US prosecutors have charged a Venezuelan cardiologist with developing and selling ransomware that was used by Iranian state-sponsored hacking groups. Moises Luis Zagala Gonzalez, 55, a self-taught programmer who went by the handles “Aesculapius,” “Nebuchadnezzar,” and “Nosophoros,” created a ransomware builder called “Thanos” and a ransomware tool called “Jigsaw v.2.”
Zagala advertised his products on dark web forums and markets and sold them to cybercriminals for up to $800 a month. According to a criminal complaint unsealed on May 16 in US District Court, he both sold and rented out his ransomware and gave buyers extensive guidance on setting up their own ransomware operations and using his tools effectively.
Thanos, the builder, was a comparatively sophisticated tool: according to the complaint, it was designed to evade antivirus detection, to detect when it was running inside a virtual machine (a common sign of a malware analysis sandbox), and to remove itself with a self-destruct module so that little evidence of the infection remained. Jigsaw v.2 shipped with a “Doomsday” counter that would wipe a victim’s hard drive after repeated attempts to remove the ransomware from the compromised machine, a feature meant to punish recovery efforts and pressure victims into paying.
Although the tooling was impressive for a self-taught programmer, Zagala’s operational security was poor. Investigators identified him in part by tracing a PayPal account belonging to his brother, through which he had routed some of the proceeds of the operation.
His email address included his real name, and the ransomware he sold phoned home to a licensing server hosted in North Carolina, which put both the server and its logs within easy reach of US investigators. Zagala also communicated with his customers over Jabber, giving investigators a further trail to follow. It is unclear whether he was simply careless about covering his tracks or was trying to hide in plain sight. Zagala now faces up to five years in prison on each count.