[BreachExchange] Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals

Matthew Wheeler mwheeler at flashpoint-intel.com
Tue May 17 08:25:36 EDT 2022


https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/

A criminal complaint was unsealed today in federal court in Brooklyn, New
York, charging Moises Luis Zagala Gonzalez (Zagala), also known as
“Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and
Venezuela who resides in Venezuela, with attempted computer intrusions and
conspiracy to commit computer intrusions.  The charges stem from Zagala’s
use and sale of ransomware, as well as his extensive support of, and profit
sharing arrangements with, the cybercriminals who used his ransomware
programs.

Breon Peace, United States Attorney for the Eastern District of New York,
and Michael J. Driscoll, Assistant Director-in-Charge, Federal Bureau of
Investigation, New York Field Office (FBI), announced the charges.

“As alleged, the multi-tasking doctor treated patients, created and named
his cyber tool after death, profited from a global ransomware ecosystem in
which he sold the tools for conducting ransomware attacks, trained the
attackers about how to extort victims, and then boasted about successful
attacks, including by malicious actors associated with the government of
Iran,” stated United States Attorney Peace.  “Combating ransomware is a top
priority of the Department of Justice and of this Office.  If you profit
from ransomware, we will find you and disrupt your malicious operations.”

“We allege Zagala not only created and sold ransomware products to hackers,
but also trained them in their use. Our actions today will prevent Zagala
from further victimizing users. However, many other malicious criminals are
searching for businesses and organizations that haven’t taken steps to
protect their systems – which is an incredibly vital step in stopping the
next ransomware attack,” stated Assistant Director-in-Charge Driscoll.

As charged in the criminal complaint, Zagala, a 55-year-old cardiologist
who resides in Ciudad Bolivar, Venezuela, has designed multiple ransomware
tools—malicious software that cybercriminals use to extort money from
companies, nonprofits and other institutions, by encrypting their files and
then demanding a ransom for the decryption keys.  Zagala sold or rented out
his software to hackers who used it to attack computer networks.

One of Zagala’s early products, a ransomware tool called “Jigsaw v. 2,”
had, in Zagala’s description, a “Doomsday” counter that kept track of how
many times the user had attempted to eradicate the ransomware.  Zagala
wrote: “If the user kills the ransomware too many times, then its clear he
won’t pay so better erase the whole hard drive.”

Beginning in late 2019, Zagala began advertising a new tool online—a
“Private Ransomware Builder” he called “Thanos.”  The name of the software
appears to be a reference to a fictional cartoon villain named Thanos, who
is responsible for destroying half of all life in the universe, as well as
a reference to the figure “Thanatos” from Greek mythology, who is
associated with death.  The Thanos software allowed its users to create
their own unique ransomware software, which they could then use or rent for
use by other cybercriminals.  The user interface for the Thanos software is
shown below:[1]

[Screenshot of the Thanos builder user interface is not reproduced in this mailing list copy.]

The screenshot shows, on the right-hand side, an area for “Recovery
Information,” in which the user can create a customized ransom note.  Other
options include a “data stealer” that specifies the types of files that the
ransomware program should steal from the victim computer, an “anti-VM”
option to defeat the testing environments used by security researchers, and
an option, as advertised, to make the ransomware program “self-delete.”

Rather than simply sell the Thanos software, Zagala allowed individuals to
pay for it in two ways.  First, a criminal could buy a “license” to use the
software for a certain period of time.  The Thanos software was designed to
make periodic contact with a server in Charlotte, North Carolina that
Zagala controlled for the purpose of confirming that the user had an active
license.[2]  Alternatively, a Thanos customer could join what Zagala called
an “affiliate program,” in which he provided a user access to the Thanos
builder in exchange for a share of the profits from Ransomware attacks.
Zagala received payment both in fiat currency and cryptocurrency, including
Monero and Bitcoin.
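The license check described above means a Thanos build phoned home to a fixed server on a schedule. From a defender's side, that kind of regular check-in is one of the few signals a "nearly undetectable" build still gives off on the network. The following is an added detection example, not code from the complaint or from the Thanos software; it assumes a simple three-column proxy log (ISO timestamp, source IP, destination host), and the log lines, IP address and hostnames are constructed for illustration.

```python
"""Beacon-interval detector over constructed proxy log lines (added example).

Flags (source, destination) pairs whose connection timestamps are evenly
spaced, which is the pattern a periodic license or C2 check-in produces.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Columns: ISO timestamp, src IP, dst host.
# One host is contacted almost exactly hourly; the other at irregular times.
SAMPLE_LOG = """\
2022-05-16T09:00:00 10.0.0.5 license-check.example.invalid
2022-05-16T09:00:02 10.0.0.5 cdn.example.invalid
2022-05-16T10:00:01 10.0.0.5 license-check.example.invalid
2022-05-16T10:37:45 10.0.0.5 cdn.example.invalid
2022-05-16T11:00:00 10.0.0.5 license-check.example.invalid
2022-05-16T11:12:09 10.0.0.5 cdn.example.invalid
2022-05-16T12:00:02 10.0.0.5 license-check.example.invalid
2022-05-16T12:55:30 10.0.0.5 cdn.example.invalid
2022-05-16T13:00:01 10.0.0.5 license-check.example.invalid
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the assumed three-column format.

    Lines that do not match the format are skipped rather than raising.
    """
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        flows[(m.group(2), m.group(3))].append(ts)
    return flows


def beacon_score(timestamps):
    """Return (mean_interval_seconds, jitter_ratio) for a list of timestamps.

    jitter_ratio is the population standard deviation of the gaps between
    consecutive connections divided by the mean gap; a scheduled check-in has
    a ratio close to zero, human-driven browsing does not. Returns None when
    there are too few connections to measure an interval.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(intervals) / mean


def find_beacons(text, min_connections=4, max_jitter=0.05):
    """Return a list of flows regular enough to look like a scheduled check-in.

    Thresholds are assumptions for this example; tune them against your own
    baseline so that well-known update or telemetry hosts can be allow-listed.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        mean, jitter = score
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "interval_s": round(mean),
                "jitter": round(jitter, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed log the hourly `license-check.example.invalid` flow is reported with a five-connection count and a 3600-second interval, while the irregular CDN traffic is not. In practice the same scoring is applied per host over a day or more of proxy or NetFlow data, and newly seen destinations with low jitter are the ones worth a closer look.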

Zagala advertised the Thanos software on various online forums frequented
by cybercriminals, using screennames that referred to Greek mythology.  His
two preferred nicknames were “Aesculapius,” referring to the ancient Greek
god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek.  In
public advertisements for the program, Zagala bragged that ransomware made
using Thanos was nearly undetectable by antivirus programs, and that “once
encryption is done,” the ransomware would “delete itself,” making detection
and recovery “almost impossible” for the victim.

In private chats with customers, Zagala explained to them how to deploy his
ransomware products—how to design a ransom note, steal passwords from
victim computers, and set a Bitcoin address for ransom payments.  As Zagala
explained to one customer, discussing Jigsaw: “Victim 1 pays at the given
btc [Bitcoin] address and decrypts his files.”  Zagala also noted that
“there is a punishment… [i]f user reboots.  For every rerun it will punish
you with 1000 files deleted.”  After Zagala explained all the features of
the software, the customer replied: “Sir, I really need to say this . . .
You are the best developer ever.”  Zagala responded: “Thank you that is
nice to hear[.]  Im very flattered and proud.”  Zagala had only one
request: “If you have time and its not too much trouble to you please
describe your experience with me” in an online review.

On or about May 1, 2020, a confidential human source of the FBI (CHS-1)
discussed joining Zagala’s “affiliate program.”  Zagala responded: “Not for
now.  Don’t have spots.”  But Zagala offered to license the software to
CHS-1 for $500 a month with “basic options,” or $800 with “full options.”

On or about October 7, 2020, CHS-1 asked Zagala how to establish an
affiliate program of his own using Thanos.  Zagala responded with a short
tutorial on how to set up a ransomware crew.  He explained that CHS-1
should find people “versed…in LAN hacking” and supply them with a version
of the Thanos ransomware that was programmed to expire after a given period
of time.[3]  Zagala said that he personally had “a maximum of between
10-20” affiliates at a given time, and “sometimes only 5.”  He added that
hackers approached him for his software after they had gained access to a
victim network:  “they come with access to [b]ig LAN, I check and then I
accept[.]  they lock several big networks and we wait…If you lock networks
without tape or cloud (backups)[,] almost all pay[.]”

Zagala further explained that, sometimes, a victim network turned out to
have an unexpected backup: “so no point in locking because they have
backups, so in that case we only exfiltrate data,” referring to stealing
victim information.  Zagala further added that he had an associate who
“knows how to corrupt tapes,” meaning backups, and how to “disable[] AV,”
meaning antivirus software.  Finally, Zagala offered to give CHS-1 an
additional two weeks free after CHS-1’s one-month license expired,
explaining “because 1 month is too little for this business…sometimes you
need to work a lot to get good profit.”

Zagala’s customers favorably reviewed his products.  One individual posted
a message praising Thanos in July 2020, writing “i bought the ransomware
from nosophoros and it is very powerful,” and claiming that he had used
Zagala’s ransomware to infect a network of approximately 3000 computers.
And, in December 2020, another user wrote a post in Russian: “We have been
working with this product for over a month now, we have a good profit!
Best support I’ve met.”  Zagala has publicly discussed his knowledge that
his clients used his software to commit ransomware attacks, including by
linking to a news story about an Iranian state-sponsored hacking group’s
use of Thanos to attack Israeli companies.

In or around November 2021, Zagala began using a third screenname –
“Nebuchadnezzar.”  In chats with a second confidential source of the FBI
(CHS-2), Zagala stated that he had switched aliases to preserve “OPSEC…
operational security” because “malware analysts are all over me.”

On or about May 3, 2022, law enforcement agents conducted a voluntary
interview of a relative of Zagala who resides in Florida and whose PayPal
account was used by Zagala to receive illicit proceeds.  The individual
confirmed that Zagala resides in Venezuela and had taught himself computer
programming.  The individual also showed agents contact information for
Zagala in his phone that matched the registered email for malicious
infrastructure associated with the Thanos malware.

If convicted, the defendant faces up to five years’ imprisonment for
attempted computer intrusion, and five years’ imprisonment for conspiracy
to commit computer intrusions.

The government’s case is being handled by the Office’s National Security
and Cybercrime Section.  Assistant United States Attorneys David K. Kessler
and Alexander F. Mindlin are in charge of the prosecution.

The Defendant:

MOISES LUIS ZAGALA GONZALEZ

Age:  55

Ciudad Bolivar, Venezuela

E.D.N.Y. Docket No. 21-M-276