A cardiologist and alleged hacker and ransomware developer has been named in a criminal complaint filed in federal court in Brooklyn, New York.
According to a statement from the US Department of Justice (DOJ), 55-year-old Moises Luis Zagala Gonzalez, MD, is charged with creating and distributing ransomware with a “doomsday” clock and sharing in profits from ransomware attacks.
Zagala, also known as “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar,” is a citizen of France and Venezuela who currently lives in Ciudad Bolivar, Venezuela.
Breon Peace, US attorney for the Eastern District of New York, and Michael J. Driscoll, assistant director in charge of the FBI’s New York Field Office, announced the charges.
“As alleged, the multitasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” Peace said in the news release from DOJ.
“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users,” Driscoll said. “However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems — which is an incredibly vital step in stopping the next ransomware attack.”
Ransomware tools are malicious software that cybercriminals use to extort money from companies, nonprofits, and other institutions by encrypting their files and then demanding a ransom for the decryption keys.
One of Zagala’s early ransomware tools, called “Jigsaw v. 2,” had what Zagala described as a doomsday counter that kept track of how many times the user tried to remove the ransomware. “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Zagala wrote.
According to the DOJ, beginning in late 2019, Zagala began advertising a new tool as a “private ransomware builder,” which he called Thanos. The name appears to be in reference to a fictional villain responsible for destroying half of all life in the universe and to “Thanatos” from Greek mythology, who is associated with death.
Zagala’s Thanos software allows users to create their own unique ransomware software for personal use or to rent to other cybercriminals.
Zagala allegedly not only sold or rented out his ransomware tools to cybercriminals, but he also taught users how to deploy the tools, steal passwords from victim computers, and set up a Bitcoin address for ransom payments.
Zagala’s customers were happy with his products, the DOJ release notes. In a message posted in July 2020, one user said the ransomware was “very powerful” and claimed that he had used it to infect a network of roughly 3000 computers.
In December 2020, another user wrote a post in Russian: “We have been working with this product for over a month now, we have a good profit! Best support I’ve met.”
Earlier this month, law enforcement agents interviewed a relative of Zagala who lives in Florida and whose PayPal account was used by Zagala to receive illicit proceeds.
According to the DOJ, the relative confirmed that Zagala lives in Venezuela and had taught himself computer programming. The relative also showed agents contact information for Zagala that matched the registered email for malicious infrastructure associated with the Thanos ransomware.
Zagala, who remains in Venezuela, faces up to 10 years in prison for attempted computer intrusions and conspiracy charges if brought to justice in the United States.