Venezuelan cardiologist charged with 'designing and selling ransomware'
If his surgery was as bad as his opsec, this chap has caused a lot of trouble, allegedly
The US Attorney’s Office has charged a 55-year-old cardiologist with creating and selling ransomware and profiting from revenue-share agreements with criminals who deployed his product.
A complaint [PDF] filed on May 16th in the US District Court, Eastern District of New York, alleges Moises Luis Zagala Gonzalez – aka “Nosophoros,” “Aesculapius” and “Nebuchadnezzar” – created a ransomware builder known as “Thanos”, and ransomware named “Jigsaw v. 2”.
The self-taught coder and qualified cardiologist advertised the ransomware in dark corners of the web, then licensed it ransomware to crooks for either $500 or $800 a month, it is claimed. He also ran an affiliate network that offered the chance to run Thanos to build custom ransomware, in return for a share of profits, it is alleged.
The accused holds French and Venezuelan nationality but lives in the latter nation, from where he operated under the name “Zagala” and used the email address moiseszagala [at] gmail [dot] com to communicate with customers, it is claimed. He also allegedly used the Jabber XMPP chat service to talk with prospective customers – including some undercover FBI operatives.
During those chats, Zagala allegedly offered to sell his ransomware and explained his preference to target organisations that lacked backups, but that exfiltrating data was another route to a score if data could not be encrypted.
Those chats also revealed that Zagala had a generous side to his nature: he offered one customer two free weeks’ use of his wares so their ransomware gang could properly infect victims, according to prosecutors.
- Kasten by Veeam adds ransomware detection to K10 data management platform
- Shopping for malware: $260 gets you a password stealer. $90 for a crypto-miner...
- Ransomware the final nail in coffin for small university
- Fresh ransomware samples indicate REvil is back
Thanos appears to have been reasonably sophisticated: it could detect and evade antivirus software, was aware of when it was being run in a virtual machine and could self-delete.
Zagala’s opsec was less impressive, according to Uncle Sam. Not only did his email address include his name, but his ransomware also contacted a licensing server located in North Carolina so was within easy reach of US investigators, it is alleged. He also chatted in open Jabber channels, we're told.
And while he sought payment in cryptocurrencies, which offer some degree of anonymity, Zagala funneled some funds to a PayPal account operated by his brother, a Florida resident, it is claimed. US authorities said they visited Zagala’s brother on May, 2022, and he revealed the email address he used to contact Zagala – which was the same one offered as a tech support contact in the Thanos ransomware builder.
Which brings us to the Monday announcement of charges being filed against the cardiologist.
The United States asserts [PDF] that it has an extradition treaty with Venezuela, but that agreement was ratified in 1923. Venezuela’s government today is not kindly disposed to the USA, to say the least. The Register suggests getting Zagala into a stateside courtroom will not be easy.
Breon Peace, United States Attorney for the Eastern District of New York, was nonetheless chuffed to have filed charges against the cardiologist.
“Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations,” he stated. ®