US authorities have accused a 55-year-old doctor of developing, selling and renting out ransomware to cyber-criminals worldwide.
Moises Luis Zagala Gonzalez (Zagala), aka “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” is a French and Venezuelan citizen.
The cardiologist, who lives in Ciudad Bolivar in Venezuela, has been charged with attempted computer intrusions and conspiracy to commit computer intrusions, according to the Department of Justice (DoJ).
He’s accused of developing the Jigsaw v2 variant, which features a “Doomsday” counter that completely erases a victim’s hard drive if they try to remove the malware too many times.
Zagala is also linked to Thanos, a ransomware-as-a-service (RaaS) offering that lets clients customize the malware and then either use it themselves or rent it out to others. Affiliates were given access to the RaaS builder in return for a share of the profits from any subsequent attacks, the DoJ said.
The doctor reportedly spent considerable time talking customers through how to use his products online, receiving payment in both fiat and cryptocurrency. A Floridian relative’s PayPal account was used to receive some funds, it is alleged.
A confidential FBI source contacted Zagala in May 2020, and he offered to license a ransomware program to them for $500 per month. In a subsequent conversation, he allegedly explained to the source how to set up an affiliate program.
He told another FBI source that he changed his online moniker to Nebuchadnezzar in a bid to throw malware analysts off the scent.
According to reviews posted on the dark web and republished by the DoJ, one customer said Thanos enabled them to infect a network of 3,000 computers.
When FBI agents interviewed the relative living in Florida, they were apparently shown contact information for Zagala that matched an email used to register malicious infrastructure associated with the Thanos malware.
It’s unclear if Zagala is still at large, but if convicted, he faces five years’ imprisonment for attempted computer intrusion and another five years for conspiracy to commit computer intrusions.