Malice, Money, Monkeys and a Madman: The Origin of Ransomware

Published 19 February 2024

In the murky pre-internet days of 1989, amidst growing anxieties about the AIDS epidemic, the world witnessed a pioneering act of digital villainy. It wasn’t the latest Hollywood bioweapon, but something far more insidious — the first documented ransomware attack. In hindsight, it is, perhaps, one of the oddest tales of the digital era, but sometimes truth is stranger than fiction.

Belgium in December is cold and dark, engulfed in the kind of weather that makes you want to sleep in, snuggled deep beneath a fluffy feather comforter, or sip steaming hot chocolate in front of a crackling fire. But in December 1989, Eddy Willems did neither. Despite the weather, he got up, got dressed, and showed up at the insurance company where he worked as a systems analyst.

Image courtesy Eddy Willems

The world’s first ransomware, known as the AIDS Trojan, was distributed on floppy disks.

Eddy’s boss had received a floppy disk in the mail, labeled “AIDS Information,” and he asked Eddy to check what was on it, which Eddy dutifully did. Instead of a presentation of medical research — which was what had been anticipated — a weird message appeared on his screen, seemingly the product of a teenage prankster. Eddy put it out of his mind and went about his day.

A few days later, Eddy’s computer locked and displayed a message demanding that he mail money to a PO box in Panama.

The message stated, “Dear Customer: It is time to pay for your software lease from PC Cyborg Corporation. Complete the INVOICE and attach payment for the lease option of your choice. If you don’t use the printed INVOICE, then be sure to refer to the important reference numbers below in all correspondence. In return you will receive: a renewal software package with easy-to-follow, complete instructions; an automatic, self-installing diskette that anyone can apply in minutes.”

This was followed by the “important reference numbers” and two pricing options: the one-year option at $189, or the lifetime lease for $379. A banker’s draft, cashier’s check or international money order were all considered acceptable.

With the speed of his compatriot, Lucky Luke, the comic cowboy known to “draw faster than his own shadow,” Eddy Willems quickly figured out how to outsmart the ransomware, without losing any data or ponying up the money. But Eddy was one of the clever ones.

What had triggered this very first ransomware attack? And did it have anything to do with AIDS?

Popp’s message was something one might expect of a teen prankster, not an evolutionary biologist with a Ph.D. from Harvard.

From a Droplet to a Deluge

In the summer of 1981, five cases of a mysterious new illness were reported in Los Angeles. By August 1982, the CDC had given the disease a name: Acquired Immune Deficiency Syndrome, or AIDS. But what’s the connection between AIDS and the ransomware Eddy dealt with? Well, stick with us, because it’s kind of a crazy story.

Fast forward to the summer of 1988, when the fourth International AIDS Conference took place in Stockholm. Summers are relatively cool in Sweden, averaging around 60°F (or 15°C). Temperatures notwithstanding, the brain of one dissenting scientist apparently overheated.

Two issues may have infuriated him to the point of mental instability. First, he’d recently been rejected for a job at the World Health Organization. Second, his strident public criticism of their AIDS education policies continued to fall on frustratingly deaf ears.

Eddy Willems with his original copy of Popp’s ransomware floppy disk and instructions.

Fully triggered and in meltdown mode, he began planning a ransomware attack as revenge against the industry he felt had betrayed him — any medical or scientific research professional working in the AIDS arena. Like a toddler throwing a tantrum, he executed his attack the following year: 1989.

The ransomware — which came to be known as the AIDS Trojan — was created by Dr. Joseph L. Popp, a Harvard-educated, PhD-carrying evolutionary biologist who was conducting AIDS research at the time. Nobody knows exactly what triggered Popp, although several theories would later emerge.

That first attack in 1989 started a trickle that by 2023 had turned into a deluge, with the cybersecurity market currently valued at $179,826.05 million.

Popp’s Poppycock Plan

Whether Popp was attempting to boost funding for AIDS research, raise awareness, or simply fund his retirement, nobody knows. It’s just another mystery in an odd tale orbiting an even odder man.

