The US Attorney’s Office has charged a 55-year-old cardiologist with creating and selling ransomware and profiting from revenue-sharing deals with criminals who deployed his product.
A complaint [PDF] filed May 16 in the U.S. District Court for the Eastern District of New York alleges that Moises Luis Zagala Gonzalez — aka “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar” — created a ransomware builder known as “Thanos” and ransomware named “Puzzle v. 2”.
The self-taught coder and trained cardiologist advertised the ransomware in the dark corners of the web, then licensed it to scammers for $500 or $800 a month. He also ran an affiliate network that offered the ability to run Thanos to create custom ransomware, in exchange for a share of the profits.
The accused is of French and Venezuelan nationality but lives in the latter nation, from where he operated under the name “Zagala” and used the email address [email protected] to communicate with customers. He also used the Jabber XMPP chat service to talk with potential clients, including undercover FBI agents.
During these discussions, Zagala allegedly offered to sell his ransomware and explained that he preferred to target organizations that lacked backups, adding that if a victim's data could not be encrypted, exfiltrating it and threatening to leak it was another route to a payout.
These discussions also revealed that Zagala had a generous side to his nature: he offered a customer two weeks of free use of his wares so that their ransomware gang could properly infect victims.
Thanos appears to have been reasonably sophisticated: the ransomware it produced could detect and evade antivirus software, recognize when it was running in a virtual machine, and delete itself after execution.
Zagala’s opsec was less impressive. Not only did his email address include his name, but his ransomware also contacted a license server located in North Carolina, placing the server within easy reach of US investigators. He also chatted on open Jabber channels.
And while seeking payment in cryptocurrencies, which offer a degree of anonymity, Zagala funneled funds to a PayPal account operated by his brother, a Florida resident. US authorities visited Zagala’s brother on May 3, 2022 and he revealed the email address he used to contact Zagala – which was the same one offered as a technical support contact in the builder of Thanos ransomware.
Which brings us to Monday’s announcement of charges against the cardiologist.
The United States affirms [PDF] that it has an extradition treaty with Venezuela, but that agreement was ratified in 1923. The current government of Venezuela is not well disposed towards the United States, to say the least. The Register suggests that getting Zagala into a courtroom in the United States won’t be easy.
Breon Peace, United States Attorney for the Eastern District of New York, was nevertheless pleased to have filed the complaint against the cardiologist.
“Fighting ransomware is a top priority for the Department of Justice and this Office. If you take advantage of ransomware, we will find you and disrupt your malicious operations,” he said. ®