cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

US DOJ charges Venezuelan doctor for use and sale of Thanos ransomware

The US Justice Department (DOJ) on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit-sharing arrangements.

user iconReporter
Wed, 18 May 2022
US DOJ charges Venezuelan doctor for use and sale of Thanos ransomware
expand image

Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the ransomware to other cyber criminals to facilitate the intrusions and get a share of the bitcoin payment.

If convicted, Zagala faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.

According to US attorney Breon Peace the “multi-tasking doctor” treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers on how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.


The Ransomware-as-a-Service (RaaS) scheme involved encrypting files belonging to companies, non-profit entities, and other institutions, and then demanding a ransom in exchange for the decryption key.

At its core, Thanos is a private ransomware builder that allows its purchasers, known as affiliates, to create their own custom ransomware software, which they could then use or lease to other actors, effectively widening the scope of the attacks.

An analysis by Recorded Future in June 2020 revealed that the builder comes with 43 different configuration options, calling it the first ransomware family to leverage the RIPlace technique to bypass ransomware protection features built into Windows 10.

Some of the options available include the ability to modify the ransom notes, specify the list of file types to be exfiltrated prior to encryption and settings to evade detection and self-delete the ransomware after execution.

Zagala is believed to have advertised the software on darknet cyber crime forums for $500 a month with basic options or $800 with full options, while also recruiting affiliates for the RaaS program.

The DoJ added that around 1 May 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagalas affiliate program.

Zagala responded: Not for now. Dont have spots, before proceeding to license the software to CHS-1 and helping the informant with tutorials on how to use the software and set up an affiliate crew.

Zagala, who received favourable reviews for his ransomware tools, was ultimately traced on 3 May 2022 after identifying a PayPal account belonging to his relative who resides in the US state of Florida, ​​and which was used to obtain the illicit proceeds.

The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming, the DoJ said.

[Related: Election interference scheme reportedly associated with Nauru Police email hack]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.