Today, ransomware is a clear and present danger to the security of our data, applications and IT networks. Lisa Ventura, CEO of the UK Cyber Security Association stated that ransomware attacks grew exponentially by 150% in 2020 and show no sign of slowing down. She said:

“The volume of attacks makes ransomware the most impactful threat that we currently face.”

But when and how did ransomware first show its ugly face? Let’s find out.


Ransomware didn’t make its entry with sophisticated malware such as the seemingly uncrackable CryptoWall 2.0 where hackers can demand up to $500 in bitcoins or much more. Way back in 1989, before the days of email or the internet as we know it, the first ransomware was distributed in floppy disk via the post. Today’s ransomware is usually in the form of malicious email attachments coning the user into thinking they are legitimate. But what happened in 1989 was something even more insidious. 20,000 disks were dispatched to 90 countries in December of that year, masquerading as AIDS education software.


Recipients of the package marked ‘PC Cyborg Corporation’ found a disk containing a a program that measured a person’s risk of contracting AIDS based on their responses to an interactive survey. It also contained the so-called AIDS Trojan, that encrypted a victim’s files after they had rebooted their computer a fixed number of times. To enable decryption, victims were requested to pay a licensing fee of $189 to a P.O. Box in Panama.


In December 1989, the malware, labeled as ‘AIDS Information Introductory Diskette,’ was mailed to the 20,000 unsuspecting individuals using hijacked mail subscriber lists to the World Health Organization AIDS conference. PC Business World magazine also received a copy. The AIDS Trojan first surfaced in England where disks had been distributed to 100s of medical research institutes and prompted Scotland Yard’s Computer Unit to launch their largest and most expensive investigation. Some scientists pre-emptively deleted valuable data and, according to The Independent, an AIDS organization in Italy lost 10 years of work.


So who was the perpetrator of the AIDS Trojan ransomware?  None other than an evolutionary biologist with a PhD from Harvard: Dr. Joseph L. Popp. Two weeks after release of the ransomware, Popp was travelling back to the United States from a WHO seminar on AIDS in Nairobi, and he caught the attention of the airport authority at Schiphol in Amsterdam. A label branded ‘PC Cyborg Corporation’ was found in this luggage and Popp was later arrested in Willowick, Ohio and then extradited to Britain on ten counts of blackmail and criminal damage.


While awaiting trial, Popp exhibited increasingly bizarre behaviour, including wearing condoms on his nose, a cardboard box on his head, and putting curlers in his beard to ward off the threat of radiation. In November 1991 the court determined that Popp was unfit to stand trial.


A report published in the Virus Bulletin in 1992 shows that Popp had been planning his crime for almost 2 years. Besides detailing the massive logistical effort involved in copying, packaging and posting the 20,000 disks, it also revealed a plan to disseminate an additional 2 million disks. What was Popp’s motivation. His lawyers painted him as the Robin Hood of AIDS, claimed that he planned to donate his ransomware profits to alternative AIDS research and education programs. The Guardian was probably more on the mark – Popp had recently applied for a job with the WHO but was rejected.


Using AIDS as a metaphor for ransomware is right on target. Like the deadly virus, you can’t see malware, but infection is easy. All it takes is one erroneous click, failure to backup your data, for forget to stay up-to-date on those multitude of patches and security updates. Don’t endure the shame of being infected or having to cough up for the ransomware. Let me help you.

Leave a comment