Dept. of Justice Charge Doctor Behind Movie-Inspired Ransomware

The creator behind the "jigsaw" ransomware - as well as a ransomware builder called Thanos - bragged about its use online.
Aaron Drapkin

A Venezuelan Cardiologist has been charged by the US Justice Department as the “mastermind” that created more than one dangerous strain of malware.

Individuals being prosecuted for creating and distributing ransomware is rare, but this hasn’t stopped the DoJ from accusing Zagala of conspiracy to commit computer intrusions.

The charges are in part regarding the doctor’s “private ransomware builder.” The rise of ransomware-as-a-service is a reminder of the importance of ensuring your business is equipped with antivirus software with ransomware protection.

Culprit Caught and Charged

Moises Luis Zagala Gonzalez – the cardiologist in question – is alleged to have produced ransomware used in a number of ultimately successful attacks on businesses.

The 55-year-old, also known by aliases such as “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar,” is a citizen of both Venezuela and France.

According to a statement released by the Department of Justice, Zagala “profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks,” and further “trained the attackers about how to extort victims.”

Officials alleged that he also “boasted about successful attacks, including by malicious actors associated with the government of Iran”.

Zagala’s Movie-Inspired Maliciousness

The most significant piece of malicious code Zagala is said to have created and distributed was “Jigsaw v. 2” a strain of ransomware that’s been in circulation since 2016.

According to the DoJ, Jigsaw v. 2 included a counter that kept track of how many times a user attempted to remove the ransomware. It was notorious for injecting a sense of urgency and distress into victims' decision-making, reminiscent of the eponymous antagonist from the Saw horror movie franchise.

Although there are still many questions to answer, one certainty is that Zagala is quite the movie buff – he also developed a private ransomware builder named after Marvel supervillain Thanos.

Thanos allows amateur ransomware builders to build their own ransomware from scratch and subsequently deploy it or rent it out to other people.

An Insight into Ransomware-as-a-Service

The Thanos ransomware builder included a place for “recovery information,” where a custom ransom note could be readied, and an area to specify what type of files you want to steal.

There was also an “anti-VM” option. VM stands for “virtual machine” – a computer system created using software that can emulate most of the facets and functions of a physical computer constituted in hardware.

Virtual Machines are often used by security researchers as testing environments for ransomware and other malware, so commercially available ransomware that can break out of such an environment is a concerning development.

Zagala’s ‘customers’ were able to purchase the malicious software through two avenues – either they could buy a license for a period of time, or an “affiliate” program where Zagala would hand over the software but take a cut of the proceeds from any ransomware attack orchestrated with it.

If the software was simply licensed, then a link to a server in North Carolina would be maintained to confirm an active license.

Protecting Your Business from Ransomware

The threat of ransomware is scary, present, and growing at a concerning speed – and if your business isn't protected, then you're effectively a sitting duck. With the proliferation of ransomware-as-a-service, the barrier to entry for threat actors has never been lower. Some programs can be purchased and require less technical knowledge than the ones discussed in this article.

Fortunately, there's good and bad software in this world, and there are ample ways you can protect yourself from threats. We'd recommend starting with antivirus software, particularly programs produced by providers that offer ransomware protection.

Pair this with a data security protocol and ransomware incident response that everyone in your company understands, and you'll be in a much better place when it comes to protecting your sensitive information from threat actors.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals