Cardiologist charged with creating Thanos, Jigsaw ransomware

The U.S. Attorney's Office for the Eastern District of New York announced charges Monday against a cardiologist for selling the prominent ransomware tools known as Jigsaw and Thanos.

Moises Luis Zagala Gonzalez, 55, was charged with attempted computer intrusions and conspiracy to commit computer intrusions. A Venezuelan resident and cardiologist, Zagala is accused of developing and selling the ransomware-as-a-service tools.

Both tools are fairly well known. Jigsaw version 2 is an updated version of the original Jigsaw ransomware -- the latter was not developed by Zagala -- and has a "doomsday" counter that would delete 1,000 files from the victim's computer every time they attempt to restart. Thanos ransomware, which was discovered in 2020, has dozens of configuration options and was notably the first ransomware to advertise that it optionally uses RIPlace, an evasion technique discovered in 2019.

If Zagala is convicted, each charge carries a potential prison sentence of up to five years.

"We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use," said Michael J. Driscoll, assistant director in charge at the FBI's New York field office, in the charges' announcement.

"Our actions today will prevent Zagala from further victimizing users," he said. "However, many other malicious criminals are searching for businesses and organizations that haven't taken steps to protect their systems -- which is an incredibly vital step in stopping the next ransomware attack."

According to the affidavit, Zagala, who is said to go by online aliases "Aesculapius," "Nosophoros" and "Nebuchadnezzar," was charged following a two-to-three-year investigation by the FBI. Investigators discovered the defendant's identity due to forum posts, a file path with his first name on it, and notably a PayPal account connected to a Gmail address that both used Zagala's full name and contained references to the defendant's alleged ransomware services.

The affidavit also referenced an unnamed cryptocurrency exchange account apparently used by Zagala for business purposes, which, after presumably being accessed by the FBI, contained his full name and driver's license information.

Charges came shortly following a May 3 interview that the FBI conducted with a Florida relative of Zagala, which appeared to confirm investigators' suspicions about the alleged ransomware developer's identity.

The FBI did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.