The Ransomware Files, Episode 9: Dr. Ransomware, Part 1Why Does the US Allege a Cardiologist in Venezuela Created Ransomware?
The FBI’s most-wanted list for cybercrime has a recent entry: Moises Luis Zagala Gonzalez. He is a 55-year-old cardiologist living in Ciudad Bolivar, Venezuela.
He has a bald head and an earnest smile. In one photo, he wears a doctor's white overcoat and has a stethoscope around his neck.
But U.S. prosecutors allege Zagala led a double life. They claim he's also a cybercriminal (see: Feds Say 'Multi-Tasking Doctor' Built Thanos Ransomware).
Zagala has been charged in federal court in New York with developing ransomware applications called Jigsaw and Thanos. Both infected organizations and companies around the world.
After the charges were announced in May, people who know Zagala took to social media in disbelief, says Ana Vanessa Herrero, a freelance journalist based in Caracas.
“People are pretty shocked,” Herrero says. “Some people replied to that [social media] message saying, 'Oh, my God, this makes no sense because he was my teacher.' Or, you know, 'He was my professor at a college,' or 'He was my doctor.' One guy was, like, 'Absolutely, I'm sure he's not guilty. I'm sure he's not the guy they're looking for.'"
The U.S. government claims Zagala's hacking career started in the late 1990s when we was working under the nickname "Aesculapius," the Latin spelling for the Greek god of medicine. They claim he operated under that nickname while part of an expert reverse software engineering group called High Cracking University.
The nickname Aesculapius pops up again and again on malware and phone hacking forums in the 2010s and beyond. In recent years, the nickname appears on cybercriminal forums in connection with someone selling the Thanos and Jigsaw ransomware.
The accusation that a cardiologist could also be a malware developer is far out of the normal bounds. Could a person conceivably balance a career in cardiology with malware development?
Thomas Holt is a professor in the School of Criminal Justice at Michigan State University. He researches computer hacking and malware and the behavior of those who use the internet for crime.
"The real trick, in my mind, is the fact that for a profession like cardiology - which you would expect involves long hours, tremendous focus - to have the free time after that to be able to be a competent hacker who's developing tools that people are using," Holt says, "that, to me, is the real odd standout in all of the events described."
Who is Zagala, and why does the U.S. think he's a ransomware mastermind? This incredible story will stretch across two episodes. We’ll explore who Moises Zagala is and why the U.S. authorities allege he's a ransomware mastermind.
"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.
If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.
If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at firstname.lastname@example.org or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.
Speakers: Alexander Mindlin, Assistant United States Attorney, Eastern District of New York; Lindsay Kaye, Senior Director, Operational Outcomes, Insikt Group, Recorded Future; Thomas Holt , Professor, School of Criminal Justice, Michigan State University; Ana Vanessa Herrero, Journalist; Jeremy Kirk, Executive Editor, Information Security Media Group.
Production Coordinator: Rashmi Ramesh.
- Cyrus Peikari, Anton Chuvakin, Security Warrior, January 2004;
- Dark Ridge, A delayed strainer by Fravia+, July 26, 1999;
- Davide Eynard, HcuStory, June 11, 2014;
- Department of Justice, Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals, May 16, 2022;
- Department of Justice, An amended affidavit and complaint in support of an application for an arrest warrant against Moises Luis Zagala Gonzalez, May 16, 2022;
- Malpedia, Hakbit aka Thanos ransomware, November 1, 2021;
- Nyotron, RIPlace Evasion Technique, Oct. 12, 2020;
- Recorded Future, New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’, June 10, 2020;
- Security Intelligence, From Thanos to Prometheus: When Ransomware Encryption Goes Wrong, November 1, 2021;
- Talon @ S2WLAB, Quick analysis of Haron Ransomware (feat. Avaddon and Thanos), July 22, 2021;
- Unit 42, Palo Alto Networks, Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa, Sept. 4, 2020;
- ZDNet, Iranian state hacker group linked to ransomware deployments, Oct. 15, 2020;
Jeremy Kirk: In the late 1990s, there was an elite crew of hackers who specialized in what’s called reverse engineering. They called themselves High Cracking University. They took pride in taking apart software binaries, which are executable programs that you’d install on a computer. They’d take the software apart, or “crack” it as they’d say. They were among the best in their world at reverse engineering Windows applications.
