DOJ: Doctor is the Mastermind of Thanos Ransomware Design & Other Malicious Tools

The Department of Justice announced Monday that a French-Venezuelan doctor made the “Thanos” ransomware builder and other malicious tools that are used by cybercriminals.

Moises Luis Zagala Gonzalez, 55, was charged in an unsealed criminal complaint filed in Brooklyn federal court last month with designing several tools to make it easier to be creative.


Zargala’s software was rented or sold to hackers who exploited it by attacking several computer networks. Here below we have mentioned all the groups among whom the Gonzalez’s subscription-based ransomware builder was popular:-

  • Russian cybercriminals
  • Script kiddies
  • Iranian state-sponsored APT

By using the Thanos utility, a user can create his own, custom-made malware aimed at encrypting and locking up the files of a victim in an attempt to extort money.

Zagala shared extensive training guides on how individuals can launch a ransomware affiliate program and maximize the amount of money that victims are willing to pay.

Here’s what the U.S. Attorney Breon Peace stated:-

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran.”


A new product, ‘Thanos’ that Gonzalez has developed was introduced on cybercrime forums in late 2019 in a bid to gain traction. 

While Zagala not only created the ransomware products and sell them to hackers, but he also provided extensive training in how to use these products.

In terms of the attempted computer intrusion charges and the conspiracy to commit computer intrusion charges, Zagala could face up to ten years in prison.

Moreover, while providing support to the hackers and cybercriminals Zagala used several nicknames like:-

  • Nosophoros
  • Aesculapius
  • Nebuchadnezzar 

Thanos Ransomware

There were several features of Thanos and here they are mentioned below:-

  • A self-delete function.
  • A field for writing custom ransom messages.
  • An anti-virtual machine tool designed to outwit the testing environments.
  • Ability to evade detection.

The software is available for licenses for specific periods of time or as an affiliate program in which the users give Zagala a percentage of what they make.

Throughout darknet markets, Zagala marketed the program widely as a powerful tool that cybercriminals adopted for their nefarious use and efficiency of the program.

There were many positive reviews about Zagala’s products from his customers. Then on July 13, 2020, there was a post by an individual praising Thanos and writing:- 

“I bought the ransomware from nosophoros and it is very powerful. As I have infected a network of approximately 3000 computers.”

Furthermore, Zagala has been accused of developing Jigsaw v. 2, a ransomware tool in addition to Thanos. It offers users the possibility to keep track of how many times the victims have tried to remove the malware from their computers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.