Heart Doctor Accused of Creating Two Ransomware Strains

In charges unveiled on Monday by the US Department of Justice (DOJ), a Venezuelan cardiologist was accused of "computer intrusion" for allegedly creating two ransomware strains.

The DOJ unsealed a criminal complaint against 55-year-old Moises Luis Zagala Gonzalez that claims he is the author of two ransomware strains called Jigsaw v.2 and Thanos, according to a PCmag report.

Federal investigators revealed that, starting in 2019, Zagala sold and rented out the ransomware tools to cybercriminals and taught the scammers how to use the programs.


Cardiologist Moonlights as Ransomware Developer

"Zagala provides extensive customer service along with his software, counseling his customers about how most effectively to use his software against their victims," the complaint says, as cited by PCmag.

According to the FBI, Zagala developed Thanos, a ransomware-creation tool named after the Marvel supervillain. Thanos allows users to create their own, custom-made malware for locking up victims' files and extorting money from them, according to The Record.

The DOJ said that Zagala provided extensive guidance on how people can launch ransomware affiliate programs and get the biggest ransom payments from victims.

According to PCmag, Zagala sold Thanos by renting out the tool through a licensing model. He also created an affiliate program around Thanos: in exchange for a share of the profits from each successful ransomware attack, he let a cybercriminal use the tool.

In addition to creating Thanos, Zagala is also accused of creating a 2.0 version of the Jigsaw ransomware. It was designed to update the older ransomware program, which was created by others.

"If the user kills the ransomware too many times, then it's clear he won't pay so better erase the whole hard drive," Zagala wrote according to the DOJ.

Jigsaw v.2 had features that allowed the ransomware to delete 1,000 files as punishment if the victim rebooted their system, according to The Record.


Online Forums Used to Advertise Ransomware

Zagala advertised Thanos on online forums used by cybercriminals.

"In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that 'once encryption is done,' the ransomware would 'delete itself,' making detection and recovery 'almost impossible' for the victim," DOJ said, as cited by the PCmag.

According to The Record, the DOJ said that Zagala marketed the program profusely on dark net marketplaces, promoting its customizable features and widespread adoption among cybercriminals and nation-state actors.

Zagala even provided a detailed tutorial on how to create an affiliate network. He himself generally had crews ranging from 10 to 20 members and sometimes as few as 5, an informant told the FBI.

According to the complaint, hackers often came to Zagala after they had already broken into a company. He would then check the access they came with and allow them to deploy the ransomware.

Zagala also offered advice, noting that companies with backups could still be hurt through data exfiltration and that he had helpers who could encrypt backups as well, as reported by The Record.

Zagala's products were well-known among cybercriminals, and the DOJ said it found several reviews for his products that boasted of their effectiveness.
