55-Year-Old Venezuelan Doctor Turned Out to Be the Author of Jigsaw and Thanos Ransomwares

Jigsaw and Thanos ransomware
Written by Emma Davis

U.S. authorities said Moises Luis Zagala Gonzalez, a 55-year-old cardiologist of French and Venezuelan citizenship living in Venezuela, created and rented out the notorious Jigsaw and Thanos ransomware ransomware to other hackers.

Let me also remind you that we reported that the US State Department Announces $10 Million Reward for Information on Sandworm Hackers.

According to the US Department of Justice, Zagala, who used the aliases Nosophoros, Aesculapius and Nebuchadnezzar online, not only rented out his malware, but also offered support and training to cybercriminals, and then shared profits with them – ransoms received from victims around the world.

Jigsaw and Thanos ransomware

The multitasking doctor treated patients, created and named his cybertool after death, capitalized on the global ransomware ecosystem by selling ransomware attack tools, taught attackers how to extort money from victims, and then boasted of successful attacks, including perpetrated by hackers linked to the Iranian government.US Attorney Breon Peace said.

It should be noted that the Jigsaw ransomware has not been active since the fall of 2021, and even at that time its activity was very low. In addition, a free decryptor is available for it, created by Emsisoft experts.

Thanos, in turn, worked on the Ransomware-as-a-Service model (“Ransomware-as-a-service”, RaaS) and was advertised on Russian-language hacker forums. The malware allowed Zagala’s partners to create their own ransomware using a special constructor.

Jigsaw and Thanos ransomware
Thanos Builder

Bleeping Computer notes that Nosophoros not only operated an affiliate program in which cybercriminals shared profits from ransomware attacks with him, but also licensed Thanos using a license server hosted in North Carolina.

According to ID-Ransomware, Thanos activity almost ceased to appear in February 2022, and the malware builder leaked to VirusTotal in June 2021.

Jigsaw and Thanos ransomware

Journalists also remind that some samples of Thanos were previously marked as Prometheus, Haron and Hakbit malware. This was due to various extensions used by the associates of the Venezuelan doctor. However, researchers from Recorded Future have long noticed that this is the same malware.

Based on code similarity, string reuse, and key features, we believe with a high degree of certainty that the ransomware samples tracked as Hakbit were created using the Thanos ransomware builder developed by Nosophoros.the experts wrote.

US authorities report that in May 2022, law enforcement agents were able to definitively link Zagala to the Thanos attacks when they interviewed one of his relatives, who received part of the illegal extortion proceeds using a PayPal account.

The man also gave investigators contact information stored on his phone, which Nosophoros used to register part of the infrastructure for Thanos.

If convicted, Zagale faces up to five years in prison for attempted computer network intrusion and five years in prison for conspiracy to intrude on computer networks.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply