Doctor Joseph Popp is known as the father of ransomware. By profession an evolutionary biologist, primatologist and anthropologist from Harvard, he worked on the fight against AIDS and was a consultant to the WHO in Kenya. But his role in this story is that of having programmed and distributed, in 1989, a Trojan called PC Cyborg or AIDS. It came on a floppy disk, it activated after the computer had been switched on 90 times, it demanded a payment of 189 dollars at the time, and it is the first ransomware in history.
Ransomware is among the five most significant cybersecurity threats. It has become an ally of those who want to make easy money on the internet illegally. In the first half of 2021 alone there were more than 1,000 successful attacks of this type, the same number as in all of 2020, involving companies and organizations of every kind in more than 60 countries. In Spain, during 2021, well-known names such as the Public State Employment Service, Glovo, Phone House and MediaMarkt suffered ransomware attacks.
More than 30 years have passed between 1989 and today. Joseph Popp planted the seed of one of the most widespread cybersecurity attacks of our time. The Internet, cryptocurrencies and organized crime have made it possible for anyone to enter a forum, buy ransomware and spread it by email or through fraudulent pages. The most favored victims are companies of all kinds, public bodies such as town halls or libraries, and public services such as hospitals or universities. The purpose is to obtain money through extortion. If you open the infected link or file, the ransomware installs itself and spreads across the internal network. The result: dozens of locked computers or millions of encrypted, inaccessible files, unless you pay the ransom, usually in Bitcoin.
The creation of the first ransomware
As we said, it all started in 1989. That year, Joseph Popp sent 20,000 diskettes to AIDS researchers and experts in more than 90 countries. All of them had gathered in Stockholm at an international conference on AIDS organized by the World Health Organization. Joseph Popp himself was doing research on AIDS. He was an evolutionary biologist and anthropologist from Harvard University, collaborated with the Flying Doctors association that worked in Africa, and was even a consultant to the WHO in Kenya, one of the countries most affected by AIDS.
The diskettes distributed by Dr. Joseph Popp were labeled “AIDS Information – Introductory Diskettes.” In theory, they contained a questionnaire that estimated a person's risk of contracting AIDS from the answers they gave. The reality was quite different. Those diskettes contained a Trojan known as PC Cyborg or AIDS, the latter being an acronym for AIDS Info Disk. This Trojan affected computers running the DOS operating system. It replaced the AUTOEXEC.BAT file and counted how many times the computer was started. After 90 starts, the Trojan hid the folders and encrypted the files on the main drive. To regain access to the seized files and folders, the victim had to send US$189 to a post office box in Panama. The first ransomware was born.
As a curiosity, when the Trojan activated, a message appeared on the screen. It stated that you had to pay for the software you had installed, which belonged to PC Cyborg Corporation. Hence the name of this Trojan. The price was 189 dollars, plus an additional 378 dollars to regain access to your encrypted files. The payment could be made by check, bank draft or money order payable to the company mentioned above. To make matters worse, it asked you to include your name, company, address, city, country and/or postal code. Finally, the address given was a Post Office Box located in Panama.
Image author: Eddy Willems
A Trojan that infects a computer and encrypts files, and a demand for payment in exchange for regaining access to those files: these are the ingredients that make ransomware possible. But at a time when the internet was in its infancy and the payment method was a money order, this type of cybersecurity attack did not become widespread. Curiously, it was not popularized by payment through Western Union either, a method used by Russian and Ukrainian hackers during the 90s and 00s to extort companies and individuals.
Further analysis of the AIDS or PC Cyborg Trojan showed that it did not encrypt the contents of files. What it did was encrypt the names and extensions of the files so that they could no longer be accessed. The first ransomware used symmetric cryptography. And, as happens today with every new type of ransomware, after a while remedies emerged that allowed the affected content to be decrypted. AIDSOUT was one of them: it removed the Trojan from the computer. CLEARAID, for its part, recovered the plaintext from the encrypted content. That is, it decrypted the affected content so that the ransom did not have to be paid.
What happened to Joseph Popp?
Being the father of ransomware is a dubious honor. And there is no prize. His suspicious behavior in the weeks after spreading the Trojan led the FBI to investigate and eventually arrest him while he was at his parents' home in Ohio, USA. From there he was extradited to the UK, where charges had been filed against him. According to the press of the time, years of AIDS research work were lost because of the Trojan. In any event, Popp was charged with eleven counts of blackmail and extortion. In his defense, he argued that the money obtained was intended for AIDS research itself.
We do not know why Joseph Popp created the first ransomware in history, PC Cyborg. Did he really want to raise money to find a cure for AIDS? Was it an experiment for something bigger? Or a way to take revenge for having been rejected for a job at the WHO? Before the judge, his strategy was to plead mental illness, and his behavior during the trial supported this argument. Finally, in November 1991, the judge ruled that he was unfit to stand trial.
Back in the United States, Dr. Joseph Popp continued his career as an evolutionary biologist and primatologist. He even wrote the odd self-published book on primates and humans. Popp passed away in 2007 at the age of 55. He left unfinished a memoir about his travels to Africa as a researcher. As a legacy, in Oneonta, New York, we can find The Joseph L. Popp, Jr. Butterfly Conservatory, a butterfly sanctuary of 279 square meters.
Photo by FLY:D on Unsplash
The juicy business of ransomware
Just as DDoS attacks began as acts of revenge and turned into an online extortion tool, ransomware suffered the same fate. The first attack of this type was born in 1989, whether for profit or as personal revenge. Then, in 1996, cryptography experts Adam Young and Moti Yung analyzed the PC Cyborg Trojan and introduced the use of public key, or asymmetric, cryptography, as opposed to the symmetric cryptography of the Trojan created by Joseph Popp, so that the key needed for decryption never has to be present on the victim's machine. They also theorized about cryptovirology, that is, the use of cryptography as a weapon in combination with viruses and other malware.
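To make the symmetric-versus-asymmetric point concrete, here is an added toy in Python (not code from the article, from the AIDS Trojan or from Young and Yung): a sample that ships its own key can be reversed the way CLEARAID did, whereas a hybrid design wraps a fresh per-victim key under a public key whose private half never reaches the victim. The three file names, the HMAC keystream cipher, the tiny RSA primes and all function names are constructed for illustration only.

```python
import hashlib
import hmac

# Toy symmetric cipher: HMAC-SHA256 keystream XORed over the data (illustration only).
def stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Textbook RSA on tiny constructed primes, standing in for Young and Yung's public key.
P, Q = 61, 53                        # toy primes; real keys use thousands of bits
N, E = P * Q, 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: held by the extortionist only

def rsa_wrap(sym_key: bytes) -> list:
    return [pow(b, E, N) for b in sym_key]        # byte-by-byte, for clarity only

def rsa_unwrap(wrapped: list) -> bytes:
    return bytes(pow(c, D, N) for c in wrapped)

# Constructed stand-ins for the file names the 1989 Trojan scrambled.
FILENAMES = [b"REPORT.TXT", b"SURVEY.DBF", b"LETTER.DOC"]

def popp_style_sample() -> dict:
    """Symmetric design: the one key that exists must travel inside the sample."""
    key = b"static-key-baked-into-binary"   # identical on every infected machine
    return {"embedded_key": key, "scrambled": [stream_xor(key, n) for n in FILENAMES]}

def clearaid_style_recovery(sample: dict) -> list:
    """Analyst lifts the key out of the sample and undoes the scrambling, no ransom paid."""
    return [stream_xor(sample["embedded_key"], s) for s in sample["scrambled"]]

def young_yung_style_sample() -> dict:
    """Hybrid design: fresh per-victim key, present only wrapped under the public key."""
    session_key = hashlib.sha256(b"constructed per-victim randomness").digest()[:16]
    return {"public_key": (N, E), "wrapped_key": rsa_wrap(session_key),
            "scrambled": [stream_xor(session_key, n) for n in FILENAMES]}

def analyst_material(sample: dict) -> list:
    """What a CLEARAID-style analyst has to work with: everything on the victim side."""
    return sorted(k for k in sample if k != "scrambled")

def key_holder_recovery(sample: dict) -> list:
    """Only whoever holds D can unwrap the session key and restore the names."""
    return [stream_xor(rsa_unwrap(sample["wrapped_key"]), s) for s in sample["scrambled"]]
```

In the hybrid case the victim side holds only the public key and the wrapped session key, so no amount of analysis of the sample yields the key, which is exactly why later families such as CryptoLocker could not be undone the way PC Cyborg was.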
But it was not until 2005 that ransomware variants as we know them today began to emerge. By 2010, 10,000 ransomware samples had been counted. That same year Bitcoin emerged, the perfect tool for collecting ransomware extortion payments. In 2013, extortion demands of up to 200 US dollars appeared, and there were already more than 100,000 ransomware samples on the online market. Then came 2014. That year CryptoLocker appeared, one of the most profitable ransomware families: in just 100 days, those operating it earned $30 million. Later came other equally or more dangerous families, such as WannaCry and NotPetya.
Today, ransomware is sold on internet forums as a service, customer support included. You do not need computer skills. You buy the ransomware you want, you choose the victims, and the people behind it take care of everything else, since they run their own infrastructure. Experts call it ransomware as a service. It is easy money that preys on companies and public bodies with obsolete computers or no security policies. The good news is that there are ways to protect yourself against ransomware, but they require acquiring certain habits.