FBI charges Venezuelan doctor with using, selling ‘Thanos’ ransomware
The FBI announced charges Monday against a Venezuelan cardiologist who the bureau said was moonlighting as a cybercriminal mastermind, both designing and using ransomware that he bragged was deployed by Iranian state-sponsored hackers.
Moises Luis Zagala Gonzalez, who also went by the user names “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” is being charged with attempted computer intrusions and conspiracy to commit computer intrusions.
According to the complaint unsealed Monday, Zagala sold and rented out his ransomware software, providing cybercriminals with extensive training on how to use his product and even set up their own ransomware gangs.
One of his tools, titled “Thanos,” allowed users to create their own custom ransomware for a licensing fee of up to $800 a month. Another product, called “Jigsaw v. 2,” had a built-in “Doomsday” counter feature that erased a victim’s hard drive after multiple attempts to remove the ransomware.
Zagala’s products were widely praised by customers. One customer claimed in an online forum he used the Thanos software to infect 3,000 computers. Another Russian user praised Zagala’s customer support: “We have been working with this product for over a month now, we have a good profit! Best support I’ve met.”
Zagala was also active on forums and discussed attacks that used his software, including an alleged attack by an Iranian state-sponsored group against Israeli companies.
Law enforcement agents were able to track Zagala down through a relative whose PayPal account he used to receive proceeds from his services.
“Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations,” Breon Peace, U.S. Attorney for the Eastern District of New York, said in a statement.
Zagala faces up to five years on each charge.
CyberScoop could not immediately track down an attorney for Zagala.