CARACAS – New York prosecutors charged Venezuelan cardiologist Moisés Luis Zagala González this month with designing and licensing malware used by cybercriminal groups, including some with ties to the Islamist regime of Iran.
Ever since it rose to power, the Bolivarian Revolution has maintained strong ties with the Iranian regime, to the point that now Iran is one of the countries that dictates Venezuela’s foreign policy, alongside China and Russia. In more recent times, socialist dictator Nicolás Maduro has received increased support from Iran, including palliative oil shipments to deal with the country’s severe gasoline shortages and deals with Iranian companies to repair Venezuela’s refineries after the socialist regime’s mismanagement has left them in ruins.
Prosecutors say Zagala boasted of his clients, including a group that allegedly attempted to use his software to target Israeli companies.
Zagala, based in Ciudad Bolivar, Venezuela, allegedly goes by the online aliases of “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar” to sell ransomware tools known as “Thanos” and “Jigsaw v.2,” both named after villains from comic book and movie franchises, respectively.
Ransomware is a type of computer virus that locks the files of a victim’s computer (or entire network) via encryption, preventing their access unless the victim pays a ransom fee to the attacker in exchange for an unlock key. Generally, the payment is demanded in the form of cryptocurrencies such as bitcoin.
In many cases, ransomware comes alongside a strict countdown timer to further exert pressure on the victim and coerce them into paying the attacker before the time is up. If the victim refuses to pay or the timer runs out, then the files remain encrypted and lost unless specialized decryption tools are available for that particular ransomware.
“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, [and] profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks,” Breon Peace, United States Attorney for the Eastern District of New York, said on May 16, explaining some of the charges.
According to Peace, Zagala “trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.”
“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use,” FBI official Michael J. Driscoll added.
According to the affidavit issued by the Eastern District of New York, Zagala’s malicious activities began in 2019, where he began selling his “Thanos” tool, which allows its users to create tailor-made ransomware to attack victims. Zagala would allegedly use his online aliases to advertise his malicious software, while boasting about its effectiveness and showcasing examples of its victims.
The FBI estimates that at least 38 copies of the Thanos ransomware tool were sold.
The other malicious software, dubbed “Jigsaw v. 2,” would track how many times the victims attempted to disable or remove it via a ‘doomsday clock,’ punishing victims by permanently deleting up to 1,000 files from the victim’s hard drives. The malicious tool also has the ability to steal the victim’s passwords and credit card information.
The affidavit also includes evidence of Zagala’s malware being used by the Iranian group MuddyWater (a contractor of the Islamic Revolutionary Guard Corps, a United States-designated terrorist organization) against Israeli companies ClearSky and Profero in 2020. These attacks were thwarted before any harm could be done.
Zagala’s malicious software was allegedly distributed under a ransomware-as-a-service (RaaS) modality, in which Zalaga would charge a monthly license fee to his buyers (estimated to be between $500 to $800). In exchange, the buyers would receive extensive support from Zagala in the use of the malicious tools. In certain cases, Zagala would enter in ‘affiliate agreements’ with purchasers of his services, in which he would receive a cut from the money extorted from the victims as payment.
U.S. authorities deem Zagala’s case unusual, as his age and career do not follow the usual stereotypical pattern observed in cybercriminals.
If convicted, Zagala faces up to five years in prison for attempted computer intrusion and another five years for conspiracy to commit computer intrusions.
The probability of Zalaga being apprehended by Venezuelan authorities and extradited to the United States to face his charges is, however, close to zero. While an extradition agreement between the United States and Venezuela has existed since 1922, Venezuela is one of the countries that does not respect its extradition treaties with the United States, given the animosity of the socialist regime towards America — more so in recent years.
Christian K. Caruzo is a Venezuelan writer and documents life under socialism. You can follow him on Twitter here.