A 55-year-old cardiologist and self-taught programmer from Venezuela has been making and selling ransomware to cybercriminals around the world, according to US law enforcement.

Zagala Gonzalez, who operates a medical practice and writes malware in his spare time, faces five years in prison if he is arrested and convicted – something US Attorney Breon Peace said would be a win in the fight against ransomware.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” Peace said in a statement.

“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use.”

Gonzalez has gone by the aliases ‘Nosophoros’, ‘Aesculapius’, and ‘Nebuchadnezzar’ during his career as a criminal coder, according to newly unsealed testimony from an FBI agent.

He built the notorious Jigsaw ransomware, which contained a counter to track how many times a victim tried to remove the malicious software. Once the counter reached a threshold, it would destroy all encrypted files because, in Gonzalez’s words, “if the user kills the ransomware too many times, then it's clear he won’t pay”.

In 2019, Gonzalez allegedly began selling a tool for hackers to design their own ransomware. He called the DIY ransomware program ‘Thanos’ – after the Marvel character whose aim is to destroy half of all life in the universe – and included in it a raft of settings hackers could adjust to suit their own needs.

Ransomware built with Thanos could specify file types for exfiltration, had an option to detect virtual machines in order to evade malware researchers, and could self-destruct if certain conditions were met.

Gonzalez operated a small business using Thanos, which he advertised on hacking forums and sold in the form of limited-time licenses.

He also operated an affiliate program in which hackers would use Thanos in exchange for some of the profits.

According to the US authorities, Gonzalez would privately coach cyber criminals on the details of running ransomware, mentoring them on things like how to write an effective ransom note, how to configure the program to steal a victim’s passwords, and even just how to set up a Bitcoin wallet to receive ransom payments.

Law enforcement tracked Gonzalez down through an FBI agent who pretended to be a client.

The agent said they wanted to join the affiliate program, but Gonzalez said he had maxed out on affiliates and was only sharing in proceeds from “a maximum of between 10-20” affiliates at a time.

He explained that typically attackers sought a license for Thanos after they had already infiltrated a network and were looking for a payload to deliver.

In early May, US law enforcement approached a relative of Gonzalez whose PayPal account was being used to launder ransomware proceeds. They were able to confirm Gonzalez's identity and a warrant is now out for his arrest.