A 55-year-old Venezuelan cardiologist has been charged in the US over allegedly being the mastermind behind the Jigsaw and Thanos ransomware operations.
Charges against Moises Luis Zagala Gonzalez were unsealed in federal court in Brooklyn, New York, on Monday and concern his alleged use and sale of ransomware, in addition to his support of and profit-sharing with other cyber criminals.
What is ransomware? The most popular ransomware strains targeting UK businesses How not to get hit by ransomware in 2022
Zagala resides in Ciudad Bolivar, Venezuela and also has citizenship in France. He is alleged to have created multiple high-profile ransomware tools in his spare time while primarily being a practising doctor.
A Federal Bureau of Investigation (FBI) source posed as a prospective cyber criminal and was able to discover how Zagala’s operation ran, how he generated multiple revenue streams, and how he ‘coached’ the cyber criminals into being more successful using the tools he created.
Zagala is alleged to have created the Jigsaw ransomware strain as well as the Thanos ‘ransomware builder’ - an application that allowed users to build their own ransomware program to be used alone or sold to the wider community.
The Thanos application presented users with a GUI and an assortment of checkboxes to enable and disable certain features so effective ransomware programs could be built with little technical knowledge.
Such features included a data stealer that allowed users to select which types of files were stolen from a victim, an anti-VM feature that prevented researchers from loading it into a virtual machine for analysis and a self-delete function that destroyed the program after its use had become exhausted.
Through the FBI’s source, the Bureau was able to understand how Thanos was sold through two licensing models.
Prospective users could either pay a single up-front fee for a limited license and have access to the program for a set time, or enrol into an affiliate program which saw the user receive a lifetime license in return for giving Zagala a portion of the profit generated from the ransomware it created.
The Depart of Justice (DoJ) said Zagala owned a server in Charlotte, North Carolina that checked if a user’s license was valid or not.
After the FBI source request to join Zagala’s affiliate program was refused as there weren’t enough open places at the time, but Zagala offered to license Thanos for $500 per month with basic options, or $800 per month with full functionality.
There were only a maximum of 10-20 spots available on Zagala’s affiliate program at any one time, and sometimes as few as five, he said, according to the DoJ’s official complaint.
Thanos was advertised on “various” cyber crime forums and the listings were accompanied by Zagala’s claims that the ransomware software Thanos generated was nearly undetectable by anti-virus programs and due to the encryption and self-deletion functionality, recovery was almost impossible for victims.
Conversations between Zagala and the FBI source revealed that he would instruct buyers on how to craft ransom notes, steal passwords, and set Bitcoin addresses to receive payment.
Zagala would take time to explain exactly how the software works and encourage happy customers to leave positive reviews of which there were many, with some claiming to have made good profit after infecting thousands of computers.
RELATED RESOURCE
The Total Economic Impact™ of Mimecast
Cost savings and business benefits enabled by using Mimecast with Microsoft 365
FREE DOWNLOAD
Zagala even spent time explaining to the source how to set up a successful ransomware organisation and establish an affiliate program of their own before offering an additional free two-week license after the source’s one-month trial ended, telling the source “because one month is too little for this business… sometimes you need to work a lot to get good profit”.
“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” said Breon Peace, United States Attorney for the Eastern District of New York.
“Combating ransomware is a top priority of the Department of Justice and of this Office,” he added. “If you profit from ransomware, we will find you and disrupt your malicious operations.”
If convicted, Zagala will face a maximum of ten years in US prison - five years for attempted computer intrusion, and a further five for conspiracy to commit computer intrusions.
-
OpenAI just revealed what people really use ChatGPT forNews More than 70% of ChatGPT queries have nothing to do with work, but are personal questions or requests for help with writing.
-
Nearly 700,000 customers impacted after insider attack at US fintech firmNews FinWise, which provides loans on behalf of US financial services firms, revealed a former employee accessed sensitive customer information after leaving the firm.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
