The US wants to arrest a heart doctor in Venezuela for allegedly moonlighting as a ransomware developer.
On Monday, the Justice Department unsealed a criminal complaint against 55-year-old Moises Luis Zagala Gonzalez that claims he’s the author behind two ransomware strains called Jigsaw v.2 and Thanos. According to federal investigators, Zagala not only sold and rented out the ransomware tools to cybercriminals starting in 2019, but also taught them how to use the programs.
“Zagala provides extensive customer service along with his software, counseling his customers about how most effectively to use his software against their victims,” the criminal complaint reads.
The FBI claims Zagala created a 2.0 version of the Jigsaw ransomware that was designed to update the older ransomware program, which had been created by others. He also developed a ransomware creation tool dubbed Thanos after the Marvel supervillain.
The features of Thanos include customizing the ransom note, selecting which files the ransomware should encrypt and various options to help mask the malicious code from antivirus detection.
Zagala sold Thanos by renting out the tool through a licensing model. He also created an affiliate program around Thanos, which involved letting a cybercriminal use the tool in exchange for a share of profits from each successful ransomware attack.
Zagala advertised Thanos in various online forums used by cybercriminals. “In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that ‘once encryption is done,’ the ransomware would ‘delete itself,’ making detection and recovery ‘almost impossible’ for the victim,” the Justice Department added.
The FBI’s criminal complaint says at least 38 copies of the Thanos tool were sold. At one point, Zagala also boasted about how an Iranian state-sponsored hacking group had used Thanos to attack Israeli companies.
However, the FBI was able to identify Zagala by investigating how he was accepting payments from cybercriminals who bought access to the Thanos tool. This led the FBI to uncover a PayPal account and a cryptocurrency account that were allegedly registered to Zagala’s name, Gmail address, residence in Venezuela and his Venezuelan driver’s license.
Zagala’s current whereabouts are unclear. But the FBI requested the court issue an arrest warrant for him back in March. The criminal complaint also notes Zagala has made multiple trips to the US before. “If convicted, the defendant faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions,” the Justice Department added.