The Strange History of Ransomware

Floppy disks, AIDS research, and a Panama P.O. Box.

When people first hear about ransomware, there is always this moment of stunned disbelief. It sounds like a plot line snatched straight from dystopian fiction: you flip open your laptop only to discover you have been locked out of all your files.

A ransom note hovers into view, written in bad English and a potpourri of fonts, explaining you have one week to pay $500 in bitcoins, otherwise you will lose access to your data forever. Really. No amount of genius bar-hopping will save you; neither the FBI nor top computer security experts have been able to crack extortionate viruses like CryptoWall 2.0, which is why two police departments in the US (one in Swansea, Massachusetts, the other in Dickson, Tennessee) have admitted to paying malware ransoms after having their databases locked.

But one of the weirdest things about ransomware
is that it’s not new at all.

The first ransomware virus predates e-mail, even the Internet as we know it, and was distributed on floppy disk by the postal service. It sounds quaint, but in some ways this horse-and-buggy version was even more insidious than its modern descendants. Contemporary ransomware tends to bait victims using legitimate-looking email attachments — a fake invoice from UPS, or a receipt from Delta airlines. But the 20,000 disks dispatched to 90 countries in December of 1989 were masquerading as something far more evil: AIDS education software.

The package that greeted victims abroad (the disks were never distributed within the U.S.) was stamped “PC Cyborg Corporation.” Although the company was fictitious, the disk inside really did include a program that measured a person’s risk of contracting AIDS based on their responses to an interactive survey. It also contained what came to be known as the “AIDS” Trojan, a virus that encrypted a victim’s files after they had rebooted their computer a fixed number of times.

In a camera-ready twist, the demand for ransom actually did come in the form of an analog note. Users were instructed to turn on their printers, which promptly spat out a demand for a “licensing fee” of $189 to be paid using the 20th century, black-box equivalent of bitcoin: by sending money to a Panamanian PO Box. Only then would the victim receive their decryption software.

Extortion may be an age-old crime, but its sudden appearance in digital form caught the public completely unprepared. In England, where the virus was first reported, there weren’t even laws on the books for dealing with this brand of cyber crime (prosecutors would have to rely on the 1968 Theft Act). Victims panicked. The disks had intentionally been distributed to hundreds of medical research institutions. Realizing their hard-drives had been compromised, some scientists pre-emptively deleted valuable data; according to The Independent, one AIDS organization in Italy lost 10 years of work.

Left: The harmless-seeming app install screen. / Right: The ransomware message that threatened users a few days later.

So who was the criminal mastermind that prompted Scotland Yard’s Computer Unit to launch their largest and most expensive investigation? In this case the perp wasn’t a thwarted computer programmer from some post-Communist backwater, but an evolutionary biologist with a PhD from Harvard: Dr. Joseph L. Popp.

And if that name sounds familiar, perhaps you’ve paid a visit to the eponymous butterfly conservatory he created with his daughter in upstate New York after he was let off scot-free.

No one knows exactly what provoked Popp to unleash his malevolent code.

Many of his victims were delegates who attended the World Health Organization’s (WHO) international AIDS conference in Stockholm the previous year. But Popp himself served as a part-time consultant for the WHO (in Kenya) and was actively engaged in AIDS research. These paradoxical facts, coupled with his lawyers’ later claims that Popp planned on donating his ransomware profits to alternative AIDS education programs, led some to conclude the doctor was actually some kind of crypto-anarchist Robin Hood trying to trigger reforms. The Guardian provided a much more straightforward motive; Popp had recently been rejected for a job at the WHO.

But the excuse that the Judge ultimately accepted, and which set Popp free, was simply that the doctor was insane.

