US Justice Department charges a doctor for selling Thanos ransomware

US DoJ links Thanos ransomware and Jigsaw ransomware development to the cardiologist from Venezuela

Cardiologist indicted for Jigsaw and Thanos ransomware creation and distribution

Justice Department charges the alleged creator and distributor of the dangerous ransomware. The 55-year-old cardiologist from Venezuela was accused of being the mastermind behind the Thanos ransomware.^[1] The indictment lists that the Justice Department wants to charge him with the use and sale of the ransomware tool and entering into profit-sharing arrangements.^[2]

The agency claims that a doctor with French and Venezuelan citizenship from Ciudad Bolivar in Venezuela created and then rented the Jigsaw and Thanos to other cybercriminals. The criminal not only created and distributed the malware but trained the purchasing hackers in the use of this malicious program.^[3]

As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks.

Moises Luis Zagala Gonzales, aka Nosophorors, Aesculapius, Nebuchadnezzar, offered support for the cybercriminals who bought the malware and shared their profits after ransomware attacks. These attacks were held worldwide because the threat was used by various threat actor groups, including the malicious actors associated with the government of Iran.

Developer of two major ransomware strains

Jigsaw ransomware^[4] is the infection that has a Doomsday counter that deletes a number of files from the particular drives of affected devices. It does that every hour until the initial ransom amount gets paid. After each reset, the number of deleted files increases. This threat has not been active since the fall of 2021, and it was not very active, but ransomware was a damaging threat. Right now, there is a decryptor tool for the particular family.

Thanos ransomware is the ransomware-as-a-service named, as researchers say, after death.^[5] This tool is advertised on various Russian-speaking hacker forums, and it allows affiliates to customize the ransomware using the builder that is also offered by the same creator. These samples were not discovered since February 2022, and the ransomware builder was leaked on VirusTotal back in June 2021.

Zagala initiated the affiliate program where cybercriminals shared their profits with the developer. He also licensed the Thanos malware using the licensing server and hosted that in Charlotte, North Carolina. This ransomware was named the first family leveraging the RIPlace technique that allows bypassing the protection features built into Windows 10.^[6]

Software advertised and sold online with different options

The particular ransomware builder has 43 options for configuration, and those include the ability to alter ransom notes and the list of file types that can be exfiltrated prior to the file encryption. Other settings related to detection avoidance and self-deletion of the ransomware can be altered.

Zagala advertised the malware on darknet cybercrime forums for $500 a month with basic options and for $800 with full options for a month. These forums were the place where the developer found the affiliates for this RaaS program. The attacker was initially traced on May 3rd, 2022 when the PayPal account was identified as belonging to his relative in the US. This account was used to receive payments from victims and other profits from the affiliate crew.

As researchers say, Zagala resides in Venezuela and learned all these functions, computer programming, and hacking himself. If fully convicted, Zagala may face up to five years of imprisonment for the attempted computer intrusion and additional five years for conspiracy to commit device intrusions.