And while you could crack software with aim of just not having to pay for it, they weren’t into it for that. They were in it for intellectual sport. And one among their ranks was an expert reverse engineer who went by the nickname Aesculapius. He was smart, and he was one of the highest ranking members of the group.
And while many hackers eventually move on to other things, get different jobs or their skills fade, Aesculapius stayed around. The nickname from the late 1990s pops up on malware forums in the 2010s and beyond. And in May 2022, U.S. prosecutors accused Aesculapius of creating file-encrypting ransomware. Ransomware is a billion-dollar cybercriminal industry. Attackers break into networks, encrypt all of the files and demand a ransom to supply the decryption key. It’s devastating, high-tech crime.
Alexander Mindlin: When it strikes, it's debilitating. At best, it shuts down corporate operations for a period but at worst, it can destroy an institution. It's a giant problem.
Kirk: Much, but of course not all, ransomware activity has a nexus to Eastern Europe and Russia. And usually it involves younger people in their 20s or 30s. That general profile is in part what made the U.S. government’s announcement so intriguing. They allege that Aesculapius’s in-real-life name is Moises Luis Zagala Gonzalez. He’s a 55-year-old cardiologist living in Ciudad Bolivar. It’s a city in southeastern Venezuela that struggles with constant power outages, water supply issues and often protests. Prosecutors claim Moises is a multi-tasking doctor who designed two ransomware tools and trained attackers on how to use them. You could say they’re essentially accusing him of being Dr. Ransomware. The accusation is far out of the normal bounds. Could someone be a cardiologist and a ransomware developer?
Ana Vanessa Herrero: Some people replied to that message saying, "Oh, my God, this makes no sense because he was my teacher," or, you know, "he was my professor at a college," or "He was my doctor." One guy was like, "Absolutely, I'm sure he's not guilty. I'm sure he's not the guy they're looking for." So people are pretty shocked.
Kirk: This incredible story will stretch across two episodes. We’ll explore who is Moises Zagala and why the U.S. authorities think he’s a ransomware mastermind. We’ll also see what he and his family have to say about the allegations.
This is the Ransomware Files. I’m Jeremy Kirk.
In this podcast mini-series, I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.
Kirk: Everyone knows the FBI’s most wanted list. But there’s also a most wanted list for people accused of cybercrimes. There’s a new entry on that list: Moises Zagala. His wanted poster has three photographs of him, and the one of him in the middle stands out. He has a bald head, an earnest smile and is wearing a doctor’s white overcoat. He’s even got a stethoscope around his neck.
Why is this guy on this list? When someone is accused of a crime in the United States, the documents are published for anyone to see. Those include indictments, criminal complaints, transcripts and more. You can learn an incredible amount about an ongoing case. In the case of Moises Luis Zagala Gonzalez - and I’m just going to call him Moises for short - what’s available is 20-page affidavit written by an FBI special agent. The document details some of the evidence that the U.S. government alleges against him.
Now, I want to be clear here that the allegations made by the U.S. government have not been tested in court. As they say on American TV, but it’s true - Moises is innocent until proven guilty. If he were to travel to the United States or he was extradited there, he would be entitled to respond to the accusations against him. That would occur in the course of a trial, either by a jury or by a judge. No part of this podcast should be taken as implicating his guilt.
The FBI’s affidavit is dense and intensely interesting. It’s written by Chris Clarke, who identifies himself as a special agent focused on cybercrime, financial crime and money laundering. It’s full of details about Moises’ alleged hacker past, the long trail that led to the current accusations and startling errors in operational security.
