Cybercrime , Fraud Management & Cybercrime , Ransomware

The Ransomware Files, Episode 9: Dr. Ransomware, Part 1

Why Does the US Allege a Cardiologist in Venezuela Created Ransomware?
The Ransomware Files, Episode 9: Dr. Ransomware, Part 1

The FBI’s most-wanted list for cybercrime has a recent entry: Moises Luis Zagala Gonzalez. He is a 55-year-old cardiologist living in Ciudad Bolivar, Venezuela.

He has a bald head and an earnest smile. In one photo, he wears a doctor's white overcoat and has a stethoscope around his neck.

But U.S. prosecutors allege Zagala led a double life. They claim he's also a cybercriminal (see: Feds Say 'Multi-Tasking Doctor' Built Thanos Ransomware).

Zagala has been charged in federal court in New York with developing ransomware applications called Jigsaw and Thanos. Both infected organizations and companies around the world.

After the charges were announced in May, people who know Zagala took to social media in disbelief, says Ana Vanessa Herrero, a freelance journalist based in Caracas.

“People are pretty shocked,” Herrero says. “Some people replied to that [social media] message saying, 'Oh, my God, this makes no sense because he was my teacher.' Or, you know, 'He was my professor at a college,' or 'He was my doctor.' One guy was, like, 'Absolutely, I'm sure he's not guilty. I'm sure he's not the guy they're looking for.'"

The U.S. government claims Zagala's hacking career started in the late 1990s when we was working under the nickname "Aesculapius," the Latin spelling for the Greek god of medicine. They claim he operated under that nickname while part of an expert reverse software engineering group called High Cracking University.

The nickname Aesculapius pops up again and again on malware and phone hacking forums in the 2010s and beyond. In recent years, the nickname appears on cybercriminal forums in connection with someone selling the Thanos and Jigsaw ransomware.

The accusation that a cardiologist could also be a malware developer is far out of the normal bounds. Could a person conceivably balance a career in cardiology with malware development?

Thomas Holt is a professor in the School of Criminal Justice at Michigan State University. He researches computer hacking and malware and the behavior of those who use the internet for crime.

"The real trick, in my mind, is the fact that for a profession like cardiology - which you would expect involves long hours, tremendous focus - to have the free time after that to be able to be a competent hacker who's developing tools that people are using," Holt says, "that, to me, is the real odd standout in all of the events described."

Who is Zagala, and why does the U.S. think he's a ransomware mastermind? This incredible story will stretch across two episodes. We’ll explore who Moises Zagala is and why the U.S. authorities allege he's a ransomware mastermind.

"The Ransomware Files" is a podcast miniseries available on Spotify, Apple Podcasts, Google, Audible, Stitcher and more. I’m exploring the impact of ransomware, one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victims to cybercriminals encrypting their data and demanding payment. But IT pros are fighting back, and they have stories of resilience and fortitude.

If you enjoyed this episode of "The Ransomware Files," please follow it on a podcast platform and leave a review. Also, the show has a Twitter handle, @ransomwarefiles, that tweets news and happenings about ransomware.

If you would like to participate in this project and tell the information security community about your organization's brush with ransomware, please get in touch with me at or direct message me here on Twitter. I'm looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, is no longer a threat.


Speakers: Alexander Mindlin, Assistant United States Attorney, Eastern District of New York; Lindsay Kaye, Senior Director, Operational Outcomes, Insikt Group, Recorded Future; Thomas Holt , Professor, School of Criminal Justice, Michigan State University; Ana Vanessa Herrero, Journalist; Jeremy Kirk, Executive Editor, Information Security Media Group.

Production Coordinator: Rashmi Ramesh.

Special thanks to Ana Vanessa Herrero in Caracas for reporting and research that contributed to this episode. Thanks to Tom Field and David Perera for production assistance.

The Ransomware Files theme song by Chris Gilbert/© Ordinary Weirdos Records. Other original music in this episode by Chris Gilbert, India Kirk and Jeremy Kirk. Additional music by


  • Cyrus Peikari, Anton Chuvakin, Security Warrior, January 2004;
  • Dark Ridge, A delayed strainer by Fravia+, July 26, 1999;
  • Davide Eynard, HcuStory, June 11, 2014;
  • Department of Justice, Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals, May 16, 2022;
  • Department of Justice, An amended affidavit and complaint in support of an application for an arrest warrant against Moises Luis Zagala Gonzalez, May 16, 2022;
  • Malpedia, Hakbit aka Thanos ransomware, November 1, 2021;
  • Nyotron, RIPlace Evasion Technique, Oct. 12, 2020;
  • Recorded Future, New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’, June 10, 2020;
  • Security Intelligence, From Thanos to Prometheus: When Ransomware Encryption Goes Wrong, November 1, 2021;
  • Talon @ S2WLAB, Quick analysis of Haron Ransomware (feat. Avaddon and Thanos), July 22, 2021;
  • Unit 42, Palo Alto Networks, Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa, Sept. 4, 2020;
  • ZDNet, Iranian state hacker group linked to ransomware deployments, Oct. 15, 2020;

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.