US accuses doctor of designing ransomware

A physician in Venezuela has been accused by the US Department of Justice (DOJ) of moonlighting – as a designer and seller of ransomware named after the ancient Greek god of death.

Moises Luis Zagala Gonzalez, 55, referred to simply as Zagala in court papers when not identified by his colorful internet aliases, is accused by the DOJ of having developed an off-the-shelf ransomware builder called Thanos – believed to be a reference to Thanatos, the Greek personification of death – and sold it to threat actors, including some affiliated with Iran.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem, trained the attackers to extort victims, and then boasted about successful attacks,” said Breon Peace, US Attorney for the Eastern District of New York.

Zagala, who also goes by the nicknames Aesculapius – another Greek deity, associated with healing – and Nebuchadnezzar, after the great Babylonian king, allegedly developed multiple tools used by ransomware gangs to extort companies and other organizations.

His lessons apparently extended to teaching cybercriminals the value of ruthlessness when dealing with recalcitrant victims who tried to fight back by erasing or “killing” ransomware.

“If the user kills the ransomware too many times, then its [sic] clear he won’t pay, so better erase the whole hard drive,” he wrote in one post about an early tool, Jigsaw, which came equipped with a “Doomsday” feature enabling the nuclear option.

Scaling up the business

Thanos differed from its predecessors in that it allowed crooks to tailor their own ransomware, which they could then either use themselves or rent out to other threat actors.

Zagala’s business acumen was further evidenced by enticing payment plans offered to his criminal clientele. Options included licensing the malware for a fee, or else agreeing to become an “affiliate” – in which case use of Thanos was granted for free in exchange for a cut of the illicit profits. Zagala took payments in both fiat money and cryptocurrency, in the latter case preferring Monero or Bitcoin.

Zagala’s products were favorably reviewed by the cybercriminal fraternity on dark web forums. “I bought the ransomware and it is very powerful,” enthused one client, claiming to have used Thanos to infect 3,000 computers.

Another praised Zagala’s “customer support” and boasted of “good profit” after using Thanos for just one month. The death doctor of ransomware himself was not slow to brag online either, publicly linking to news stories about Thanos’s use by Iranian-backed threat actors against Israeli firms.

Brought to light – but not to justice

In September 2020, an FBI source posing as a customer purchased a license for Thanos, allowing the US to move forward with its case. Zagala is charged with attempted computer intrusion and conspiracy to commit computer intrusions; if arrested and convicted, he faces up to five years in prison on each count.

However, given the fractious relations between the US and Venezuela, it is unclear whether an arrest will ever happen. An extradition treaty between the two countries dates back to 1922, but Venezuela is unlikely to honor it while the current geopolitical tensions persist.