Alexander Mindlin is the assistant U.S. attorney for the Eastern District of New York, which is the federal court where Moises would face trial. Alexander will prosecute the case.
Mindlin: Moises Zagala is a cardiologist in his mid-50s, who lives in Ciudad Bolivar in Venezuela, and has a has a cardiology practice there. And in addition to being a cardiologist, he has charged in the government's complaint, he also designs, sells and rents and licenses out ransomware. He's accused of conspiring with users of his ransomware to carry out ransomware attacks on victim networks. He has created a series of malicious tools, but relevant to us is a tool called Thanos, and a tool called Jigsaw version two. The conduct that he's charged with is knowingly helping cybercriminals use his tools in return either for a licensing fee or for a share of the profits. And in fact, he's charged with being the head of a group of ransomware attackers who use his use his software as affiliates in return for a licensing fee.
Kirk: To get to where this criminal case is today, we have to start in the past. In fact, all the way back to the late 1990s, in the early years of the commercial internet. Who is or was Aesculapius? Well, he has been actually around for a long time. Everyone is familiar with the staff or rod of Aesculapius. The staff has serpent entwined around it, and is a symbol that’s incorporated into that of many medical organizations around the world.
Aesculapius was quite active in that High Cracking University group. Surprisingly, there’s quite a bit about the group floating around on the internet even today. They were master reverse engineers. Solving big, tough problems. They were also big on sharing the knowledge with others and pushing that knowledge forward. It was called a university, after all. And to them, it wasn’t just dissecting software. It was an art.
Aesculapius was one of the highest ranking members of the group. The person behind the nickname was sharp, highly technical and wrote in fluent, beautiful English with only the occasional grammatical error. His presence was so valued within the group that in 1998, he was trusted with one of High Cracking University’s annual challenges. It was called The Strainer. It was a series of four reverse engineering challenges. Those who solved the challenges would be admitted to High Cracking University.
And instead of say, money or a prize, those who solved the strainer in innovative ways were allowed to put a plus sign in front of their nickname. That was the sign of honor that indicated to other they were now part of the elite group. In late 1998 after that year’s Strainer had been completed and the winners selected, Aesculapius congratulated those who solved the challenges.
Aesculapius: Welcome to the +HCU. I know you are already elite crackers. You have gained your admission to our university; from this day we will share cracking knowledge constituting the most valuable and unique feedback between the best crackers in the scenario. You can now proudly wear the ‘+’ sign before your names.
Kirk: What’s remarkable about Aesculapius is his emphasis on education. He was meticulous, polite and held very high standards when it came to judging what participants submitted. He cared about the craft, and not just the endpoint of cracking software, but how one got there.
To be a reverse engineer capable of solving Aesculapius’ challenges, you needed to know Windows and software engineering really well. That included analyzing assembly language, system memory manipulation, anti-debugging techniques and tangling with encryption systems. Those skills could certainly be ported to other types of software development. Maybe even ransomware.
As Alexander said, the U.S. government claims that Moises developed Jigsaw version 2, which was a standalone ransomware program. They also claim he developed Thanos, which is what’s called a ransomware builder. A ransomware builder is an application that actually creates new variants of ransomware that can be deployed on a victim’s network. Lindsay Kaye is an expert malware analyst and senior director with computer security firm Recorded Future. She co-authored a report on Thanos that was released in June 2020. I asked Lindsay what she thought about the code’s quality. I want to make a note here as well about Lindsay’s response. When chatting about Thanos, we often referred to its developer using the pronoun “he” inadvertently. That’s not intended to mean the developer is Moises. Again, that is an accusation that is being made by the U.S. government.
After taking a look at the code, would the person who designed Thanos likely be able to get a job as a software programmer? Or to put it another way, how good was this sort evil code?
