Ransomware allegedly sold by a Venezuelan-French doctor would encrypt information on the computers that had been hacked, then the attackers would demand money to decrypt it
– Copyright AFP/File JEFF KOWALSKY
A French-Venezuelan cardiologist was accused Monday by the US of selling ransomware to cybercriminals and instructing them on how to extort money from the victims they hacked.
The Brooklyn district attorney’s office said Moises Luis Zagala, 55, who lives in the Venezuelan city of Ciudad Bolivar, “not only created and sold ransomware products to hackers, but also trained them in their use.”
It said the French-Venezuelan doctor “sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.”
The ransomware would encrypt information on the computers that had been hacked, then the attackers would demand money to decrypt it.
One of the first products developed by Zagala was a data hijacking program called “Jigsaw v. 2”, which had a “doomsday” counter that kept track of the times the user had tried to destroy it.
“If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Zagala instructed his clients, according to the US authorities.
In early 2019, Zagala began advertising his new tool on the web, a “Private Ransomware Builder” which he named “Thanos” after the Marvel Comics villain responsible for destroying the half of life in the universe, as well as Thanatos in Greek mythology, associated with death.
The “multi-tasking doctor,” as the Brooklyn DA described him, allowed criminals to either buy the program — and create their own customized ransom notes — or to join an “affiliate program” to gain access to the program in exchange for a share of the ill-gotten gains, which could be paid in cryptocurrency or regular cash.
His preferred aliases were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” which means “sickness” in Greek.
Zagala allegedly boasted in specialized hacker forums that the Thanos program was practically undetectable by antivirus programs and that once the encryption was finished the program would self-delete, making it almost impossible for the victim to be able to detect it and retrieve their documents.
Zagala even asked his clients “if you have time and it’s not too much trouble” to rate their experience online.
If found guilty, he could be sentenced to 10 years in jail.