A Venezuelan cardiologist has been charged by the US Justice Department as the “mastermind” who created more than one dangerous strain of malware.
Individuals being prosecuted for creating and distributing ransomware is rare, but this hasn’t stopped the DoJ from accusing the doctor, Moises Luis Zagala Gonzalez, of conspiracy to commit computer intrusions.
The charges relate in part to the doctor’s “private ransomware builder.” The rise of ransomware-as-a-service is a reminder of the importance of ensuring your business is equipped with antivirus software that includes ransomware protection.
Culprit Caught and Charged
Moises Luis Zagala Gonzalez – the cardiologist in question – is alleged to have produced ransomware used in a number of ultimately successful attacks on businesses.
The 55-year-old, also known by aliases such as “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar,” is a citizen of both Venezuela and France.
According to a statement released by the Department of Justice, Zagala “profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks,” and further “trained the attackers about how to extort victims.”
Officials alleged that he also “boasted about successful attacks, including by malicious actors associated with the government of Iran”.
Zagala’s Movie-Inspired Maliciousness
The most significant piece of malicious code Zagala is said to have created and distributed was “Jigsaw v. 2,” a strain of ransomware that has been in circulation since 2016.
According to the DoJ, Jigsaw v. 2 included a counter that kept track of how many times a user attempted to remove the ransomware. It was notorious for injecting a sense of urgency and distress into victims' decision-making, reminiscent of the eponymous antagonist from the Saw horror movie franchise.
Although there are still many questions to answer, one certainty is that Zagala is quite the movie buff – he also developed a private ransomware builder named after Marvel supervillain Thanos.
Thanos allows amateur ransomware builders to build their own ransomware from scratch and subsequently deploy it or rent it out to other people.
An Insight into Ransomware-as-a-Service
The Thanos ransomware builder included a place for “recovery information,” where a custom ransom note could be readied, and an area to specify what type of files you want to steal.
There was also an “anti-VM” option. VM stands for “virtual machine” – a computer system created in software that emulates most of the components and functions of a physical computer built from hardware.
Virtual machines are often used by security researchers as testing environments for ransomware and other malware, so commercially available ransomware built to recognise such an environment and behave differently inside it is a concerning development.
Zagala’s ‘customers’ were able to obtain the malicious software through two avenues – either they could buy a license for a period of time, or they could join an “affiliate” program in which Zagala would hand over the software but take a cut of the proceeds from any ransomware attack orchestrated with it.
If the software was simply licensed, then a connection to a server in North Carolina would be maintained to confirm an active license.
Protecting Your Business from Ransomware
The threat of ransomware is scary, present, and growing at a concerning speed – and if your business isn't protected, then you're effectively a sitting duck. With the proliferation of ransomware-as-a-service, the barrier to entry for threat actors has never been lower. Some programs can be purchased and require less technical knowledge than the ones discussed in this article.
Fortunately, there's good and bad software in this world, and there are ample ways you can protect yourself from threats. We'd recommend starting with antivirus software, particularly programs produced by providers that offer ransomware protection.
Pair this with a data security protocol and a ransomware incident response plan that everyone in your company understands, and you'll be in a much better place when it comes to protecting your sensitive information from threat actors.