Lindsay Kaye: There's at least some software engineering skill set and principles there. So at least at a basic level, he could probably be a software engineer. It's really hard to tell if just he wrote this, or if he didn't kind of start with another skeleton of code, or you didn't get a lot of examples off the internet. Because right now, we have access to so much available, could he have taken a bunch of pieces of code? Did he just know enough to cobble them together or did he write all of the code on his own? So it's a little hard to say there, but clearly, he is not incompetent in the ability to put together code and make it work.
Kirk: There’s yet another Greek mythology theme running here well. The name Thanos may be derived from a destructive Marvel comic character who originated from a moon of Saturn. It also might be derived from Thanatos, a figure in Greek mythology associated with death. Moises is accused of actually licensing the Thanos client itself to customers - they’re called affiliates in the ransomware parlance, kind of similar to affiliate marketing. Lindsay explains that isn’t quite the usual way it works in the ransomware business.
Kaye: Generally, ransomware-as-a-service program works like this: you gain access to the affiliate panel. The ones where you don't get the builder yourself, you would log on to access and pick all the configuration options. So for things like BlackMatter, or an Alphv - if you've heard of those, that's an example there. You pick all your configuration options, you hit build and then out comes the build for you. So you don't have it on your own machine to build it. But you do obtain those builds, which theoretically are unique and built to your kind of custom affiliate configurations.
Kirk: To put it another way, you just order up your ransomware malware like the way, say, you’d order a pair of sunglasses online. Tick the things you want in the check boxes - polarized, grey tint - and away you go. There were more than 40 configuration options in Thanos. But what Moises is accused of selling is not only the sunglasses, but also the machine that makes the sunglasses - which in this example is the ransomware builder.
Thanos was easy to use, which was also appealing to those less technical cybercriminals since it didn’t use just the command line. Command line applications don’t have graphical user interfaces, or GUIs, which is how most of us use software. To make command line applications run, you have to know the right commands and enter those on the command line; there are no easy drop-down menus. And of course they’re inherently more difficult to use if you don’t know the commands. Here’s Lindsay again.
Kaye: People aren't necessarily going to want to buy a builder that is all command line, especially if they're getting into ransomware. And they're not already super technically competent, right? So if they're not able to understand how to use those things, they want that nice GUI that's easy to use, easy to understand, pick which features you want - really configure it that way.
Kirk: Thanos was brilliantly simple. It had a text box in the GUI where you could write a customized ransom note. You also could add your own creepy, menacing graphic. It had a bunch of features designed to ensure its own success by thwarting security or analysis tools used by researchers. For example, it could kill processes affiliated with traffic analysis tools such as Wireshark and Firesheep. It had capabilities to avoid running in virtual machines. Virtual machines are often use by malware analysts to safely look at dangerous applications. Malware creators know this happens, so they often code their malware to look for signs this may be happen and just stop running.
Aesculapius also put a unique feature into Thanos that wasn’t in a lot of other types of ransomware. It was called RIPlace. In November 2019, a security company called Nyotron discovered a technique that could allow ransomware to slide past security products. Those are designed to close watch changes to files and then stop any actions that appear malicious. But the RIPlace technique allowed for modification and encryption of the Windows file system in a way that endpoint protection products missed. Just two months after Nyotron released its findings, the feature had been wrapped into Thanos. On one of the forums where Thanos was sold, a person going by the nickname Nosophoros - one of the nicknames the U.S. government claims is Moises - touted the technique as an advantage of Thanos. Recorded Future said Thanos was the first ransomware family to advertise the use of the RIPlace technique. It showed that whomever developed Thanos was even keeping up with new research to make more resilient ransomware.
Kaye: I think one of the most significant and interesting aspects of this is that we talk a lot about what threat actors have access to on the dark web. But this is something that researchers are putting out. So it's very interesting to see somebody now taking research that we, as security researchers, are putting out, and then implementing it. And I think this is just a great example that really underscores that idea. So they have access to the same things that we do. So how are we detecting them? What are we looking for? What are the indicators that are interesting to us? And here's just a really great example of that in practice.