The Trojan’s delivery method was as retro as its era: floppy disks. Twenty thousand of them, labeled “AIDS Information — Introductory Diskettes,” were mailed to attendees of the World Health Organization’s international AIDS conference. After 90 reboots of the recipient’s computer, these seemingly innocuous disks caused the user’s directories to be hidden and their filenames to be encrypted, rendering data inaccessible. At this point, the ransom note materialized and demanded that the ransom of $189 be mailed to “PC Cyborg Corporation” at the Panamanian post office box address kindly supplied.

Obviously, this was not the first case of extortion in history. There are documented cases of man’s trickery dating back to the year 4 BC, and, given the toughness of conditions for Homo habilis about 2.4 million years ago, we’d put money on the likelihood of the occasional shakedown, no doubt communicated in grunts and hand gestures worthy of a high-spirited game of Charades. But this was the first digital case. Conceptually, it was so new that there weren’t even any laws to deal with it.

Widespread panic ensued and, fearing their hard drives had been compromised, scientists elected to delete valuable data, many losing their life’s work.

Word spread that Eddy Willems in Belgium had figured out a workaround for the ransomware. “I started to get calls from medical institutions and organizations asking how I got around it,” said Willems.

Recalling 1989, Eddy says, “The incident created a lot of damage back in those days. People lost a lot of work. It was not a marginal thing — it was a big thing, even then.”

While ransomware was new, viruses weren’t. In January 1990, Virus Bulletin, a security magazine for professionals, published an article about the AIDS Trojan, stating: “While the conception is ingenious and extremely devious, the actual programming is quite untidy.”

The fear caused by this first ransomware attack was worse than the actual virus contained on the disks. Popp’s coding skills proved less than stellar. The encryption was easily bypassed, rendering the ransom demand moot. A simple reboot or disk utility could restore access to the files. News of the Trojan’s vulnerability spread quickly, turning Popp from a cybercriminal into a laughingstock. It turned out that the Trojan could be easily dealt with because it relied on simple symmetric cryptography. For victims lacking the required technical know-how to fix it themselves, a decryption tool was soon made available in the form of an “AIDSOUT” disk.

Although it was a pretty basic malware, it was the first time many people had ever heard of the concept and it’s unclear whether any individuals or organizations ever mailed off the ransom payment to Popp’s Panamanian PO box.

“Even to this day, no one really knows why he did this,” says Eddy Willems, noting how costly and time-intensive it would have been to mail 20,000 floppy disks to so many people. “He was very influenced by something. Perhaps someone else was involved — as a biologist, how did he have money to pay for all of those disks? Was he angry about the research? Nobody knows.”

Eddy went from working as a systems analyst at the insurance company to being a security evangelist with stints at Kaspersky, the European Institute for Computer Anti-Virus Research (of which he was the founding father), the Anti-Malware Testing Standards Organization, and the Belgian government e-security team among others. Eddy is now a cybersecurity expert at G Data (which developed the world’s first commercial antivirus solution in 1987) and is active on the speaker’s circuit.

But what happened to Joe Popp?

Dr. Popp’s ransom demand message.

Too Crazy To Be Tried?

While his ransomware was causing ripples around the world, Popp was named as a person of interest by the British anti-virus industry. New Scotland Yard issued an arrest warrant and, after the FBI arrested him at his parents’ home in Ohio, Popp was shipped to Britain and incarcerated in Brixton Prison.

Popp was charged with eleven counts of blackmail and defended himself by saying that the money sent to Panama would go to AIDS research.

Strangely enough, Popp was a collaborator of the Flying Doctors, a branch of the African Medical Research Foundation, and a consultant for the WHO in Kenya. In fact, he had organized a conference in the new Global AIDS program that very year.

However, in the days leading up to his arrest, Popp had been acting increasingly strangely. The crazy behavior only escalated as he awaited trial. He took to wearing condoms on his nose and curlers in his beard to allegedly ward off the threat of radiation. (Just so you know, we checked, and neither practice is considered effective protection against radiation.)

By the time of his trial in November 1991, Popp had taken to wearing a cardboard box on his head to protect his brain from said radiation. The judge declared him mentally unfit to stand trial and sent him home.

