Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship who currently lives in Ciudad Bolivar, Venezuela, created and leased the Jigsaw and Thanos ransomware to cybercriminals, the U.S. Department of Justice said today.
Zagala also goes by the online names Nosophoros, Aesculapius and Nebuchadnezzar. He supports the cybercriminals who buy his malware and splits the ransom with them.
U.S. prosecutor Breon Peace said: "As alleged, in addition to treating patients, the multi-functional doctor created and named his network tool after death, benefiting from a global extortion software ecosystem, in which he sold tools for extortion software attacks, trained attackers on how to extort victims, and then boasted about successful attacks, including malicious actors related to the Iranian government."
"The allegations against Zagala include not only the hackers who created and used these products, but also the hackers who blackmailed them," said Zagala.
The Jigsaw ransomware includes a "doomsday" counter that deletes a certain number of files from the victim's drive every hour until the ransom is paid, and the number of files deleted increases after each reset.
Jigsaw hasn't been active since the fall of 2021, and even then, activity was really low. Emsisoft provides a decryptor for Jigsaw ransomware.
Thanos is a ransomware-as-a-service (RaaS) operation promoted on Russian-speaking hacker forums. The malware allows affiliates to customize their own ransomware using a builder provided by the developer.
Although Zagala runs an affiliate program in which cybercriminals share the profits from their ransomware, he also licenses the Thanos malware through a license server he hosts in Charlotte, North Carolina.
The ransomware stopped appearing in submissions to ID Ransomware in February 2022, and its builder was leaked on VirusTotal in June 2021.