Medical Doctor Accused of Developing Thanos Ransomware Builder 

A cardiologist turned malware developer is accused of creating the Thanos ransomware builder. According to a US criminal complaint unsealed on Monday, Moises Luis Zagala Gonzalez, 55, a citizen of France and Venezuela who lives in Ciudad Bolivar, Venezuela, is charged with attempted computer intrusion and conspiracy to commit computer intrusions. 

Zagala is accused of selling and leasing ransomware he built to other criminals. According to US prosecutors, he is also suspected of teaching would-be attackers how to use his products to extort victims, and of boasting about successful attacks carried out with them. 

The self-taught, part-time programmer is accused of creating multiple ransomware tools: malicious programs that encrypt files on infected devices and then demand large payments in return for a decryption key. According to the Department of Justice, Zagala first created a ransomware tool called ‘Jigsaw v.2’ and later built a more advanced private ransomware builder dubbed Thanos, a reference to either the Marvel supervillain or the Greek mythological figure ‘Thanatos.’ 

The Thanos platform can be used to build customised ransomware with unique ransom notes, features intended to hinder security researchers, and a “data stealer” function for exfiltrating files from infected systems. Zagala is accused of profiting from the ransomware-as-a-service (RaaS) operation by licensing his software to other hackers and taking payment in cryptocurrency or fiat currency. His alleged ransomware products and services were advertised on internet forums frequented by cybercriminals. 

The Department of Justice said investigators were able to identify Zagala as a suspect thanks to a series of operational security (OpSec) errors. An undercover FBI agent allegedly purchased a Thanos license from Zagala in September 2020 and downloaded the malware. The DoJ affidavit also states that an FBI informant discussed with Zagala the idea of setting up an affiliate scheme using Thanos. Zagala is further believed to have boasted publicly that an Iranian state-sponsored hacking group used Thanos to attack Israeli firms. 

The Thanos software was designed to contact a server in Charlotte, North Carolina, at regular intervals to verify its license. That server appears to be tied to Zagala. Furthermore, on May 3, 2022, law enforcement contacted a Florida-based relative of Zagala, who confirmed that Zagala used the relative’s PayPal account to receive illicit payments. 

According to the Department of Justice, the relative communicated with Zagala through an email account that matched the registered email address for malicious infrastructure connected with the Thanos malware. Prosecutors have not said how much money Zagala earned from his alleged activities. If found guilty, he faces up to five years in prison for attempted computer intrusion and a further five years for conspiracy to commit computer intrusions. 

About the author

CIM Team