Any guesses what the encryption key for Popp’s AIDS Trojan was? You’ll laugh at the sheer, idiotic ego of it. The key was “Dr. Joseph Lewis Andrew Popp. Jr.”

“More than an actual criminal mastermind, he was what you would classify as a ‘lone actor’ as opposed to an organized crime syndicate or state-sponsored actor,” said Michela Menting, a research director at market research firm ABI Research. “His motivations appeared to be quite personal. He obviously had strong feelings about AIDS and AIDS research.”

Either Joseph L. Popp was genuinely as nutty as a fruitcake or he deserved an Academy Award for his portrayal of the demented doc.

Later, evidence unearthed from a digital diary revealed he had been planning the Trojan attack for more than a year and a half. Although Popp’s lawyer had successfully blamed the good doctor’s wacky behavior on a “manic episode,” 18 months of careful planning seems to constitute more than a mere “episode.”

There was also a massive logistical effort in copying, packaging, and posting 20,000 disks. Popp’s diary additionally detailed a plan to disseminate a further two million disks. Financially, would it have been worth it? At, forgive us, $189 a pop, what did the good doctor stand to gain?

If all 20,000 initial victims had fallen for the scam, he would have bagged $3,780,000 in 1989, minus the cost of the disks and their distribution which was estimated at roughly $13,000, netting the good doctor around $3,767,000. That converts to about $8,840,950 in today’s market. A comfortable retirement, indeed.

However, the investigating officer, Detective Inspector John Austen, who oversaw the police investigation in the UK, calculated that only about 5% of people who received the disk installed it, so out of 20,000 potentially impacted computers, approximately only 1,000 computers were affected. Law enforcement agencies in the UK were curious as to why no disks had been mailed to the US, a fact that seems to suggest that Popp was familiar with US law from the outset — which calls into question just how unfit he was to stand trial.

A Kenyan businessman by the name of E Ketema and countrymen Kitain Mekonen, Asrat Wakjira, and Fantu Mekesse, were named as “directors” of PC Cyborg, the company registered in Panama on 12 April 1989. None of these men have ever been located, which leaves one wondering whether they ever truly existed or were mere figments of Popp’s obviously fertile imagination.

No End to the Weirdness

After being declared unfit to stand trial, Dr. Popp returned to the US and continued his career in evolutionary science. Before his Trojan escapade, he had spent 15 years studying hamadryas baboons in East Africa, which had perhaps given him the confidence to monkey around with technology he failed to master.

However, Popp clearly had an ingrained propensity for nuttiness. As if his shenanigans up to this point weren’t weird enough, he self-published a book, Popular Evolution, described as a “new model of self-help.”

A young Dr. Joseph L. Popp

In his book, Popp argued that humanity’s only purpose is “maximizing reproductive success.” He was in favor of fewer working women, less income, less education, rural living, lowering the legal age of marriage and eliminating sex ed — in the hopes of raising the teenage birth rate. Honestly, if we didn’t have to finish this article, we’d be speechless. Seriously.

This, ladies and gentlemen, is the mind responsible for the first ransomware incident.

In a final attempt to leave a lasting legacy before passing away in 2006, Joseph L. Popp created a butterfly sanctuary in upstate New York. Perhaps his theories on reproductive success were music to the ears of butterfly conservationists who wanted nothing more than to hear the flitter-flutter of increasing numbers of little wings.

In October 2023, a GoFundMe page was started to raise funds to save the ailing butterfly sanctuary. To date, less than $3,000 of the required $15,000 has been raised and the sanctuary is currently closed. Even if you collected $189 for every one of the 56 years that Dr. Popp lived, there’s still a shortfall.

It’s kind of sad, really, but perhaps it simply proves yet again that crime doesn’t pay. We’ve included a rare picture of Dr. Popp, so that if you ever fall prey to ransomware, at least you can put a face to the man who started it all.

The floppy disk that landed on Eddy Willems’ desk is now a piece of security history and, more than likely, one of very few left in the world. It hangs, more than a quarter of a century later, on Eddy’s living room wall.

“A museum offered me $1,000 for it, but I’ve decided to keep it,” he said. Turns out Eddy could possibly profit more from the AIDS Trojan fiasco than Doctor Popp probably ever did.