Hacked - Dr. Ransomware
Episode Date: August 16, 2022
The story of the case against Moises Luis Zagala Gonzalez, a cybercriminal polymath or international fall guy. This is part one of a two-episode investigation from The Ransomware Files miniseries. Follow The Ransomware Files wherever you listen to podcasts. https://anchor.fm/ransomwarefiles + https://twitter.com/ransomwarefiles Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
How did you get on to this story?
Well, the Department of Justice released a press release announcing this criminal complaint.
It was interesting not only for the content, which is a cardiologist in Venezuela,
who's accused of coding ransomware, but also the length of the press release.
It was just really, really long.
And I was like, okay, well, I've got to go to this document, read this, and just started reading
this criminal complaint, which just read like something otherworldly, even in the ransomware world.
And I was just thinking like, I've got to find this guy.
The FBI's Cyber Most Wanted list is longer than I was expecting.
Right now, there are 113 names on that list.
113 people who the FBI would most like to talk to.
And you start scrolling through this grid of faces and you're going to start to see some patterns.
A good chunk of the people on the FBI Cyber Most Wanted list are in
military uniforms, wanted for alleged involvement in state-sponsored hacks.
But out of those 113 faces, one of them sticks out, because only one person on the FBI's
Cybercrime Most Wanted list is wearing a crisp white doctor's coat. He is, from what I can tell,
the third oldest person on the list. He is 55 years old at the time of recording. His name is Dr. Moises
Luis Zagala Gonzalez, and he is either a cardiologist moonlighting as a cybercriminal
polymath or the fall guy for a decades-long cybercriminal operation.
If he is who they say he is, I don't think his family really has any idea.
They probably just thought Moises is in the backyard shed doing his computer stuff, right?
That's probably what they knew.
Jeremy Kirk, who makes the excellent podcast miniseries
The Ransomware Files, started pulling on this thread a few months ago,
trying to answer this question.
Who is this Venezuelan cardiologist,
who the American government alleges
is the architect of some of the world's most dangerous ransomware tools?
So rather than asking Jeremy to answer all of the questions he already answers on that show,
Ransomware Files, we are proud to bring you that episode.
The first part of his two-part piece on the story of Moises Luis Zagala Gonzalez.
The Ransomware Files, Episode 10, Dr. Ransomware.
Here on Hacked.
In the late 1990s, there was an elite crew of hackers who specialized in what's called
reverse engineering.
They called themselves High Cracking University.
They took pride in taking apart software binaries, which are
executable programs that you'd install on a computer.
They take the software apart or crack it, as they say.
They were amongst the best in the world at reverse engineering Windows applications.
And while you could crack software with the aim of just not having to pay for it,
they weren't into it for that.
They were in it for intellectual sport.
And one among their ranks was an expert reverse engineer who went by the name Asclepius.
He was smart and he was one of the highest ranking members of the group.
And while many hackers eventually move on to other things, get different jobs or their
skills fade, Asclepius stayed around. The nickname from the late 1990s popped up on malware
forums in the 2010s and beyond. And in May 2022, U.S. prosecutors accused Asclepius of creating
file-encrypting ransomware. Ransomware is now a billion-dollar cybercriminal industry. Attackers
break into networks, encrypt all of the files and demand a ransom to supply
the decryption key. It's devastating high-tech crime. It's completely unpredictable in when it
strikes. It's debilitating. At best, it shuts down corporate operations for a period, but at
worst it can destroy an institution. Much, but of course not all, ransomware activity
has a nexus to Eastern Europe and Russia, and it usually involves younger people in their 20s or 30s.
That general profile is in part what made the U.S. government's announcement so intriguing.
They allege that Asclepius's real-life name is Moises Luis Zagala Gonzalez.
He's a 55-year-old cardiologist living in Ciudad Bolívar.
It's a city in southeastern Venezuela that struggles with constant power outages, water supply
issues, and often protests.
Prosecutors claim Moises is a multitasking doctor who designed two ransomware tools and
trained attackers on how to use them.
You could say they're essentially accusing him of being
Dr. Ransomware. The accusation is so far out of the normal bounds. Could someone be a cardiologist
and a ransomware developer? So some people replied to the message saying, oh my God, this makes
no sense because, you know, he was my teacher or, you know, he was my professor at college and
he was my, or he was my doctor. And one guy was like, absolutely, I'm sure he's not guilty. You know,
I'm sure he's not the guy you're looking for.
So, yeah, I mean, people are pretty shocked.
This incredible story will stretch across two episodes.
We're going to explore who Moises Zagala is
and why the U.S. authorities think he's a ransomware mastermind.
We'll also see what he and his family have to say about the allegations.
This is the ransomware files.
I'm Jeremy Kirk.
In this podcast miniseries, I'm exploring the impact of ransomware,
one of the greatest crime waves to ever hit the internet.
Schools, hospitals, and companies have fallen victim to cybercriminals encrypting their data
and demanding payment.
But IT pros are fighting back and they have stories of resilience and fortitude.
Everyone knows the FBI's most wanted list, but there's also a most wanted list for people
accused of cybercrimes.
There's a new entry on that list, Moises Zagala.
His wanted poster has three photographs of him, and the one in the middle stands out.
He has a bald head, an earnest smile, and is wearing a doctor's white overcoat.
He's even got a stethoscope around his neck.
Why is this guy on this list?
Well, when someone is accused of a crime in the United States, the documents are published
for anyone to see.
Those include indictments, criminal complaints, transcripts, and more.
You can learn an incredible amount about an ongoing case.
In the case of Moises Luis Zagala Gonzalez, and I'm just going to call him Moises for short,
what's available is the 20-page affidavit written by an FBI special agent. The document details some of the
evidence that the U.S. government alleges against him. Now, I want to be clear here that the allegations
made by the U.S. government have not been tested in court. As they say on American TV, but it's true,
Moises is innocent until proven guilty. If he were to travel to the United States or was extradited
there, he would be entitled to respond to the accusations against him. That would occur in the
course of a trial, either by a jury or by a judge. No part of this podcast should be taken as
implicating his guilt. The FBI's affidavit is dense and intensely interesting. It's written by
Chris Clark, who identifies himself as a special agent focused on cybercrime, financial crime,
and money laundering. It's full of details about Moises' alleged hacker past, the long trail that
led to the current accusations, and startling errors in operational security.
Alexander Mindlin is the assistant U.S. attorney for the Eastern District of New York,
which is the federal court where Moises would face trial.
Alexander will prosecute the case.
Moises Zagala is a cardiologist in his mid-50s who lives in Ciudad Bolívar in Venezuela.
In addition to being a cardiologist, as charged in the government's complaint,
he also designs, sells, rents and licenses out ransomware.
He's accused essentially of conspiring with users of his
ransomware to carry out ransomware attacks on victim networks.
So he's created, well, he created a series of malicious tools, but as relevant to us, the tools
mostly are a tool called Thanos and a tool called Jigsaw version 2.
And the conduct that he's charged with is knowingly arranging with cybercriminals to help
them use his tools in return either for a licensing fee or for a share of the profits.
And in fact, he's charged with being himself at the head of a group of ransomware attackers
who use his software as affiliates in return for a licensing fee.
To get to where this criminal case is today, we have to start in the past.
In fact, all the way back to the late 1990s, the early years of the commercial internet.
Who is or was Asclepius? Well, he's actually been around for a long time.
Everyone is familiar with his staff or rod. The staff has a serpent entwined around it,
and it's a symbol that's incorporated into that of many medical organizations around the world.
Asclepius was quite active in that High Cracking University group.
Surprisingly, there's quite a bit about the group still floating around on the internet even today.
They were master reverse engineers, solving big, tough problems. They were also big on sharing the
knowledge with others and pushing that knowledge forward. It was called a university after all.
And to them, it wasn't just dissecting software. It was an art.
Asclepius was one of the highest ranking members of the group. The person behind the nickname was
sharp, highly technical, and wrote in fluent beautiful English with only the occasional
grammatical error. His presence was so valued within the group that in 1998, he was trusted
with one of High Cracking University's annual challenges. It was called the Strainer.
It was a series of four reverse engineering challenges. Those who
solved the challenges would be admitted to High Cracking University. And instead of say money
or a prize, those who solved the strainer in innovative ways were allowed to put a plus sign
in front of their nickname. That was the sign of honor that indicated to others they were now part
of this elite group. In late 1998, after that year's Strainer had been completed and
the winners selected, Asclepius congratulated those who solved the challenges.
Asclepius writes,
Welcome to the +HCU.
I know you're already elite crackers.
You've gained your admission to our university.
From this day, we will share cracking knowledge constituting the most valuable and unique feedback
between the best crackers in the scenario.
You can now proudly wear the plus sign before your names.
What's remarkable about Asclepius is his emphasis
on education. He was meticulous, polite, and held very high standards when it came to judging
what participants submitted. He cared about the craft, and not just the endpoint of cracking software,
but how one got there. To be a reverse engineer capable of solving Asclepius' challenges,
you needed to know Windows and software engineering really well. That included analyzing assembly
language, system memory manipulation, anti-debugging techniques, entangling with encryption systems.
Those skills could certainly be ported to other types of software development, maybe even ransomware.
As Alexander said, the U.S. government claims Moses developed Jigsaw version 2, which was a standalone ransomware program.
They also claimed he developed Thanos, which is what's called a ransomware builder.
A ransomware builder is an application that actually creates new variants of ransomware that can be deployed on a victim's network.
Lindsay Kaye is an expert malware analyst and senior director with the computer security firm Recorded Future.
She co-authored a report on Thanos that was released in June 2020.
I asked Lindsay what she thought about the code's quality.
I want to make a note here as well about Lindsay's response.
When chatting about Thanos, we often referred to its developer using the pronoun he inadvertently.
That's not intended to mean the developer is Moses.
Again, that is an accusation that is being made by the U.S.
government.
So after taking a look at this code, would the person who designed Thanos likely be able to
get a job as a software programmer?
Or I guess to put it another way, how good was this evil code?
This thing that he built, and if he built it on his own, there's at least some software
engineering skill set and principles there.
So at least kind of at a basic level, yeah, he could probably be a software
engineer. It's really hard to kind of tell if just he wrote this or he didn't kind of start with
another skeleton of code or he didn't get a lot of examples off the internet. Because, you know,
right now we have access to so much available that it's like, could he have taken a bunch of
pieces and just knew enough to cobble them together versus did he write all of the code on his own?
So it's a little hard to say there, but clearly he is not incompetent in the ability to put
together code and make it work. There's yet another Greek mythology theme running here as
well. The name Thanos may be derived from a destructive Marvel comic character who originated from
a moon of Saturn. It also might be derived from Thanatos, a figure in Greek mythology associated with
death. Moises is accused of actually licensing the Thanos client itself to customers. They're called
affiliates in ransomware parlance, kind of similar to affiliate marketing. Lindsay explains that
isn't quite the usual way it works in the ransomware business. Generally how a ransomware-as-a-service
program will work is once you gain access to the affiliate panel, the ones that you don't,
you don't kind of get the builder yourself, you would log on, access that, pick all the configuration
options. So for things like BlackMatter and ALPHV, kind of more recently, if you've heard of those,
that's an example there. You pick all your configuration options, you hit build, and then out comes the
build for you. So you don't have it on your own machine to build it, but you do obtain those builds,
which theoretically are unique and built to your kind of custom affiliate configurations.
To put it another way, you just order up your ransomware malware,
like the way, say, you would order a pair of sunglasses online.
Take the things you want in the checkboxes, polarized, gray tint, and away you go.
There were more than 40 configuration options in Thanos.
But what Moises is accused of selling is not only the sunglasses,
but also the machine that makes the sunglasses, which in this example is the ransomware builder.
Thanos was easy to use, which was appealing to those less technical cybercriminals,
since it didn't use the command line.
Command line applications don't have the graphical user interfaces or GUIs,
which is how most of us use software.
To make command line applications run,
you have to know the right commands and enter those into the command line.
There's no easy drop-down menus.
And of course, they're inherently more difficult to use if you don't know the commands.
Here's Lindsay again.
People aren't necessarily going to want to buy a builder that is all command line.
especially if they're getting into ransomware and they're not already super technically competent, right?
So if they're not able to kind of understand how to use those things, they want that nice GUI that's easy to use, easy to understand, pick which features you want, really configure it that way.
Thanos was brilliantly simple.
It had a text box in the GUI where you could write a customized ransom note.
You could also add your own creepy menacing graphic.
It had a bunch of features too that were designed to ensure its own success by thwarting security or analysis
tools used by researchers. For example, it could kill processes affiliated with traffic
analysis tools such as Wireshark and Fire Sheep. It had capabilities to avoid running in virtual
machines. Virtual machines are often used by malware analysts to safely look at dangerous applications.
Malware creators know this happens, so they often code their malware to look for signs that this
may be happening and just stop running. Asclepius also put a unique feature into Thanos
that wasn't in a lot of other types of ransomware.
It was called RIPlace.
So in November 2019, a security company called Nyotron
discovered a technique that could allow ransomware
to slide past security products.
Those products are designed to closely watch changes to files
and then stop any actions that appear to be malicious.
But the RIPlace technique allowed for the modification and encryption
of the Windows file system in a way that
endpoint protection products missed. Just two months after Nyotron released its findings, the feature
had been wrapped into Thanos. On one of the forums where Thanos was sold, a person going
by the nickname Nosophoros, which is one of the nicknames the U.S. government claims Moises used,
touted the technique as an advantage of using Thanos. It showed that whomever developed Thanos was
keeping up with new research to make more resilient ransomware. Recorded Future said Thanos was the first
ransomware family to advertise the use of the RIPlace technique.
So I think one of the most significant and interesting aspects of this is that we talk a lot
about kind of what threat actors have access to in the dark web, but this is something that,
you know, researchers are putting out. So it's very interesting to see somebody now taking
research that we as security researchers are putting out and then implementing it. I think this
is just a great example that really underscores that idea. So they have access to the same things
that we do. So how are we detecting them?
What are we looking for? What are the indicators that are interesting to us?
And here's just a really great example of that in practice.
Thanos spawned many ransomware variants.
Those variants, you can think of them as kind of like the children of Thanos.
Went by names like Prometheus, Haron, Spook, Hakbit, and Midas.
They ended up infecting businesses and organizations around the world in Peru, Mexico, Canada, Chile, Brazil, Italy, and France.
There was even a report that an Iranian state-sponsored hacking group nicknamed MuddyWater had used Thanos.
The Justice Department complaint even alleges that Moises boasted about that use of Thanos on one forum.
All of that activity raised alarms.
Many computer security companies, including Palo Alto Networks, Zscaler, and IBM Security X-Force,
wrote analyses of Thanos since it appeared to have notable uptake by cybercriminals.
Asclepius was a quite active developer.
On one forum, the person wrote to customers, assuring them that, quote,
I have been developing malware for many years and update my products on a daily basis.
Asclepius regularly posted updates on improvements and changes to Thanos.
Software developers usually publish what's called a change log,
which is kind of like a running list of modifications and improvements of the software.
On the 1st of December 2019, Asclepius writes,
Code to cripple several antivirus products.
Code to erase shadow copies created by third-party products.
Shadow copies are a type of backups,
and ransomware actors will often try to erase those backups
to make it more likely that victims will have to pay them for a key.
On 14 December 2019, Asclepius noted some more improvements.
Encryption speed significantly improved.
Only a few minutes needed to encrypt a full hard drive.
These improvements to Thanos obviously took time.
Could a person conceivably balance a career in cardiology with malware development?
Thomas Holt is a professor in the School of Criminal Justice at Michigan State University.
He researches computer hacking and malware and the behavior of those who use the internet for crime.
I asked him about the seemingly contradictory premises that the U.S. Department of Justice has outlined.
The real trick in my mind is the fact that for a profession like cardiology,
where you would expect that that involves long hours, it's tremendous focus,
to have the free time after that to be able to be a competent hacker who's developing
tools that people are using, that to me is the real odd standout in all of the events described.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late. An alert buried, a signal missed, a SOC that just
couldn't keep up. Arctic Wolf set out to
solve that problem by rebuilding security operations from the ground up for a world where
attackers are already using AI. They created the Aurora superintelligence platform, a fully
agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess
LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in
the loop and on the loop to validate the critical decisions and keep everything trustworthy,
and all of this is just off running on their secure operations graph, a constantly updating
intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade
of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision
reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks
like, go to arcticwolf.com/hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before, but here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com/hacked.
Software development isn't easy, however, and neither is cryptography.
Mistakes by ransomware developers have sometimes allowed security researchers to unlock the files of victims.
They're considered small wins in a fight where the ransomware actors usually have the upper hand.
And researchers found mistakes in Thanos.
The mistakes would probably irritate a meticulous, precise person like Asclepius.
As mentioned before, Thanos had a variety of selectable options.
One of those options was to use a static password to create an AES symmetric key that would be used to encrypt files on a victim's system.
That static password was used along with what's called a salt to generate the encryption key.
Salt in cryptography terms refers to a random value.
So the password and the salt were used together to create the AES encryption key.
But the problem is that the static password was actually left in the ransomware client itself, which meant it was recoverable.
Lindsay explains, if it's baked into the file and a reverse engineer looks at it,
now they just have to figure out what the salt is.
So if the defender gets the ransomware and they're able to figure out what that symmetric key is,
then they can decrypt the files.
IBM's X-Force team also spotted another error.
It was a weakness in the key generation algorithm.
They analyzed a variant called Prometheus that was generated by
Thanos. Prometheus' problem was that when it created an encryption key, it failed to use a truly
random value as the seed. So let's unpack what that means. In the process of creating an
encryption key, Prometheus used a value called a seed. It's supposed to be a random number,
and it may seem easy to pick a random number, but actually generating long random numbers is
quite hard, because creating those numbers often means starting with some
value or other formula.
To create a so-called random number, Prometheus used the number of milliseconds that had elapsed
since a particular computer had started.
That was the seed value.
That gave researchers a chance.
Calculate the right seed value and the correct key to decrypt the files could be revealed.
IBM was able to create a decryptor that ended up helping some victims.
It doesn't mean that whomever designed Thanos was a poor developer. Lindsay says that crypto
is difficult to get right, but it meant a lucky break for some victims.
A lot of really kind of what makes crypto good is that key.
So if you're able to guess that key, then the crypto is not really going to protect what you think it is.
Other threat actors seem to make some mistakes there, so while that's good for defenders,
it's not something that I would necessarily bank on.
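As an added illustration, not taken from the podcast, from Recorded Future or IBM, and not Thanos or Prometheus code: a constructed Python model of the seed weakness Jeremy and Lindsay just described. The key is derived from a non-cryptographic PRNG seeded with the host's uptime in milliseconds; because that seed lives in a small, guessable range, a defender holding one encrypted file whose header is known can brute-force the seed, rebuild the key and decrypt the file. The XOR keystream stands in for AES, the `%PDF-` header is the assumed known plaintext, and the uptime bound is an assumption. Swapping the seed for bytes from the OS CSPRNG (`secrets.token_bytes`) shows why the same search then finds nothing.

```python
import random
import secrets
from typing import Optional

# Constructed example: a toy key schedule that makes the Prometheus-style mistake
# (seeding a non-cryptographic PRNG with uptime in milliseconds), plus the defender's
# recovery of the key by brute-forcing that seed. The XOR keystream stands in for AES;
# the flaw is in where the key comes from, not in the cipher.

KEY_LEN = 32


def weak_key_from_seed(uptime_ms: int) -> bytes:
    """Derive a file-encryption key from a PRNG seeded with uptime in ms.

    Uptime is at most a few hundred million ms even on a host that has been up
    for days, so the whole key space collapses to that many candidates.
    """
    rng = random.Random(uptime_ms)  # not a CSPRNG: fully determined by the seed
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """The fix: take key bytes from the OS CSPRNG instead of a guessable seed."""
    return secrets.token_bytes(KEY_LEN)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for the real cipher: XOR with a keystream expanded from the key.

    XOR is symmetric, so the same call both encrypts and decrypts.
    """
    stream = random.Random(key)  # deterministic expansion of the 32-byte key
    return bytes(b ^ stream.getrandbits(8) for b in data)


def recover_seed(ciphertext: bytes, known_prefix: bytes, max_uptime_ms: int) -> Optional[int]:
    """Brute-force the uptime seed against known plaintext (e.g. a file header).

    A defender can bound max_uptime_ms from the host's boot time and the
    encrypted files' modification timestamps, shrinking the search further.
    """
    head = ciphertext[: len(known_prefix)]
    for seed in range(max_uptime_ms + 1):
        if xor_cipher(head, weak_key_from_seed(seed)) == known_prefix:
            return seed
    return None


def decrypt_with_recovered_seed(ciphertext: bytes, known_prefix: bytes, max_uptime_ms: int) -> Optional[bytes]:
    """Recover the seed, rebuild the key, and decrypt the whole file; None if no seed fits."""
    seed = recover_seed(ciphertext, known_prefix, max_uptime_ms)
    if seed is None:
        return None
    return xor_cipher(ciphertext, weak_key_from_seed(seed))


if __name__ == "__main__":
    # Constructed sample "document"; the %PDF- header is the assumed known plaintext.
    document = b"%PDF-1.7\n% constructed sample document for the demo\n"
    victim_uptime_ms = 41_234  # assumption: the box had been up for about 41 seconds

    encrypted = xor_cipher(document, weak_key_from_seed(victim_uptime_ms))
    recovered = decrypt_with_recovered_seed(encrypted, b"%PDF-", 60_000)
    print("weak seed: file recovered ->", recovered == document)

    # The same search against a properly generated key finds nothing in the window.
    encrypted_strong = xor_cipher(document, strong_key())
    print("strong key: file recovered ->", decrypt_with_recovered_seed(encrypted_strong, b"%PDF-", 60_000) is not None)
```

The search window here is 60,000 candidate seeds and runs in about a second; a real uptime window of a few days is a few hundred million candidates, which is still trivial compared with the 2^256 a properly generated 32-byte key would require.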
Since U.S. prosecutors announced their case against Moises, I've been trying various ways to get in touch with him.
That's involved contacting old Jabber chat nicknames and email addresses linked with some of the nicknames in the criminal complaint.
I found a lot of material online.
In fact, reams of it.
And to be honest, I don't think I've uncovered everything affiliated with the nicknames, particularly Asclepius.
The nickname seems to pop up again and again on forums associated with phone hacking tools, software modification, and malware.
I needed to find Moises and see if he'd answer some questions.
What's his relationship with computers?
Why would the United States think he's a ransomware mastermind?
How did he end up becoming a cardiologist?
And of course, what's his response to the allegations?
None of the chat handles or email addresses in the forum posts I found got me closer to Moises.
But I had another idea.
The criminal complaint had a Gmail address associated with Moises's alleged PayPal account.
I remembered that on PayPal you could also send a note along with money.
So I sent $13.37 in U.S. dollars, plus a note that asked if whomever received it could get in touch.
Some of you listening are probably already smiling at the amount.
The number 1337 is numerical shorthand for L-E-E-T, or leet.
Now, leet is an abbreviation for the word elite.
In hacker speak, 1337 became the numerical representation of that compliment.
I hope somebody would recognize the amount and maybe have a chuckle and hopefully reach out.
But unfortunately, no one responded, probably because the FBI now controls the account.
I really just needed to find somebody on the ground in Venezuela.
When I read the criminal complaint, I was like, whoa, you know, like I was picturing this evil genius.
And it's actually just like a genius.
That's Anna Vanessa Herrero.
She's a top-notch journalist based in Caracas, who's reported for the New York Times
and the Washington Post.
She's been tracking down Moises, his family, his friends, and even his patients.
What I can see here is that people are like, whoa, what just happened?
He cannot be the guy.
So everyone has been reading that's been tweeting or tweeted about this.
They were all very surprised.
By all appearances, Moises is a respected person in the community.
He appears to be married to a kidney doctor named Rosani.
He's been working at a private clinic in Ciudad Bolívar.
We managed to find some of his brothers.
There's Guillermo, who's a dental specialist in Caracas,
Carlos, who appears to specialize in forensics with the National Police,
and Gustavo, who's a lawyer in Miami.
We started trying to contact them.
When you look at a photo of Guillermo Zagala, he and Moises resemble one
another. Anna reached out to Guillermo and we chatted afterwards. So I need to tell you what happened
today. I contacted Guillermo on Facebook. Oh great. What did you have to say? Well, I said that you
and I were working on this and he immediately attacked me. Next time on The Ransomware Files,
Dr. Ransomware, part two. You really must believe that we are stupid.
don't have enough to eat, do me the favor of bothering me more.
I'm going to file a complaint for harassment.
Wait, wait, wait, so say that again?
So she says that his email has been hacked and that somebody else is using his identity
for all this stuff?
One detail that I think is relevant is that, as stated in the complaint, there are CBP
records, border protection records, about Zagala's entry into the U.S.
The literal guy is linked to the literal email address through his physical passage across U.S. borders.
This episode of the ransomware files was written, researched, edited, and produced by me, Jeremy Kirk.
It was also researched and reported by Anna Vanessa Herrero on the ground from Caracas.
The production coordinator for the ransomware files series is Rashi Ramesh.
The ransomware files theme song and other original music in this episode are by Chris Gilbert of Ordinary Weirdo's Records,
myself and India Kirk.
If you enjoyed this episode of the Ransomware Files, please share it and leave a review.
It will help keep this project going.
The series has its own Twitter handle at Ransomware Files, which tweets news and happenings
about ransomware.
I'm on Twitter at Jeremy underscore Kirk.
If you would like to participate in this project or have an idea for it, please get
in touch.
The project is looking for other people, organizations, and companies that can share their
unique experiences for the benefit of all until ransomware, hopefully, becomes a thing
of the past. Thanks for listening, everybody.
Thank you to Jeremy Kirk for sharing this episode with us.
If you want to hear the second part of this series, and I highly recommend it, it gets very,
very interesting, we recommend you give The Ransomware Files a subscription,
and you can find the second half of this story right over there.
Big old shout out to our
new patrons on Patreon. That's
patreon.com slash hacked podcast.
A great way to support the show.
Martin, thank you.
Amina Kaplan.
Thank you.
Milo Shala, thank you very much.
Stephen Armstrong, sure do appreciate it.
Renfield, thank you.
Hope you enjoyed this episode we shared with you.
We'll be back at you two weeks from now with a Hacked original.
And with hopefully an interview I'm very, very excited about.
We'll catch you in the next one.
Thanks for listening.
