
Moises Luis Zagala Gonzalez

Zagala wanted poster

Moises Luis Zagala Gonzalez is a Venezuelan cardiologist turned ransomware developer who is on the FBI's Cyber Crime Most Wanted list. He was born on February 7, 1967, in Venezuela, grew up to become a cardiologist in his home country, and in 2019 became active as a ransomware developer.

He most likely decided to start development after the crash of the Venezuelan economy, whose GDP dropped by over 50% from 2017 to 2020; having grown up in times of instability, he wanted an income not tied to his government.

His first effort was a program called "Jigsaw", named after the character from the Saw franchise, which he posted on forums under the handles Aesculapius (the Greek god of medicine) and Nosophoros (Greek for "disease-bearing"), not-so-subtle nods to his medical background. Jigsaw was quite sophisticated for a first attempt: it bypassed anti-virus products, could spread laterally through networks to other machines, could detect when the user was trying to eradicate it and punish the user accordingly, and drove the ransom price up as time passed. Zagala offered the ransomware on forums for a monthly fee of $500 to use the program or $800 for expanded options.

Once Jigsaw started seeing use and malware analysts got their hands on it, Zagala's first mistake was uncovered. The Jigsaw build embedded an absolute path to its debug-symbol (.pdb) file, exposing the Windows user directory it had been compiled under:

C:\Users\Moises\Desktop\jigsawransomware2019-master\JigsawRansomware\obj\Debug\JigsawRansomware.pdb

The FBI stated in its report that it assumed "Moises" was the author's first or last name.
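The artifact above is the kind of thing a malware analyst looks for first. As an added illustration (not code from the original post or from any FBI material), the following triage script recovers the CodeView "RSDS" debug record that Visual Studio embeds in a PE file and flags a user-profile path in it; the RSDS layout (signature, 16-byte GUID, 4-byte age, NUL-terminated path) is the standard format, while the sample bytes are constructed and only the PDB path string is the one quoted above.

```python
import ntpath
import re
import struct
import uuid

# Constructed sample standing in for a PE file with a CodeView "RSDS" record in
# it. Only the PDB path is the real string quoted above; the rest is made up.
SAMPLE_PDB_PATH = (
    rb"C:\Users\Moises\Desktop\jigsawransomware2019-master"
    rb"\JigsawRansomware\obj\Debug\JigsawRansomware.pdb"
)
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 58 + b"PE\x00\x00" + b"\x90" * 37
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)  # signature, GUID, age
    + SAMPLE_PDB_PATH + b"\x00"                           # NUL-terminated path
    + b"\xcc" * 20
)

# RSDS layout: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)  # C:\Users\<name>\
BUILD_CFG_RE = re.compile(r"\\obj\\(Debug|Release)\\", re.IGNORECASE)  # MSBuild output dir


def extract_rsds_records(data):
    """Return every RSDS debug record found in a byte blob."""
    records = []
    for m in RSDS_RE.finditer(data):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m.group(1))),  # GUID is stored little-endian
            "age": struct.unpack("<I", m.group(2))[0],
            "pdb_path": m.group(3).decode("latin-1"),
        })
    return records


def attribution_artifacts(records):
    """Flag PDB paths that leak a username, build configuration or project name."""
    findings = []
    for rec in records:
        user = USER_DIR_RE.match(rec["pdb_path"])
        if not user:
            continue  # e.g. D:\build\agent\app.pdb reveals no user profile
        cfg = BUILD_CFG_RE.search(rec["pdb_path"])
        findings.append({
            "username": user.group(1),
            "build_config": cfg.group(1) if cfg else None,
            "project": ntpath.splitext(ntpath.basename(rec["pdb_path"]))[0],
            "pdb_path": rec["pdb_path"],
        })
    return findings
```

Run against the sample, the scan yields one record whose path gives up the username "Moises", a Debug build configuration and the project name JigsawRansomware; the same two functions work on the raw bytes of any real PE file.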

After the success of Jigsaw, Zagala set to developing a new ransomware called Thanos, which allowed users to easily create customized ransomware packages. It's here that he developed an affiliate program in which he took a share of the profit from successful ransomware attacks. He also pitched the idea of his affiliates creating their own affiliate programs, a sort of ransomware pyramid scheme with Zagala at the top. It's also around this time that Zagala started using the handle "Nebuchadnezzar"; he told one member of the forum that he had made the change to "preserve OPSEC" and that "malware analysts are all over me".

Unfortunately for Zagala, the individual he was talking to either already was, or would become, a confidential informant for the FBI. It's unclear why he felt the need to switch names, as he was still using the old names on other forums to advertise Thanos; all the switch accomplished was to connect his aliases to one person.

Despite his stated desire to "preserve OPSEC", Zagala was accepting payments to his PayPal account, including payments from one of the informants against him. PayPal is based in the US and has handed information over to the government countless times. The informant had sent money to a PayPal account for the Thanos ransomware; the FBI immediately asked PayPal about the account and was told it belonged to Zagala, along with his address and phone number. The same happened with another payment method, an account on a cryptocurrency trading platform that gave the FBI his full name and email upon request. The FBI then seized the Gmail account associated with the PayPal account and discovered it had sent emails to another address with Zagala's name in it. One of the emails had two attachments, one with the filename
C:\\Users\\Moises\\AppData\\Local\\Temp\\0861013C\\Directory\\ Wallets\\Monero\\Nosophoros.
After the discovery and seizure of his Gmail account, the mystery of Nebuchadnezzar was essentially over. More and more emails were found linking him as the sole author of the Jigsaw and Thanos ransomware; in one case his own customer refers to him by name. It is still worth going over his other mistakes to understand how else he could have been caught had he not made these glaring ones.

Thanos also used a control server to manage the people who purchased licenses for the program. Zagala chose to have the server hosted in Charlotte, North Carolina, and when the malware was analyzed this led the FBI to his personal information yet again, as he had paid for the server under his own name.

Zagala also had a relative in Florida receive some payments for his affiliate program through their own PayPal account, which led the FBI to interview them; once again Zagala was confirmed to be the mastermind.

Puzzlingly, despite knowing he was at the very least being sought after, Zagala has entered the US multiple times in recent years, although not since being publicly listed on the Most Wanted Cybercriminals list. Travel records maintained by United States Customs and Border Protection ("CBP") indicate that Zagala has entered, and reserved flights to enter, the United States multiple times.

It's unclear how much Zagala really cared about his OPSEC. Despite talking about it and using aliases, he didn't seem to put much thought into hiding his identity, despite clearly being an intelligent person. He resides in a country without extradition to the US, so unless he travels it's unlikely he will ever be captured by the US. Calling Zagala an OPSEC failure is probably too harsh; he is smart enough to know better, and I would be inclined to believe he had no concern for it if he hadn't stated otherwise and done things that only someone trying to maintain anonymity would do. Even if he didn't fear repercussions from the United States given his living situation, it would still stand to reason that he would want to remain anonymous from the hackers he was selling to (despite their rave reviews of his work and customer service).

Zagala still lives as a free man, and the Thanos ransomware is still seeing use, recently against the Chilean government in August 2022.

Zagala's Mistakes

Things he did right