The US Attorney’s Office has charged a 55-year-old cardiologist with creating and selling ransomware and profiting from revenue-share agreements with criminals who deployed his product.
A complaint [PDF] filed on May 16th in the US District Court, Eastern District of New York, alleges that Moises Luis Zagala Gonzalez – aka “Nosophoros,” “Aesculapius” and “Nebuchadnezzar” – created a ransomware builder known as “Thanos”, and ransomware named “Jigsaw v. 2”.
The self-taught coder and qualified cardiologist advertised the ransomware in dark corners of the web, then licensed it to crooks for either $500 or $800 a month. He also ran an affiliate network that offered the chance to use Thanos to build custom ransomware, in return for a share of profits.
The accused holds French and Venezuelan nationality but lives in the latter nation, from where he operated under the name “Zagala” and used the email address firstname.lastname@example.org to communicate with customers. He also used the Jabber XMPP chat service to talk with prospective customers – including some undercover FBI operatives.
During those chats, Zagala allegedly offered to sell his ransomware and explained that he preferred to target organisations that lacked backups, adding that exfiltrating data was another route to a score if the data could not be encrypted.
Those chats also revealed that Zagala had a generous side to his nature: he offered one customer two free weeks’ use of his wares so their ransomware gang could properly infect victims.
Thanos appears to have been reasonably sophisticated: it could detect and evade antivirus software, was aware of when it was being run in a virtual machine and could self-delete.
Zagala’s opsec was less impressive. Not only did his email address include his name, but his ransomware also contacted a licensing server located in North Carolina so was within easy reach of US investigators. He also chatted in open Jabber channels.
And while he sought payment in cryptocurrencies, which offer some degree of anonymity, Zagala funnelled some funds to a PayPal account operated by his brother, a Florida resident. US authorities visited Zagala’s brother on May 3rd, 2022, and he revealed the email address he used to contact Zagala – which was the same one offered as a tech support contact in the Thanos ransomware builder.
Which brings us to the Monday announcement of charges being filed against the cardiologist.
The United States asserts [PDF] that it has an extradition treaty with Venezuela, but that agreement was ratified in 1923. Venezuela’s current government is not kindly disposed to the USA, to say the least. The Register suggests that getting Zagala into a stateside courtroom will not be easy.
Breon Peace, United States Attorney for the Eastern District of New York, was nonetheless chuffed to have filed charges against the cardiologist.
“Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations,” he stated. ®