prosecution.
MOSES LUIS ZAGALA GONZALEZ
Ciudad Bolivar, Venezuela
EDNY File #21-M-276
 On September 14, 2020, an FBI agent surreptitiously purchased a license for Thanos from Zagala and downloaded the software.
 This server has been taken offline.
 “LAN” stands for “local area network” and refers to a computer network that interconnects computers in a limited area such as an office building.