NetworkTigers discusses what Thanos malware, Nosophoros, Aesculapius and Nebuchadnezzar have in common.
Nosophoros is Greek for “disease-bringer.” Aesculapius is an ancient god of medicine. Nebuchadnezzar was a biblical king who ransacked and pillaged the city of Judah before supposedly succumbing to seven years of madness.
These three names all refer to a 55-year-old cardiologist. This particular doctor has been charged by the Department of Justice as the alleged mastermind behind the dreaded Thanos malware, which was used by Russian actors, Iranian state-sponsored hacking groups, and others to infect and hold hostage scores of victims’ online systems. Allegedly, he used these three pseudonyms to market his own ransomware generator and to train legions of cybercriminals in hijacking their way onto host computers.
What is Thanos?
Back in 2019, a new threat appeared in the cyber landscape. Advertisements were placed on the dark web for a “private ransomware builder”, according to newly released Department of Justice reports. This software was essentially a streamlined, simplified user interface that could be used to create new, customized ransomware variants. These variants could then be deployed by their creators or sold to other hackers and cybercriminals.
What is behind the name Thanos?
The name Thanos is believed to be a reference both to the Marvel supervillain Thanos and to the Greek god of death, Thanatos. The label fits the grandiose aliases, often drawn from Greek mythology, that its creator habitually used.
How does Thanos work?
Thanos was unmistakably a user-friendly malware creation tool. One side of the interface was for entering “Recovery Information”, that is, the terms of the desired ransom. On the other side was a series of options the builder could enable, including:
- Data stealer: An option specifying which kinds of files should be targeted once the malware had been loaded onto the host computer.
- Anti VM: A setting intended to detect and evade the virtual machines and sandboxes that security analysts commonly use for tracking and testing malware.
- Self-delete: One of the more insidious features of the Thanos ransomware builder is its capacity to self-delete. Once the malware had finished infiltrating the victim’s host computer, it was designed to delete itself from the system. This made both tracing the ransomware back to its source and recovering infected files nearly impossible for those who were targeted. Even when ransoms were paid, Thanos variants were especially devious because of this ability to infest, infect, and then disappear, taking the tainted files with them.
Cybercriminals, Bitcoin, and the Thanos ransomware builder
Another element that made Thanos unique in the world of dark web activity was that it largely ran on a subscription model. Hackers and even state-sponsored cybercriminals could pay a recurring licensing fee to access the ransomware engine. Alternatively, they were invited to join what was known as an “affiliate program”, effectively a larger hacking ring, in which payments were made as a percentage of the profits from their intrusions. Payments were usually made in cryptocurrency such as Monero and Bitcoin.
Notable Thanos hacks
In July of 2020, Palo Alto Networks reported two attacks on state networks in North Africa and the Middle East. Researchers identified the threat as malware produced by the Thanos builder, which infected official networks and demanded $20,000 in Bitcoin as ransom. Like the equally concerning Petya malware, Thanos variants were designed to overwrite the Master Boot Record (MBR) of the computer’s hard drive in order to display the ransom message. This kind of programming is considered especially destructive because overwritten and infected files are difficult to recover even if the ransom is paid; the MBR is often destroyed in the initial attack regardless.
Palo Alto Networks identified over 130 different Thanos variants tied to unique ransomware attacks in the past three years. Many of these were freely available on the internet as open-source code. Others were delivered via phishing emails, often sent to employees of large companies.
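Because the MBR-overwriting variants described above replace the first sector of the disk with ransom-message code, one practical defensive check is to keep a baseline copy of each host’s MBR and periodically compare the live sector against it. The script below is an added example written for this article; it is not code from NetworkTigers, Palo Alto Networks, or any Thanos sample. It assumes a baseline sector captured earlier (here a constructed sample stands in for both the baseline and a tampered sector), and reading a real device such as /dev/sda through read_mbr() requires root privileges.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of every valid MBR
CODE_AREA = slice(0, 440)         # bootstrap code, the region ransom loaders overwrite
DISK_SIG = slice(440, 444)        # 32-bit disk signature
PART_TABLE_OFFSET = 446           # four 16-byte partition entries follow


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device, e.g. /dev/sda (requires root)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the fields a baseline comparison cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # partition type 0 means an empty slot
            partitions.append({"index": i, "bootable": boot_flag == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sector_count})
    return {
        "code_sha256": hashlib.sha256(sector[CODE_AREA]).hexdigest(),
        "disk_signature": sector[DISK_SIG].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR is unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is no longer a valid MBR")
    if base["code_sha256"] != cur["code_sha256"]:
        findings.append("bootstrap code area changed: sha256 differs from baseline")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    # A boot sector that is mostly ASCII text is a strong hint that a
    # ransom message, not boot code, now lives there.
    printable = sum(32 <= b < 127 for b in current[CODE_AREA])
    if printable > 0.6 * 440:
        findings.append("bootstrap code area is mostly printable text (possible ransom message)")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample MBR (not from any real disk): one bootable Linux partition."""
    code = code.ljust(440, b"\x00")[:440]
    disk_sig = b"\x12\x34\x56\x78"
    reserved = b"\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # three empty slots
    return code + disk_sig + reserved + table + BOOT_SIGNATURE


# Constructed baseline: a byte ramp standing in for genuine boot code.
BASELINE_MBR = build_sample_mbr(bytes(range(256)) * 2)
# Constructed tampered sector: the code area replaced by repeated text.
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED SAMPLE: BOOT CODE REPLACED BY TEXT " * 10)

if __name__ == "__main__":
    print("unchanged:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    for finding in compare_mbr(BASELINE_MBR, TAMPERED_MBR):
        print("ALERT:", finding)
```

In practice the baseline hash would be stored off-host (for example in an asset inventory) so that a payload which also wipes local files cannot erase the reference copy; a legitimate bootloader update will trip the same check, so the alert should be correlated with change records rather than treated as proof of compromise.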
Another iteration of Thanos, known as “Jigsaw v. 2”, was also allegedly created by the same cybercriminal. This “doomsday device” was designed to keep track of how many attempts were made to remove or uninstall files infected with the malware. If too many efforts were made to clear the cache or reboot, Jigsaw v. 2 would automatically take steps to erase the victim’s entire hard drive, on the assumption that they were unlikely to pay the requested ransom. For every attempt made to delete the virus, Jigsaw v. 2 was said to delete 1,000 files as punishment.
International cyber criminal activity
The spread of Thanos cannot be overstated, ranging from Russian hackers to the Iranian state-sponsored group known as “MuddyWater”, which allegedly used Thanos to attack Israeli targets. Rave reviews of Thanos’s capabilities and efficacy were posted across the internet. Access to Thanos was eventually traced back to a server in North Carolina, which confirmed that hackers who used or downloaded the ransomware builder had in fact subscribed to the service or were part of the affiliate program and regularly paid their dues.
Who is the cybercriminal mastermind behind Thanos?
The leader of this shadowy cabal ought to be equally fearsome, a hacking wizard capable of inventing one of the most devastating ransomware innovations of the late 2000s. Few would expect the mastermind behind Thanos to be a 55-year-old doctor, Moises Luis Zagala Gonzalez. Zagala, who is of French and Venezuelan descent, currently lives in Ciudad Bolivar, Venezuela, and was described by a relative as a self-taught programmer who used PayPal to collect the proceeds of his doomsday devices. In addition to his alleged cybercriminal activities, Zagala is a practicing cardiologist.
Charges against Zagala were brought by the Eastern District of New York and the FBI on Monday, May 16, 2022. United States Attorney Breon Peace summarized the case: “As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.”
What will happen in the case against Zagala and the Thanos builder?
If tried and found guilty in the US, Zagala faces up to 5 years in prison for each count on which he may be convicted. In the short term, the FBI and Justice Department hope that exposing the hacking network will deter future cybercriminals from joining in, and will shed light on the cybersecurity practices needed to prevent and respond to Thanos ransomware.
In the meantime, protect your networks and business from intrusion by taking key steps to train employees and upgrade systems. While the mastermind behind Thanos may have been stopped, future evolutions of the ransomware generator he created cannot be ruled out as a risk. Cybersecurity remains of paramount importance in today’s digital landscape.
- Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals | USAO-EDNY | Department of Justice
- Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
- US names and shames Venezuelan doctor as notorious ransomware maker | TechCrunch
- Iranian state hacker group linked to ransomware deployments | ZDNet
- Cardiologist accused of designing ransomware and selling it to cybercriminals