Heart doctor and self-taught cybercriminal allegedly created and distributed ransomware.
According to the U.S. Department of Justice (DOJ), 55-year-old cardiologist Moises Luis Zagala Gonzalez has been charged in the Eastern District of New York with creating and distributing ransomware equipped with a “doomsday clock” and sharing in the profits from attacks carried out with it. Zagala also goes by the names “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar.” He is a citizen of France and Venezuela and currently lives in Ciudad Bolivar, Venezuela.
U.S. authorities allege that in 2019 the cardiologist began marketing a new online tool he had created, a “Private Ransomware Builder” named “Thanos.” He likely named it after the fictional character Thanos, who destroys half of all life in the universe, and after “Thanatos,” the personification of death in Greek mythology. Users of the builder can access a “Recovery Information” feature that lets them compose a customized ransom note, deliver it to victims, and set up an address to receive Bitcoin payments. They can also enable a “data stealer,” which exfiltrates selected files from a victim’s machine once it is infected, or an “anti-VM” option, which tries to detect virtual-machine sandboxes so the ransomware does not run under the analysis environments used by security researchers. The builder also lets users generate their own customized ransomware variants, either for their own attacks or to rent to other cybercriminals.
Zagala also created a ransomware tool called “Jigsaw v. 2,” which included a doomsday counter that tracked how many times a victim tried to remove the ransomware from a PC. “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Zagala wrote to his customers. The program comes with a self-delete option to do just that. The name “Jigsaw” may refer to the mastermind behind the sadistic games in the Saw movies.
Breon Peace, U.S. attorney for the Eastern District of New York, said, “As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.”
Michael J. Driscoll, assistant director in charge of the Federal Bureau of Investigation’s (FBI) New York Field Office, added, “We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems, which is an incredibly vital step in stopping the next ransomware attack.”
In its press release, the DOJ states, “Zagala’s customers were happy with his products. In a message posted in July 2020, one user said the ransomware was ‘very powerful’ and claimed that he had used it to infect a network of roughly 3000 computers.” In December 2020, according to the agency, another user wrote, “We have been working with this product for over a month now, we have a good profit! Best support I’ve met.”
After speaking with one of Zagala’s relatives in Florida, federal agents said they believe the doctor taught himself computer programming. Although he remains in Venezuela, he faces up to a decade in prison if he is captured and brought back to the U.S.