The first thing worth knowing about the first ever ransomware locker is that its use was apparently motivated by revenge rather than outright criminality. The second thing worth knowing is that there was not a Russian speaker in sight.
In fact, its author, Joseph Popp, grew up in Ohio and was educated at Harvard University. He was an anthropologist and biologist and an expert on HIV/AIDS, who worked closely with the World Health Organisation (WHO) in Africa – and was passed over for a job there, something that may have led to the apparent mental breakdown that resulted in the creation of the concept of ransomware.
The AIDS Trojan that Popp “unleashed” on the world in December 1989 was a simple piece of software by any standard. Technically, it was really a denial of service (DOS) scrambler, which replaced the AUTOEXEC.bat file used to execute commands when the computer system started up.
It then counted the number of boot cycles the system went through until it hit 90, at which point it hid directories and encrypted the names of the C drive files on the system. Victims, or targets, then saw a message informing them that their systems were infected by a virus.
“Remember, there is NO cure for AIDS,” the message chillingly read.
How were they infected? Popp posted 20,000 floppy disks to fellow attendees of a WHO AIDS conference, and created what we would now know as a phishing lure by labelling them “AIDS Information – Introductory Diskettes”.
Victims were told to send $189 (about $480, or £378 adjusted to 2024) to a PO Box number belonging to the PC Cyborg Corporation in Panama. The software also included an end user licence agreement (EULA) informing “users” that they would be liable for the cost of “leasing” it.
Popp, who was arrested in the US and extradited to the UK, never stood trial after a British judge ruled him mentally unfit to do so – he had developed a habit of wearing condoms on his nose, hair curlers in his beard, and cardboard boxes on his head, according to media reports at the time. Whether or not this was a deliberate ploy rather than an expression of insanity remains unclear. Back in the States, Popp went on to open an eponymously named butterfly sanctuary and tropical garden in upstate New York, and died in 2007.
Reflecting on the weird story behind the AIDS Trojan, Martin Lee, technical lead for security research at Cisco’s Talos intelligence and research unit, describes the malware as the creation of “an insane criminal genius”.
“It really was something completely new, a new dimension that hadn’t been mentioned before,” Lee tells Computer Weekly. “If we think back to the year 1989, the internet was still basically a dozen computers in universities and the military. The internet, as we know it, had not taken off, the World Wide Web had not taken off. Most computers were not networked at all, even hard disk drives were very much a luxury optional extra.
“All of these things that we now take for granted – distribution over a network, payment by cryptocurrency – none of this existed. It was a fairly limited attack…It is not known, but it is not believed, that anybody paid the ransom.”
Moreover, the cyber security profession simply did not exist in its current form in 1989. “It was nowhere near what it is today. It was a different world,” says Lee, who characterises the IT of the day as “prehistoric”.
“The term cyber security didn’t exist and the industry didn’t exist. There were individuals we would recognise as practicing information security, but they tended to be in the types of environments that required security clearance, like the military or governments. It would have been a tight community where everyone knew each other.
“Certainly at the time, the first ransomware did not make a big splash in the news,” he adds.
Ahead of his time
That Popp was somewhat ahead of his time is clear in that the idea of ransomware didn’t really rear its head again until the mid-90s, when academics and computer scientists first starting playing around with the idea of combining computer virus – or malware – functionality with cryptography.
But even then, the world spent another decade in blissful ignorance before the first attempt was made at a criminal ransomware attack of the type we would recognise in the 2020s.
Gpcode, as it was termed, first popped up in Russia in December 2004, 20 years ago, when reports started to emerge that individual people’s files were being encrypted by some strange new form of cyber attack.
“Ultimately, it turned out that an individual was, if I remember correctly, harvesting information from Russian job sites and emailing jobseekers saying, ‘Hey, we would like you to apply for this job’,” says Lee.
“The lure document purported to be a job application form, but in fact it was ransomware which encrypted the files, and the ransom was to be paid by money transfer. This is really the first modern criminal ransomware where the objective – to make money – is clear.”
Gpcode was “incredibly rudimentary” as ransomware goes – it used a 600-Bit RSA public key to encrypt its victim’s files, and Lee says that demanding the ransom be paid by money transfer (Bitcoin was still a few years off) was a dangerous gamble for the cyber criminals behind Gpcode, because it left them open to being tracked by law enforcement.
Gpcode was not a runaway success – in that it did not net millions for its creators as ransomwares do today – but it was notable in that it meant ransomware was starting to cut through, both in the still-emerging cyber security community and among laypeople.
Gpcode also helped to establish some of the popular tropes around ransomware phishing lures – today, phantom job offers are frequently used against victim organisations, particularly when executed as part of a targeted attack via a highly placed executive, for example.
