The US Attorney’s Office is charging a Venezuelan cardiologist with attempted computer intrusions and conspiracy to commit computer intrusions. The charges stem from his use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.
“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” stated United States Attorney Peace.
As charged in the criminal complaint, the cardiologist has designed multiple ransomware tools. He sold or rented out his software to those who used it to attack computer networks.
One of his early products, a ransomware tool called “Jigsaw v. 2,” had a “Doomsday” counter that kept track of how many times the user had attempted to eradicate the ransomware. The defendant wrote: “If the user kills the ransomware too many times, then its clear he won’t pay so better erase the whole hard drive.”
Beginning in late 2019, the doctor began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.” The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who is associated with death. The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals.
[Screenshot: The user interface for the Thanos software]
The screenshot shows, on the right-hand side, an area for “Recovery Information,” in which the user can create a customized ransom note. Other options include a “data stealer” that specifies the types of files that the ransomware program should steal from the victim computer, an “anti-VM” option to defeat the testing environments used by security researchers, and an option, as advertised, to make the ransomware program “self-delete.”
The defendant advertised the Thanos software on various online forums. In public advertisements for the program, the author bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim.
If convicted, the defendant faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.