US names and shames Venezuelan doctor as notorious ransomware maker

The U.S. has named a Venezuelan cardiologist as the alleged mastermind behind the notorious Thanos ransomware.

According to the U.S. Justice Department, Moises Luis Zagala Gonzalez, 55, created and distributed the Thanos software, a ransomware-as-a-service (RaaS) operation that allowed its users to create and deploy their own ransomware variants.

Zagala allegedly sold and rented out the ransomware tools to cybercriminals starting in 2019 and even taught cybercriminals how to use the tools, according to the indictment, coaching threat actors on how to design a ransom note, steal passwords from victim computers and set a bitcoin address for ransom payments. “Zagala provides extensive customer service along with his software, counseling his customers about how most effectively to use his software against their victims,” the indictment says. The FBI said that at least 38 copies of the Thanos tool were sold.

Zagala also publicly discussed how his customers used his tools in ransomware attacks, even posting links to news stories about the use of Thanos by an Iranian-state sponsored hacking group to attack Israeli companies. One of the linked reports detailed how the ransomware was used by the MuddyWater hacking group, which U.S. Cyber Command earlier this year linked to Iranian intelligence.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” said Breon Peace, the U.S. attorney for eastern New York, where the case was filed.

In addition to creating Thanos, Zagala is accused of creating “Jigsaw v. 2,” a ransomware tool that included a so-called “Doomsday counter” that kept track of how many times victims had tried to remove the malware. “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Zagala wrote, according to the DOJ, adding that 1,000 files would be deleted every time a victim reboots their system.

Zagala’s products were well-regarded among cybercriminals, from which he would request reviews. The DOJ said it found several reviews for his products that touted their effectiveness. One reviewer said they used Zagala’s products to “infect a network of approximately 3,000 computers” and another user wrote in Russian that they had made “good profit” after a month of using the ransomware tools.

The FBI was able to identify Zagala after interviewing a relative whose PayPal account was used to receive illicit profits.

Zagala — who remains in Venezuela — faces up to 10 years in prison for attempted computer intrusions and conspiracy charges if brought to justice in the United States. The indictment is part of the Justice Department’s efforts in recent years to “name and shame” cyberattackers who are outside of U.S. jurisdiction.