Kirk: Thanos spawned many ransomware variants. Those variants - or sort of children of Thanos - went by names like Prometheus, Haron, Spook, Hakbit, Midas. They ended up infecting businesses and organizations around the world throughout last year: Peru, Mexico, Canada, Chile, Brazil, Italy, France. There was even a report that an Iranian state-sponsored hacking group nicknamed MuddyWater had used Thanos. The Justice Department complaint even alleges that Moises boasted about that use of Thanos on one forum.
All of the activity around Thanos raise alarms. Many computer security companies, including Palo Alto Networks, ZScaler and IBM’s Security X-Force, wrote analyses of Thanos since it appeared to have notable uptake by cybercriminals.
Aesculapius was a quite an active developer. On one forum, the person wrote to customers, assuring them that “I have been developing malware for many years and update my products on a daily basis.” Aesculapius regularly posted updates on improvements and changes to Thanos. Software developers usually publish what’s called a “changelog,” which is a running list of modifications.
On Dec. 1, 2019, Aesculapius writes: “Code to cripple several antivirus products. Code to erase shadow copies created by third party products.”
Kirk: Shadow copies are backups, and ransomware actors often try to erase those backups to make it more likely victims will have to pay them for a key. On Dec. 14, 2019, Aesculapius noted some more improvement: “Encryption speed significantly improved. Only a few minutes needed to have encrypted a full hard drive.”
These improvements to Thanos obviously took time. Could a person conceivably balance a career in cardiology with malware development? Thomas Holt is a professor in the school of criminal justice at Michigan State University. He researches computer hacking and malware and the behavior of those who use the internet for crime. I asked him about the seemingly contradictory premises that the U.S. Justice Department has outlined.
Thomas Holt: The real trick, in my mind, is the fact that for a profession like cardiology, where you would expect long hours and tremendous focus, you have the free time to be able to be a competent hacker who's developing tools that people are using. That, to me, is the real odd standout in all of the events described.
Kirk: Software development isn’t easy, neither is cryptography. Mistakes by ransomware developers have sometimes allowed security researchers to unlock the files of victims. They’re considered small wins in a fight where the ransomware actors usually have the upper hand. And researchers found mistakes in Thanos. The mistakes would probably irritate a meticulous, precise person like Aesculapius.
As mentioned before, Thanos had a variety of selectable options. One of those options was to use a static password to create an AES symmetric key that would be used to encrypt files on a victim’s system. That static password was used along with what’s called a “salt” to generate the encryption key. Salt in cryptography terms refers to a random value. So the password and the salt were used together to create the AES encryption key. But the problem is that the static password was actually left in the ransomware client itself, which meant it was recoverable. Lindsay explains.
Kaye: If it's baked into the file, and a reverse engineer looks at it, they just have to figure out what the salt is. So if the defender gets the ransomware, and they're able to figure out what that symmetric key is, then they can decrypt the files.
Kirk: IBM’s X-Force team also spotted another error. It was a weakness in the key generation algorithm. They analyzed a variant called Prometheus that was generated by Thanos. Prometheus’ problem was that when it created an encryption key, it failed to use a truly random value as the seed. So, let’s unpack what that means. In the process of creating an encryption key, Prometheus used a value called a seed. It’s supposed to be a random number. It may seem easy to pick a random number, but generating long random numbers is quite hard because creating those numbers often means starting with some other value or formula. To create a so-called random number, Prometheus used the number of milliseconds that had elapsed since a particular computer had started as the seed value. That gave researchers a chance: calculate the right seed value and the correct key to decrypt files could be revealed. IBM was able to create a decryptor that ended up helping some victims. It doesn’t mean that whomever designed Thanos was a poor developer. Lindsay says that cryptography is difficult to get right. But it meant a lucky break for some victims.
Kaye: A lot of really what makes crypto good is that key. So if you're able to guess that key, then the crypto is not really going to protect what you think it is. Other threat actors seem to make some mistakes there. So while that's good for defenders, it's not something that I would necessarily bank on.