For this hypothesis, there was ample evidence, starting with the clue that led to Popp’s apprehension. Less than two weeks after unleashing the virus, Popp became unnerved while traveling back to the U.S. from a WHO seminar on AIDS in Nairobi, where news of the AIDS Trojan had been a hot topic. He caught the attention of authorities at Amsterdam’s Schiphol airport after scribbling, “DR. POPP HAS BEEN POISONED” on the suitcase of a fellow passenger. A baggage search led to the discovery of a seal labeled “PC Cyborg Corp.” Soon afterward, Popp was arrested by the FBI at his parents’ home in Willowick, Ohio and then extradited to Britain on ten counts of blackmail and criminal damage.

After arriving in London, Dr. Popp continued exhibiting increasingly strange behavior while he awaited trial. According to numerous accounts in the British press, this included wearing condoms on his nose, a cardboard box on his head, and putting curlers in his beard to ward off the threat of radiation. In November of 1991, Judge Geoffrey Rivlin determined that Popp was unfit to stand trial.

Not everyone believed that Popp was as fragile as he appeared. Evidence from a digital diary obtained by the police revealed the doctor had been planning his crime for more than a year and a half, which cast doubt on lawyers’ claims that Popp had been in the grip of a manic episode when he created the virus. A lengthy report published by Virus Bulletin in 1992 further detailed the massive logistical effort involved in copying, packaging and posting the 20,000 disks.

That report also revealed evidence the doctor had been planning to disseminate an additional 2 million disks.

Whether Popp was Voldemort-made-flesh, or merely a guy who went off his meds, the frenzied response to the AIDS Trojan turned out to be unwarranted. Dr. Popp’s evil innovation, turning software into a vehicle for international blackmail, was largely conceptual. The form of cryptography he’d used to hijack victims’ hard drives, known as symmetric cryptography, was easily reversible. Once computer experts analyzed the code, decryption tools (in the form of an “AIDSOUT” disk) were made freely available.

Back in the United States, Dr. Popp resumed a varied career, which had begun in East Africa studying hamadryas baboons, and culminated in Oneonta, New York, with the opening of the Joseph L. Popp Jr. Butterfly Conservatory, “a fantastic family activity and learning experience for all ages.” His real legacy, however, is the ransomware blueprint he bequeathed to later generations of hackers. Six years after the AIDS Trojan was first unleashed, two pioneering cryptographers — Adam L. Young and Moti M. Yung — patched the holes in Popp’s leaky programming by developing a class of algorithms known as public-key cryptography.

This innovation basically did for ransomware what the Bessemer processdid for steel.

Recent iterations of extortion-based malware, such as CryptoLocker, have grown increasingly bulletproof. The latest such virus, VirRansom, emerged just a couple of months ago; computer security experts have already dubbed it the “AIDS of ransomware.”

A recent ransomware lock screen demands bitcoins.

It’s not the first time AIDS has been invoked as a metaphor to convey the destructive power of malware, but I’ve come to believe there is an intimate psychological link between ransomware in particular and the virus that first inspired its creation. Both carry with them the whiff of original sin — the errant click, the failure to adequately back up, or keep current on all those myriad patches and security updates. Let’s face it; we are laden with cyber-guilt. The ransom note arrives as a diagnosis, but we interpret it as an indictment of our messy, optimistic, impulsive, computer-using selves. And we are right.

Because our fear of ransomware isn’t about the shadowy hackers themselves, would-be peddlers of butterflies or JavaScript programmers gone bad; it’s about us.

Computers are no longer just machines to rely on. They are second brains, extensions of our innermost selves, clandestine caves in which to stash our memories, secrets, dreams, and hidden vices.

There are things our computers know about us that no human does.

And as that symbiotic relationship grows, so does the fear of “infection” — that someone else can actually see inside you. Aside from the shame of being infected, and the shame of paying the ransom when you realize there is no cure, the greatest shame is perhaps simply in knowing how much more you would pay for the assurance that you alone hold the keys to the sanctuary. We can never be safe enough.


This piece is published in Unhackable: an Intel Security publication on Medium. Don’t get PWND. Design the security of your online life with the 5 Habits of (Practically) Unhackable People.