A French-Venezuelan cybercriminal named Moises Luis Zagala Gonzalez had been detained for forming two ransomware strains dubbed Thanos and Jigsaw version 2. The US DoJ disclosed the report about Zagala, a cardiologist, who successfully conducted hackings alongside ransomware development to be sold to other cybercriminals.
The law enforcement agency also added that Zagala’s crimes are punishable by up to five years for his hacking activities and another five years for being a conspirator in committing computer intrusions.
The cybercriminal cardiologist used several nicknames during his malicious operations, including ‘Nosophoros,’ ‘Nebuchadnezzar,’ and ‘Aesculapius.’
Zagala has designed several tools that facilitate ransomware criminals in their attack campaigns. According to authorities, the cardiologist began his operation in aiding cybercrime in 2019, offering extensive customer service, such as guiding threat actors on using the malicious tools efficiently.
The accused was also associated with helping Iranian-based threat actors and showed off several successful attacks with the help of his services.
The FBI’s analysis of Zagala’s works revealed that he had developed the Jigsaw ransomware’s second version by updating its older package made by a separate malicious actor. Aside from the Jigsaw version 2, the cardiologist also designed the Thanos ransomware.
Jigsaw’s second version is useful for threat operators to spy on their victims’ attempts to remove an injected malware. If the victims would try to delete the malware on their devices in a maximum number of tries, it will trigger the deletion of the victims’ entire hard drive. A decryptor for the Jigsaw version 2 was already released in 2019.
On the other hand, the features of the Thanos ransomware include sending ransom notes to the victims’ computers and choosing specific files to be encrypted. Furthermore, Thanos ransomware can also bypass anti-virus software to hide from detection.
During a probe in the dark web, experts have seen Zagala promoting Thanos ransomware in underground marketplaces using his nicknames. Once the ransomware has been injected into its targeted machine, it will immediately encrypt the files it needs and will delete itself afterwards, thus being able to evade detection and make victims’ data recovery impossible.
The malicious actions of the cybercriminal cardiologist had motivated the law enforcement agency to put proper sanctions against him, stating that combating all cybercrime operations is their top priority, alongside putting all threat conspirators in their rightful places.