Continuous innovation
Over the decade that followed, the story of ransomware became one of almost continuous innovation, as cyber criminals became more motivated to extort money and to avoid capture and prosecution.
Anonymity during the payment process was a particularly thorny problem that the criminal underground needed to overcome, says Lee.
“In 2004, Gpcode had a single software engineer slash operator conducting the attacks, and they had this problem of how are they going to get the ransom paid to them in a way that’s easy for the victim, but provides anonymity for the criminal,” he says.
“Initially, we have the rise of digital currencies, E-Gold and Liberty [Reserve] to name but two, which were mechanisms outside of the traditionally regulated banking industry for transferring value between individuals,” says Lee. “They were – how should we put this – abused.”
The big disadvantage of these digital currencies is that they both had a single point of failure from the cyber criminals’ perspective, in that law enforcement agencies and regulators could act to disrupt the flow of illicit payments traversing them, which of course is exactly what happened.
“This then coincides with the rise of cryptocurrencies, giving an alternative way for criminals to collect their ransom through crypto,” says Lee.
“The other big innovation addressed the weak point of early ransomware – is it was one developer and operator – so we did see in the mid-2000s the development of the first ransomware as a service.
“Malicious software engineers who were very good at writing code but maybe not so good at distributing ransomware or coming up with social engineering lures could focus on the code and then develop a partner portal so that less technically sophisticated cyber criminals could participate in attacks – they could be hired, or enter into a partnership,” says Lee. “If they divide up the tasks, it makes it more efficient.”
Though it may surprise some to learn that the concept of ransomware as a service, or RaaS, is well over 10 years old, it emerged at a very different time, and the ransomware ecosystem had to go through a few more evolutions to reach its present, devastating form.
Up to date
Lee explains: “The next big change comes in 2016 with the gang using SamSam. Prior to that, ransomware was a mass-market attack, distributing as much ransomware as possible to as many end-users as possible, getting it onto PCs, and demanding a few hundred dollars for the victim to get what’s on their endpoints back.
“The big innovation was the gang distributing SamSam chose their victims in a different way. Instead of going for sheer numbers, they would identify businesses, get inside their networks, and combine traditional hacking techniques – infiltrating the network, finding key servers that businesses relied on, and getting the ransomware on those key servers.
“In encrypting the files and stopping the functionality of those key servers,” says Lee, “SamSam brought the entire business to a half, and at that point the gang could ask for a much, much larger ransom.”
This is not to say that mass-market, end-user focused ransomware has gone away, it is very much still a threat, and in many ways, it is more devastating for the average person to be hit with ransomware than it is for a well-insured, regulated corporation.
“I’ve had people reach out to me with an elderly parent whose laptop has been hit with ransomware and it had the last photos of their deceased spouse on it, is there a way of getting it back?” says Lee.
“It’s heartbreaking, and nine times out of 10 the answer is no. So, this has not gone away and it’s not going to. Businesses may have more to lose than an end-user, but that’s not to say that end-users can’t suffer significant pain.
“But the big money for the bad guys is in businesses, getting inside businesses, causing high-value disruption and destroying large amounts of value, because the profits are so much higher.”
This brings us neatly to the developments we have seen since 2020, when the scourge of ransomware really took off, and cyber security broke out of its niche and started to make national headlines. These have all been well-documented, including the rise of double extortion attacks and the emergence of an extensive underground economy of affiliates and brokers. We are even seeing what looks like collaboration between financially motivated cyber criminal gangs and politically motivated cyber espionage operators.
This year, we have seen the beginnings of a new trend in which ransomware gangs actually forego the ransomware locker entirely. Just last month, the Australian and American authorities released new intelligence on the work of the BianLian ransomware gang, which has shifted solely to extortion without encryption.
Could it be that ransomware, in its traditional form, is starting to reach the end of the line?
Looking ahead
Probably not, says Lee, looking ahead, although it will look different: “You know IT brings enormous positives to our lives and enables so much – but anywhere where IT is creating value, criminals are looking for ways to piggyback and steal that value. Ransomware has proved to be a very profitable way for them do it.
“I think that for any new ways in which we use IT in the near- and medium-term future, we can expect there will be criminals looking to make money off that, and one of the ways that they’re going to do it, for certain, is going to be through ransomware.”
From ransomware’s birth pangs as the howl of the frustrated and aggrieved Joseph Popp, we can chart a clear line to the big bucks ransomware hits of the 2020s, and this continuity of criminality and innovation leads Lee to a simple conclusion.
“We need to be much more aware that for anything IT touches, we need to think about cyber security, we need to think about how the bad guys might disrupt it, because for certain, they’re going to be thinking too and someone’s going to try it.
“The history of ransomware has been one of constant innovation, and we can expect that to continue into the future,” he says.