The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware[1], charging him with the use and sale of the malicious tool and entering into profit-sharing arrangements.
Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the ransomware to other cybercriminals to facilitate the intrusions and get a share of the bitcoin payment.
If convicted, Zagala faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.
“The multi-tasking doctor treated patients, created and named his cyber tool after death[2], profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” U.S. attorney Breon Peace said[3].
The ransomware-as-a-service (RaaS) scheme involved encrypting files belonging to companies, non-profit entities, and other institutions, and then demanding a ransom in exchange for the decryption key.
At its core, Thanos is a private ransomware builder that allows its purchasers (aka affiliates) to create their own custom ransomware software, which they could then use themselves or lease to other actors, effectively widening the scope of the attacks.
An analysis[4] by Recorded Future in June 2020 found that the builder comes with 43 different configuration options, and called Thanos the first ransomware family to leverage the RIPlace[5] technique[6] to bypass ransomware protection features built into Windows 10.
Options available include the ability to modify the ransom notes, specify the list of file types to be exfiltrated prior to encryption, and settings to evade detection and self-delete the ransomware after execution.
Zagala is believed to have advertised the software on darknet cybercrime forums for $500 a month with “basic options” or $800 with “full options,” while also recruiting affiliates for the RaaS program.
“On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala’s ‘affiliate program,’” the DoJ said. “Zagala responded: ‘Not for now. Don’t have spots,’” before proceeding to license the software to CHS-1 and helping the informant with tutorials on how to use the software and set up an affiliate crew.
Zagala, who received favorable reviews for his ransomware tools, was ultimately traced on May 3, 2022, after a PayPal account was identified that belonged to a relative of his residing in the U.S. state of Florida and that was used to obtain the illicit proceeds.
“The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming,” the DoJ said.
Read more https://thehackernews.com/2022/05/us-charges-venezuelan-doctor-for-using.html