Kirk: Since U.S. prosecutors announced their case against Moises, I’d been trying various ways to try to get in touch with him. That involved contacting old Jabber chat nicknames and email addresses linked with some of the nicknames in the criminal complaint. I found a lot of material online. In fact, reams of it. And to be honest, I still don’t think I’ve uncovered everything affiliated with the nicknames, particularly Aesculapius. The nickname seems to pop up again and again on forums associated with phone hacking tools, software modification and malware. I needed to find Moises and see if he’d answer some questions. What’s his relationship with computers? Why would the U.S. think he’s a ransomware mastermind? How did he end up becoming a cardiologist? And of course, what’s his response to the allegations?
None of chat handles or email addresses in the forum posts I found got me closer to Moises. But I had another idea. The criminal complaint had a Gmail address associated with Moises’ alleged PayPal account. I remembered that on PayPal, you could send a note along with money. I sent $13.37 in U.S. dollars plus a note that asked if whomever received it could get in touch. Some of you listening are probably already smiling at the amount. The number 1337 is numerical shorthand for L-E-E-T, or Leet. Leet is an abbreviation for the word “elite.” In hacker speak, 1337 became the numerical representation of that compliment. I hoped somebody would recognize the amount and maybe have a chuckle and hopefully reach out. But unfortunately, no one responded, probably because the FBI now controls the account. I really just needed to find somebody on the ground in Venezuela.
Herrero: When I read the indictment, I was like, "whoa!" You know, I was picturing this evil genius. And it's actually just like a genius.
Kirk: That’s Anna Vanessa Herrero. She’s a top-notch journalist based in Caracas, who has reported for The New York Times and The Washington Post. She’s been tracking down Moises, his family, his friends - even his patients.
Herrero: What I can see here, from the Venezuelans who live outside, is that people are very like, "wow, what just happened, he can't be the guy." Everyone tweeting about this news was very surprised.
Kirk: By all appearances, Moises is a respected person in the community. He appears to be married to a kidney doctor named Rossany. He’s been working at a private clinic in Ciudad Bolivar. We managed to find some of his brothers. There’s Guillermo, who’s a dental specialist in Caracas; Carlos, who appears to specialize in forensics with the national police; and Gustavo, who is a lawyer in Miami. We started trying to contact them. When you look at a photo of Guillermo Zagala, he and Moises resemble one another. Ana reached out to Guillermo, and we chatted afterwards.
Herrero: I need to tell you what happened today. Um, I contacted Guillermo.
Kirk: Oh great. What…what…did he have to say?
Herrero: I said that you and I were working on this. He immediately attacked me.
Kirk: Next time on The Ransomware Files. Dr Ransomware: Part 2.
Guillermo Zagala: “You really must believe that we are stupid or we don't have enough to eat. Do me the favor of bothering me more. I'm going to file a complaint for harassment.
De verdad ustedes deben creer que nosotros somos estupidoes o no tenemos para comer hagame el favor de molestar mas ya voy a ponerle una denuncia por acoso.
Herrero: Wait, wait. Say that again. She says that his email had been hacked, and that somebody else is using his identity for all of this stuff?
Mindlin: I mean, the one detail that I think is relevant is that as stated in the complaint, that there are border protection records about Zagala’s entry into the U.S. The literal guy is linked to the literal email address through his physical passage across U.S. borders.
This episode of The Ransomware Files was written, researched, edited and produced by Jeremy Kirk. It was also researched and reported by Ana Vanessa Herrero on the ground from Caracas. The production coordinator for The Ransomware Files series is Rashmi Ramesh. The Ransomware Files theme song and other original music in this episode are by Chris Gilbert of Ordinary Weirdos Records, myself and India Kirk.
If you enjoyed this episode of The Ransomware Files, please share it and leave a review. It will help keep this project going. The series has its own Twitter handle @ransomwarefiles, which tweets news and happenings about ransomware. I’m on Twitter at jeremy_kirk. If you would like to participate in this project or have an idea for it, please get in touch. The project is looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.