It has been reported that a Venezuelan cardiologist turned alleged malware developer has been charged with masterminding the Thanos ransomware builder.
According to a US criminal complaint unsealed on May 16, 2022, Moises Luis Zagala Gonzales, 55 years of age and a citizen of France and Venezuela, is charged with attempted computer intrusions and conspiracy to commit computer intrusions.
According to the complaint, Zagala allegedly sold and leased ransomware packages that he developed himself to cybercriminals.
Notably, he is also accused of training buyers of his ransomware in how to deploy it and how to successfully extort victims.
Zagala taught himself to code and, in his spare time, developed several ransomware tools: malicious packages designed to encrypt files on a compromised system and then demand payment in exchange for a decryption key.
The ransomware tool ‘Jigsaw v.2’ was also his brainchild before he went on to design the Thanos ransomware builder.
According to the DoJ, the name Thanos might be a reference to the Marvel supervillain or the figure ‘Thanatos’ from Greek mythology.
How exactly does Thanos work? The Thanos platform could be used to create customized ransomware campaigns with tailor-made ransom notes, which makes attribution harder for security researchers. It also features a “data stealer” that can be used to extract files from a compromised system.
He allegedly profited by offering it as ransomware-as-a-service (RaaS), licensing his software to cybercriminals and receiving payment in fiat currencies or cryptocurrencies.
His products were relatively easy to obtain, since he advertised and marketed them on online forums frequented by cybercriminals.
‘A number of OpSec mistakes allowed investigators to identify Zagala as a suspect’, according to the DoJ.
How did they find him? Through an undercover agent who allegedly bought a licence for Thanos from Zagala and downloaded the software in September 2020. The agent allegedly discussed with Zagala the possibility of establishing an affiliate program using Thanos, according to the DoJ filing.
Zagala is also said to have publicly boasted about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.
Thanos was designed to periodically contact a server in Charlotte, North Carolina, mainly to verify licenses, and that server was ultimately linked back to Zagala.
A relative in Florida, interviewed by law enforcement on May 3, 2022, admitted that their PayPal account had been used by Zagala to receive funds.
The relative had contacted Zagala at an email address that was also registered to malicious infrastructure associated with the Thanos malware.
As of this writing, there is no information on how much money he made from the Thanos ransomware builder. If convicted, he faces up to five years’ imprisonment for attempted computer intrusion and a further five years’ imprisonment for conspiracy to commit computer intrusions.
Nowadays, malware and ransomware authors are not the stereotypical hackers: no age, profession, or educational background rules anyone out. It can be anybody. Better safe than sorry: think before you click.