As per the news floating around the internet, it claimed that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship who lives in Ciudad Bolivar, Venezuela, designed and rented Jigsaw and Thanos ransomware to hackers, according to the US Department of Justice. Zagala also aided hackers who purchased the software and split the earnings made from ransoming victims all around the world.
The Jigsaw ransomware includes a “Doomsday” counter that deletes a particular number of files from victims’ disks every hour until the ransom is paid, with the number of files deleting growing with each reset. Jigsaw hasn’t been active since the fall of 2021, and even then, it was extremely inactive. Emsisoft has released a Jigsaw ransomware decryption.
According to the sources, we came to know that the Thanos ransomware is a Ransomware-as-a-Service (RaaS) business that has been marketed on Russian-language hacker forums. Affiliates can use a builder provided by the malware producer to customize their ransomware. Zagala also licensed the Thanos virus using a licensing server he housed in Charlotte, North Carolina while running an affiliate network where thieves shared their ransomware revenues.
Furthermore, the ransomware constructor was leaked on VirusTotal in June 2021, and the ransomware strain stopped showing up in ID-Ransomware submissions in February 2022. Because of the multiple encryption extensions used by affiliates, some Thanos ransomware samples have previously been labeled as Prometheus, Haron, or Hakbit ransomware. However, the Insikt Group at Recorded Future revealed that they are the same malware.
Zagala also openly described how his clients” utilized his tools in ransomware operations, including by referring to a news story about an Iranian state-sponsored hacking outfit using Thanos to attack Israeli companies, according to the DOJ press release.
As per the sources, from the interview session with one of Zagala’s cousins who acquired some of the ransomware operation’s unlawful gains through a PayPal account, law enforcement investigators linked him to the Thanos ransomware operation in May 2022. This person also handed them his phone’s contact information, which the defendant utilized to register some of the Thanos ransomware’s malicious infrastructure. Zagala faces up to five years in jail if convicted of attempted computer intrusion and five years in prison if convicted of conspiracy to commit computer intrusions.
