Cybercrime , Fraud Management & Cybercrime , Ransomware

The Ransomware Files, Ep. 10: Dr. Ransomware, Part 2

A Cardiologist Stands Accused of Being a Ransomware Kingpin. But Is He the Victim?
The Ransomware Files, Ep. 10: Dr. Ransomware, Part 2

Is a practicing cardiologist living in Venezuela also a ransomware mastermind? If U.S. prosecutors are to be believed, Moises Luis Zagala Gonzalez is a cybercriminal polymath.

He's on the FBI's Most Wanted list for cybercrime, but people who know him say the accusations cannot be true. Zagala is charged in federal court in New York with developing ransomware applications called Jigsaw and Thanos that infected organizations and companies around the world between April 2019 and March 2021 (see: Feds Say 'Multi-Tasking Doctor' Built Thanos Ransomware).

But Zagala's wife says there's a reason for her husband's predicament. How does the evidence the U.S. government revealed so far stack up against her claim? The second part of the "Dr. Ransomware" episode looks at the evidence.

After the charges were announced against Zagala in May, many Venezuelans took to social media to describe their shock, including his wife, Rosanny.

"We are in shock but seeking legal advice both here and in the USA to defend ourselves," she writes in a message circulated on WhatsApp. "Moises had his email accounts hacked a few years ago, and apparently they were used along with his identity to scam.

"With the greatest respect, I clarify that Moises is a man of integrity, a family man, with values and principles who would never lend himself to such acts. God willing, we'll get the right legal team to clear his name."

The U.S. government has revealed some of the evidence it holds in a criminal complaint. It revolves around email, PayPal and a cryptocurrency account. The government also has personal information Zagala provided to Customs and Border Protection when he entered the United States.

Tony Martino is director of the Northeast Cybersecurity and Forensics Center at Utica University in New York. A digital forensics expert with more than 20 years of experience, he says the user attribution evidence released so far is "flimsy."

"I'm not trying to create Moises Zagala's defense for him," Martino says. "And I'm not willing to say it's not him. There's just too much here. It seems too difficult for this to be exactly true the way it's written. Could anyone this smart be that sloppy? And it seems like the answer is 'No.'"

"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.


Speakers: Alexander Mindlin, Assistant United States Attorney, Eastern District of New York; Anthony Martino, director of the Northeast Cybersecurity and Forensics Center at Utica University; Thomas Holt, Professor, School of Criminal Justice, Michigan State University; Ana Vanessa Herrero, Journalist; Jeremy Kirk, Executive Editor, Information Security Media Group.

Production Coordinator: Rashmi Ramesh.

Special thanks to Ana Vanessa Herrero in Caracas for reporting and research that contributed to this episode. Special thanks to Alexandra Perez, David Perera, Tom Field, Mathew Schwartz and Anna Delaney for other production assistance. Thank you to Intel471 for sharing cybercrime intelligence useful for this episode.

The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Records. Other original music in this episode by Chris Gilbert, Finley Kirk and Jeremy Kirk. Additional music by and


  • Cyrus Peikari, Anton Chuvakin, Security Warrior, January 2004;
  • Dark Ridge, A delayed strainer by Fravia+, July 26, 1999;
  • Davide Eynard, HcuStory, June 11, 2014;
  • Department of Justice, Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals, May 16, 2022;
  • Department of Justice, An amended affidavit and complaint in support of an application for an arrest warrant against Moises Luis Zagala Gonzalez, May 16, 2022;
  • Malpedia, Hakbit aka Thanos ransomware, November 1, 2021;
  • Nyotron, RIPlace Evasion Technique, Oct. 12, 2020;
  • Recorded Future, New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’, June 10, 2020;
  • Security Intelligence, From Thanos to Prometheus: When Ransomware Encryption Goes Wrong, November 1, 2021;
  • Talon @ S2WLAB, Quick analysis of Haron Ransomware (feat. Avaddon and Thanos), July 22, 2021;
  • Unit 42, Palo Alto Networks, Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa, Sept. 4, 2020;
  • ZDNet, Iranian state hacker group linked to ransomware deployments, Oct. 15, 2020;

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.