According to a statement from the U.S. Department of Justice, 55-year-old Moises Luis Zagala Gonzalez, MD, is charged with creating and distributing ransomware with a “doomsday” clock and sharing in profits from ransomware attacks.
Dr. Zagala, also known as “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar,” is a citizen of France and Venezuela who currently lives in Ciudad Bolivar, Venezuela.
Breon Peace, U.S. attorney for the Eastern District of New York, and Michael J. Driscoll, assistant director in charge of the Federal Bureau of Investigaton’s New York Field Office, announced the charges.
“As alleged, the multitasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” Mr. Peace said in thefrom the DOJ.
“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use. Our actions today will prevent Zagala from further victimizing users,” Mr. Driscoll said. “However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems – which is an incredibly vital step in stopping the next ransomware attack.”
Ransomware tools are malicious software that cybercriminals use to extort money from companies, nonprofits, and other institutions by encrypting their files and then demanding a ransom for the decryption keys.
One of Dr. Zagala’s early ransomware tools, called “Jigsaw v. 2,” had what Dr. Zagala described as a doomsday counter that kept track of how many times the user tried to remove the ransomware. “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Dr. Zagala wrote.
According to the DOJ, beginning in late 2019, Dr. Zagala began advertising a new tool as a “private ransomware builder,” which he called Thanos. The name appears to be in reference to a fictional villain responsible for destroying half of all life in the universe and to “Thanatos” from Greek mythology, who is associated with death.
Dr. Zagala’s Thanos software allows users to create their own unique ransomware software for personal use or to rent to other cybercriminals.
Dr. Zagala allegedly not only sold or rented out his ransomware tools to cybercriminals, but he also taught users how to deploy the tools, steal passwords from victim computers, and set up a Bitcoin address for ransom payments.
Dr. Zagala’s customers were happy with his products, the DOJ release noted. In a message posted in July 2020, one user said the ransomware was “very powerful” and claimed that he had used it to infect a network of roughly 3,000 computers.
In December 2020, another user wrote a post in Russian: “We have been working with this product for over a month now, we have a good profit! Best support I’ve met.”
Earlier in May, law enforcement agents interviewed a relative of Dr. Zagala who lives in Florida and whose PayPal account was used by Dr. Zagala to receive illicit proceeds.
According to the DOJ, the relative confirmed that Dr. Zagala lives in Venezuela and had taught himself computer programming. The relative also showed agents contact information for Dr. Zagala that matched the registered email for malicious infrastructure associated with the Thanos ransomware.
Dr. Zagala, who remains in Venezuela, faces up to 10 years in prison for attempted computer intrusions and conspiracy charges if brought to justice in the United States.
A version of this article first appeared on.