DOJ accuses heart specialist of designing, promoting ransomware

The US Department of Justice announced this week that it had unsealed a federal complaint against a Venezuela-based cardiologist regarding allegations around his use and sale of ransomware.

According to the agency, Moises Luis Zagala Gonzalez allegedly designed ransomware tools and then sold or rented them to hackers.

“We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use,” said Michael J. Driscoll, assistant director-in-charge of the Federal Bureau of Investigation’s New York Field Office.

“Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven’t taken steps to protect their systems – which is an incredibly vital step in stopping the next ransomware attack,” Driscoll added.


Ransomware has bedeviled organizations in all industries, especially the healthcare sector. As outlined in the criminal complaint, Zagala allegedly contributed to the issue by providing bad actors with multiple varieties of ransomware technology.

Zagala’s products allegedly included a tool called “Jigsaw v. 2,” which had a so-called “doomsday counter” tracking users’ attempts to eradicate it.

He also is accused of advertising a “Private Ransomware Builder” known as “Thanos,” apparently a reference to the Marvel villain. This software is said to enable the construction of unique ransomware, which criminals could either use or rent out.

The DOJ alleges that criminals could buy a “license” to use the software for a certain period of time, or join an “affiliate program” that allegedly involved profit-sharing with Zagala from any ransomware attacks using it.

“In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that ‘once encryption is done,’ the ransomware would ‘delete itself,’ making detection and recovery ‘almost impossible’ for the victim,” said DOJ officials in a press release.

According to the agency, Zagala’s customers claimed they had used his alleged ransomware to infect a network of about 3,000 computers.

“Zagala has publicly discussed his knowledge that his clients used his software to commit ransomware attacks, including by linking to a news story about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies,” said the press release.

If convicted of attempted computer intrusions and conspiracy to commit computer intrusions, Zagala faces five years’ imprisonment for each charge.


The federal government has beefed up its anti-ransomware enforcement muscle in recent months amidst repeated reports of cyber attacks.

In June 2021, the DOJ announced that it would elevate ransomware investigations to terrorism-level priority.

Later that year, it accused two people of using REvil ransomware to attack US businesses and government agencies.


“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” said United States Attorney for the Eastern District of New York Breon Peace in a statement.

“Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations,” he warned.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
