Moises Luis Zagala, cardiologist by day, ransomware developer by night, has been charged by the US government for computer crimes.

The US has charged a 55-year-old French-Venezuelan cardiologist from Venezuela with “attempted computer intrusions and conspiracy to commit computer intrusions”. This was revealed in an unsealed complaint in a federal court in Brooklyn, New York.

Moises Luis Zagala Gonzales worked as a ransomware developer on the side, renting out and selling ransomware tools to cybercriminals. He is known by many names—all related to his line of work—in the criminal underground: “Nosophoros” (Greek for “disease-bearer” or “diseased”), “Aesculapius” (Greek God of Medicine and Doctors), and “Nebuchadnezzar” (famed Babylonian king responsible for conducting the first recorded clinical trial in history).

US Attorney Breon Peace, who announced the charges, said:

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran. Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations.”

Jigsaw v2 and Thanos are Zagala’s creations

Jigsaw made its first appearance in 2016. Initially called “BitcoinBlackmailer”, Jigsaw became a memorable ransomware strain in that it depicted Billy the Puppet, a macabre figure from the popular thriller franchise Saw.

The Jigsaw ransomware ransom note (Source: Marcelo Rivero | Malwarebytes)

Saw-inspired, Jigsaw puts pressure on victims to do what they’re told: Pay up now, or more of your files will be deleted every hour you delay. On top of this, it also has (in Zagala’s description) a “Doomsday” counter that counts the times a user attempts to terminate the ransomware.

“If the user kills the ransomware too many times, then it’s clear he won’t pay, so better erase the whole hard drive,” Zagala wrote about the tool.

The Thanos ransomware, Zagala’s second ransomware tool, was advertised as a “Private Ransomware Builder” in 2019. Presumably, he named it after a malevolent comic villain, who is based on “Thanatos”, the personification of death in Greek mythology.

The Thanos ransomware ransom note (Source: Marcelo Rivero | Malwarebytes)

Thanos allowed criminals to create their own unique ransomware strain, which they could then rent out to other criminals. Interested criminals could purchase a license for Thanos or join Zagala’s affiliate program, where he received a cut of the ransom payout.

The complaint alleged Zagala bragged that Thanos was “nearly undetected” by antivirus software. After encrypting all files, Thanos also deletes itself, making detection and recovery “almost impossible” for the victim.

MuddyWater, an Iranian APT, used Thanos ransomware to attack Israeli entities in September 2020. In June 2020, Hakbit, a Thanos offshoot, was used in attacks against pharmaceutical and healthcare sectors (among others) in Austria, Switzerland, and Germany.

“Malware analysts are all over me”

According to the FBI, Zagala began appearing online as “Nebuchadnezzar” because “malware analysts are all over me”.

Around May 3, 2022, law enforcement agencies conducted an interview with a relative of Zagala, who resides in Florida. Zagala used the PayPal account of this relative to receive his illicit ransomware earnings.

The relative provided details that proved helpful in deepening Zagala’s link to his ransomware activities as a creator and underground businessman. They revealed that Zagala taught himself computer programming. The contact details they had for Zagala also matched the registered email associated with Thanos infrastructure.

Zagala is facing up to ten years’ imprisonment if convicted.