Cardiologist facing charges for developing infamous Thanos and Jigsaw ransomware


A French cardiologist is finally being charged for developing ransomware. Police have identified the suspect as 55-year-old Moises Luis Zagala Gonzalez, a resident of Venezuela. He was identified through the obvious trails he left behind and with help from a relative. The relative in question was part of the operation, receiving proceeds from the ransom on a PayPal account.

About Jigsaw and Thanos

Not much is known yet about Zagala's beginnings and motives. What is known is that the ransomware he created was extremely dangerous and caused significant damage globally. Jigsaw 2.0 was the first ransomware developed by Zagala. It was an updated version of the original Jigsaw ransomware, which first launched in April of 2016. The original program was developed in only a week. Jigsaw spread through malicious attachments distributed in spam emails. Only users who downloaded the attachment were affected. Once the attachment was downloaded, the malware code would execute and encrypt all the files. Users would then get a popup window asking them to pay to decrypt their files.

Zagala created his next ransomware a few years down the line, in 2020. Thanos worked a bit differently: it was a paid ransomware sold on the dark net. Thanos allowed the users deploying it to modify the program to fit their needs. Thanos was famously used to attack government infrastructure in North Africa and the Middle East. Any proceeds received from the ransom were split between the actors deploying it and Zagala. In 2021, VirusTotal released the ransomware constructor for Thanos, putting an end to its legacy.

Finding the Creator

According to an affidavit released by the DOJ, Zagala was not a hard target for law enforcement to hit. Despite that, the investigation into him lasted 2-3 years. He committed his crimes carelessly, leaving many trails pointing in his direction. Notably, he used many aliases online, including "Aesculapius", "Nosophoros" and "Nebuchadnezzar". Investigators found a file path in one of his posts containing his real name. The PayPal account used by Zagala was also linked to a Gmail address containing his real name. The Gmail account also contained many references to the ransomware.

Zagala Venezuelan ID screenshot

In May of 2022, investigators confirmed Zagala's link after interviewing one of his relatives. The relative being interviewed had received some of the proceeds on a PayPal account he owned. Zagala's relative was quick to point in his direction. He also showed the investigators important contact information that was on his phone. That information was reportedly used to register infrastructure used for Thanos.


Zagala is expected to be tried in a New York court some day in the future. He is currently not in custody. If tried, he faces up to 10 years in prison for attempted computer intrusion and for conspiracy to commit computer intrusions. Zagala's arrest comes as no surprise considering the severity of his crimes and the obvious trails left behind.





