IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

US indicts heart doctor for allegedly spearheading high-profile ransomware operations

The 55-year-old cardiologist profited from a ransomware side hustle and coached would-be hackers in using his tools for maximum rewards

A 55-year-old Venezuelan cardiologist has been charged in the US over allegedly being the mastermind behind the Jigsaw and Thanos ransomware operations.

Charges against Moises Luis Zagala Gonzalez were unsealed in federal court in Brooklyn, New York, on Monday and concern his alleged use and sale of ransomware, in addition to his support of and profit-sharing with other cyber criminals.

Zagala resides in Ciudad Bolivar, Venezuela and also has citizenship in France. He is alleged to have created multiple high-profile ransomware tools in his spare time while primarily being a practising doctor.

A Federal Bureau of Investigation (FBI) source posed as a prospective cyber criminal and was able to discover how Zagala’s operation ran, how he generated multiple revenue streams, and how he ‘coached’ the cyber criminals into being more successful using the tools he created.

Zagala is alleged to have created the Jigsaw ransomware strain as well as the Thanos ‘ransomware builder’ - an application that allowed users to build their own ransomware program to be used alone or sold to the wider community.

Screenshot of the Thanos application

Screenshot of the Thanos application

The Thanos application presented users with a GUI and an assortment of checkboxes to enable and disable certain features so effective ransomware programs could be built with little technical knowledge.

Such features included a data stealer that allowed users to select which types of files were stolen from a victim, an anti-VM feature that prevented researchers from loading it into a virtual machine for analysis and a self-delete function that destroyed the program after its use had become exhausted.

Through the FBI’s source, the Bureau was able to understand how Thanos was sold through two licensing models.

Prospective users could either pay a single up-front fee for a limited license and have access to the program for a set time, or enrol into an affiliate program which saw the user receive a lifetime license in return for giving Zagala a portion of the profit generated from the ransomware it created.

The Depart of Justice (DoJ) said Zagala owned a server in Charlotte, North Carolina that checked if a user’s license was valid or not.

After the FBI source request to join Zagala’s affiliate program was refused as there weren’t enough open places at the time, but Zagala offered to license Thanos for $500 per month with basic options, or $800 per month with full functionality.

There were only a maximum of 10-20 spots available on Zagala’s affiliate program at any one time, and sometimes as few as five, he said, according to the DoJ’s official complaint.

Thanos was advertised on “various” cyber crime forums and the listings were accompanied by Zagala’s claims that the ransomware software Thanos generated was nearly undetectable by anti-virus programs and due to the encryption and self-deletion functionality, recovery was almost impossible for victims.

Conversations between Zagala and the FBI source revealed that he would instruct buyers on how to craft ransom notes, steal passwords, and set Bitcoin addresses to receive payment. 

Zagala would take time to explain exactly how the software works and encourage happy customers to leave positive reviews of which there were many, with some claiming to have made good profit after infecting thousands of computers.

Related Resource

The Total Economic Impact™ of Mimecast

Cost savings and business benefits enabled by using Mimecast with Microsoft 365

Total economic impact of Mimecast - whitepaper from MimecastFree download

Zagala even spent time explaining to the source how to set up a successful ransomware organisation and establish an affiliate program of their own before offering an additional free two-week license after the source’s one-month trial ended, telling the source “because one month is too little for this business… sometimes you need to work a lot to get good profit”.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” said Breon Peace, United States Attorney for the Eastern District of New York.

“Combating ransomware is a top priority of the Department of Justice and of this Office,” he added. “If you profit from ransomware, we will find you and disrupt your malicious operations.”

If convicted, Zagala will face a maximum of ten years in US prison - five years for attempted computer intrusion, and a further five for conspiracy to commit computer intrusions.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion
Hardware

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022