Cardiologist moonlights as ransomware mastermind

SPECIAL SERIES: U.S. charges Venezuelan doctor for running a ransomware syndicate. He takes PayPal.

June 7, 2022

The U.S. has charged a cardiologist in Venezuela with running a global ransomware syndicate in which he sold criminals the malware and even trained them in its use. He also asked his cybercriminal customers to leave him positive online reviews.

Moises Luis Zagala Gonzalez, 55, created and sold ransomware tools, licensed the software, offered customer support, and ran an affiliate program for cybercriminals, according to a criminal complaint filed by the U.S. Attorney's Office for the Eastern District of New York.

In a ransomware attack, malware deployed inside a computer network encrypts the victim's data, making it inaccessible to users. Victims are told they must pay a ransom to receive the decryption key.

Zagala, who also holds French citizenship, seemingly had a flair for the dramatic: He went by the pseudonyms Nosophoros (Greek for "disease-bearer"), Aesculapius (the Latin name of the Greek god of medicine), and Nebuchadnezzar (king of the Neo-Babylonian empire).

He allegedly created two ransomware tools, Jigsaw v.2 and Thanos, to sell or rent out to hackers. In detailed chats with customers, he would walk them through the process of using his ransomware, earning him glowing online reviews. The Thanos name evokes both the Marvel movie character who wiped out half of all life in the universe and Thanatos, the figure in Greek mythology associated with death.

Jigsaw v.2 is the latest version of a ransomware program that included a "Doomsday" counter, which tracked how many times the victim attempted to remove the ransomware. If the count grew too high, the software would erase the entire hard drive on the reasoning that the victim clearly would not pay, according to the DOJ.

Thanos was advertised as a private ransomware builder that let cybercriminals write their own ransom note, hide the malicious code from antivirus programs, steal passwords, and select which files to attack. Zagala also claimed the ransomware was almost undetectable by antivirus programs and that it would delete itself once encryption was complete.

Figure 1: User interface for the Thanos ransomware (Image credit: DOJ)

Thanos users could pay Zagala in two ways: buy a license for a certain period or through an “affiliate program” in which Zagala gained a share of their profits with each successful attack. He accepted payments in Bitcoin, Monero, and fiat currency through PayPal.

One cybercriminal reviewer wrote in Russian, "We have been working with this product for over a month now, we have a good profit! Best support I've met." Zagala was open about his activities, even linking to a news story about the use of Thanos by an Iran-sponsored hacking group to attack Israeli companies.

An FBI informant was offered a license to the ransomware for $500 a month with "basic options" or $800 a month with "full options." Last month, law enforcement interviewed a relative of Zagala's in Florida whose PayPal account the cardiologist had used to receive illicit proceeds.

The Venezuelan resident faces up to five years in U.S. prison for "attempted computer intrusion" and a further five years for "conspiracy to commit computer intrusions."

“Combating ransomware is a top priority of the Department of Justice and of this office. If you profit from ransomware, we will find you and disrupt your malicious operations,” said Breon Peace, United States Attorney for the Eastern District of New York. 

The U.S. has an extradition treaty with Venezuela but withdrew its recognition of Nicolas Maduro after accusing him of cheating to win the 2018 presidential election. It has also placed sanctions on the country and on certain individuals. The U.S. recognizes his political opponent, Juan Guaido, as the country's legitimate interim leader.

Figure 2: Adversaries and their nation-state affiliations (Source: 2022 Global Threat Report by CrowdStrike)
