US links Thanos and Jigsaw ransomware to 55-year-old doctor (Security News, May 2022)
The US Department of Justice today said that Moises Luis Zagala Gonzalez, a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
"As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran," said US Attorney Breon Peace.
Some Thanos ransomware samples have previously been tagged as Prometheus, Haron, or Hakbit ransomware due to different encryption extensions used by affiliates.
"Based on code similarity, string reuse, and core functionality, Insikt Group assesses with high confidence that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros," Insikt Group said.
According to today's DOJ press release, Zagala allegedly discussed publicly how his "Clients" used his tools in ransomware attacks, "including by linking to a news story about an Iranian state-sponsored hacking group's use of Thanos to attack Israeli companies."
In May 2022, law enforcement agents linked Zagala to the Thanos ransomware operation after interviewing one of his relatives who collected some of Zagala's illicit proceeds from the ransomware operation using a PayPal account.