Missing Link: 35 years of ransomware – It began with a simple floppy disk

35 years ago, a simple 5.25 inch floppy disk with the inscription "AIDS Information" marked the beginning of one of the greatest scourges of networked humanity

Hand holding a 5.25-inch floppy disk

(Image: noppasit TH/Shutterstock.com)


Around the turn of the year 1989/90, a disaster that has since become one of the biggest challenges facing the connected world began to unfold. A simple floppy disk in the then common 5.25 inch format with the inscription "AIDS Information – Introductory Diskette 2.0" marked the beginning, 35 years ago, of a business model that now generates billions in revenue for cyber criminals: ransomware.

This form of malware, which blocks access to files or systems and demands a ransom for their release, has turned out to be the scourge of networked humanity. The idea came from the probably confused mind of an evolutionary biologist with a doctorate who was no slouch at psychological tricks and already knew how to exploit the human weaknesses of his contemporaries.

Missing Link

What's missing: In the fast-paced world of technology, we often don't have time to sort through all the news and background information. At the weekend, we want to take this time to follow the side paths away from the current affairs, try out other perspectives and make nuances audible.

At the center of this criminal case, which has still not been fully solved, is Joseph L. Popp, an American born in Ohio in 1950. 35 years ago, the "father of ransomware" triggered the largest investigation to date in the still young field of computer crime prosecution, involving authorities from around 20 countries. The lead investigator was John Austen from the Computer Crime Unit (CCU) at New Scotland Yard in the UK. He was not the only one who thought Popp was the author of the AIDS disk, which, with the version designation 2.0, promised new insights into the often fatal immune disease.

It all began inconspicuously, as the specialist journal Virus Bulletin reported in 1990 and repeatedly in the following years. In December 1989, around 20,000 of the malicious disks were sent from London to a mailing list of subscribers to the magazine PC Business World, to other business mailing lists and to delegates at a World Health Organization (WHO) conference on AIDS. By post, mind you. Blackmailers did not use e-mail and other digital attack methods until years later. The recipients were mainly doctors, researchers and interested parties from the IT sector. Significantly, however, no one in the USA.

The disks contained an interactive questionnaire and a risk assessment of HIV infection, for which a "PC Cyborg Corporation" claimed the copyright. The creator or creators exploited the recipients' thirst for knowledge and their fear of infection with the life-threatening virus, at a time when computer viruses were still relatively unknown. Eddy Willems, security evangelist at IT security company G Data, remembers working for a Belgian insurance company at the time. "One Monday, I received a diskette that I was supposed to check to see whether the program it contained could be useful for the company." It contained a questionnaire to determine whether the user belonged to the HIV/AIDS risk group.

"The health information provided by this program could save your life," reads a screenshot Willems shows. You also get tips on how to reduce the risk of future infection. "So I put the disk in my work computer," writes the systems analyst. "After completing the questionnaire, the program displayed some interesting statistics about AIDS on the screen and I was even able to print them out on my dot-matrix printer."

However, "strange things then happened after I booted up my computer twice," reports Willems. After another restart, the PC no longer worked. "Instead, a message appeared on my screen asking me to send money to a PO box in Panama." This message was also printed out automatically on the connected printer. The same message appeared again and again with every subsequent boot process.

The impact of the first publicly documented encryption Trojan was massive. "An AIDS organization in Italy lost ten years of irretrievable research work because it panicked after installing and running the program," wrote Virus Bulletin in 1992. "Numerous PC administrators were fired by European companies because the AIDS disk brought careless procedures to light." Even a year after the disk was first distributed, encrypted root directories were still being reported that appeared after the Trojan was triggered. Investigation chief Austen estimated that the diskette had been installed by around five percent of recipients. That would correspond to around 1000 infected computers.

Willems notes: "Several companies also lost a lot of money, as backups were more or less non-existent at the time." IT was still in its infancy at many companies. When he watched the TV news in the evening, he realized that he was not the only one affected. The disk changed his life – he went straight into the IT security industry.

The blackmail Trojan was not perfect. "While the concept is ingenious and extremely devious, the actual programming is quite messy," said security researcher Jim Bates in 1990. The application, written in Quickbasic 3.0, only "encrypted" file names, not the files themselves. The characters were replaced with others using a simple table. It was therefore a simple symmetric substitution cipher. The malware also hid directories on the hard disk. It also replaced the system configuration file Autoexec.bat, which is responsible for essential system startup processes.

Bates and his colleague John Sutcliffe succeeded in writing the AIDSOUT tool to remove the Trojan. They also created the AIDSCLEAR program, which enabled victims to locate hidden directories. Both tools were incorporated into the decryption solution CLEARAID. Willems says he also quickly found a way out of the dilemma himself, thanks to the "pretty bad" encryption: after booting from a system disk, he was able to restore the original files and directory structure of his PC.
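As an added illustration (not code from the article or from the AIDS Trojan) of why a table-driven substitution of file names offers no real protection, the Python below applies a constructed substitution table to DOS file names and then undoes it two ways: by inverting the table, and by rebuilding the table from files whose real names are known in advance. That is the kind of recovery a cleanup tool could perform; how AIDSOUT and CLEARAID actually worked is not described here. The table, the file names and all function names are assumptions.

```python
import random
import string

ALPHABET = string.ascii_uppercase + string.digits + "._"   # DOS 8.3 name characters

def make_table(seed: int = 1989) -> dict[str, str]:
    """Constructed substitution table: a seeded permutation of ALPHABET (not the Trojan's)."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))

def substitute(name: str, table: dict[str, str]) -> str:
    """Apply the table character by character; characters outside it pass through."""
    return "".join(table.get(ch, ch) for ch in name.upper())

def invert(table: dict[str, str]) -> dict[str, str]:
    """Recovery when the table itself is known: the cipher is symmetric, so just flip it."""
    return {c: p for p, c in table.items()}

def recover_table(pairs: list[tuple[str, str]]) -> dict[str, str]:
    """Rebuild the cipher-to-plain mapping from files whose real names are known.
    Each known name leaks one entry per character; a conflict means it is not a plain substitution."""
    mapping: dict[str, str] = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError(f"length mismatch for {plain!r}")
        for p, c in zip(plain.upper(), cipher):
            if mapping.setdefault(c, p) != p:
                raise ValueError(f"conflict on {c!r}: {mapping[c]!r} vs {p!r}")
    return mapping

def restore(name: str, mapping: dict[str, str]) -> str:
    """Decode with a possibly partial mapping; still-unknown characters become '?'."""
    return "".join(mapping.get(ch, "?") for ch in name)

# Constructed victim listing: standard DOS files plus two user files, all scrambled.
TABLE = make_table()
KNOWN_FILES = ["AUTOEXEC.BAT", "CONFIG.SYS", "COMMAND.COM"]
ORIGINAL = KNOWN_FILES + ["RESULTS.DBF", "LETTER1.TXT"]
SCRAMBLED = [substitute(n, TABLE) for n in ORIGINAL]

def demo() -> tuple[list[str], list[str]]:
    """Return (names restored with the inverted table, names restored with the learned one)."""
    full = [restore(s, invert(TABLE)) for s in SCRAMBLED]
    learned = recover_table(list(zip(KNOWN_FILES, SCRAMBLED[:3])))
    return full, [restore(s, learned) for s in SCRAMBLED]

if __name__ == "__main__":
    for orig, scr, full, part in zip(ORIGINAL, SCRAMBLED, *demo()):
        print(f"{orig:13} -> {scr:13} | inverted: {full:13} | learned: {part}")
```

With only three known system files the learned table already restores those names completely and most characters of the others; every further file whose name is predictable fills in more of the table.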

The early ransomware did not install itself without warning. The diskette was accompanied by an information sheet stating that the included software was subject to a charge: PC Cyborg demanded 189 US dollars for an annual license. Alternatively, users could pay 378 US dollars for a permanent license linked to the lifetime of the hard disk. The small print on the package insert even stated, as part of a "limited warranty", that the computer could stop working properly if the customer did not pay. Willems also found an end user license agreement (EULA) on the disk, which demanded payment for "leasing" the software. But even then, nobody read such legal clauses.

How did Popp come into the picture? According to the Virus Bulletin, the British prosecutors, in cooperation with the FBI and Bates in particular, gathered "a veritable flood of forensic evidence" within two years as part of the intensive investigation, which linked the biologist to the development and distribution of the AIDS Trojan. One example: the key for encrypting the data was in the name of "Dr. Joseph Lewis Andrew Popp Jr.". The investigators also discovered diary entries from April 1988 indicating that the disk plan had apparently been in development for twenty months.

The investigators hoped to put Popp behind bars. At first, everything seemed to be going well, even though the oddities quickly piled up. On Christmas Eve 1989, CCU member Austen received a call from a Dutch colleague: Popp, visibly shaken, had been arrested at Amsterdam's Schiphol Airport. The arrested man was on his way back from a WHO seminar in Nairobi after reading about the disturbances caused by the AIDS disks.

On his arrival at Schiphol, the HIV-fascinated researcher drew the attention of the authorities by scribbling "Dr. Popp was poisoned" on another passenger's luggage. The police found materials on him that were linked to PC Cyborg. Despite this, he was initially allowed to travel on to Ohio. However, in January 1990, the USA extradited him to Great Britain on a warrant from New Scotland Yard, where he was to be tried. But in 1992, when he was charged with eleven counts of extortion, the police and prosecution were bitterly disappointed: Judge Geoffrey Rivlin QC of Southwark Crown Court dismissed the charges and let Popp go. A London psychiatrist had previously declared the 41-year-old mentally unfit to stand trial.

In the months before the planned start of the trial, Popp was no longer on remand in prison, but in Maudsley Hospital, a psychiatric clinic in London. The Virus Bulletin reported: "His recent escapades included wearing a cardboard box, putting curlers in his beard to protect himself from 'radiation' and 'microorganisms' and wearing condoms on his nose."

The possible motive of the Harvard-educated scientist remains a mystery. He is said to have failed in an application for a job at the WHO shortly before the incidents, which could have been a motivation beyond business acumen. His lawyers conceded that Popp had admitted to sending the diskettes. At the same time, however, they insisted that he could not be charged due to diminished capacity. However, the story of his mental derangement is flawed. "If Popp was crazy and committed this crime, then there was method behind his madness," the Virus Bulletin states.

The circumstances of the crime suggested that calculation was at work. The cost of duplicating and shipping the disks alone exceeded 10,000 pounds. The logistical effort was huge – from renting accommodation in London to selecting addresses and registering PC Cyborg in Panama. Mathematically, the whole thing would have been worthwhile: if just one percent of the targeted victims had paid the minimum claim of 189 US dollars, the offshore company would have received almost 38,000 US dollars. That would have more than covered the costs. If all disk recipients had paid the full "license fee", around 7.5 million US dollars would have been collected. However, only investigators are said to have sent cash to follow the trail.

Nevertheless, the "earning potential" was similar to the turnover of today's cyber extortionists. The campaign also set the style in other respects. The targeted selection of potential victims is now carried out using spear phishing. The insistence on means of payment whose use is difficult to trace is also significant. The introduction of cryptocurrencies such as Bitcoin around 2010 did the rest for the emerging ransomware scene. But Popp did not live to see any of this: he died in a car accident in 2006 at the age of 55, having latterly devoted himself to, among other things, the survival of butterflies.

What happened next is probably familiar not only to IT aficionados. From the somewhat clueless beginnings of the encryption Trojan, a highly complex, globally active branch of the underground economy has developed, which represents one of the greatest operational security threats to companies, organizations and private individuals worldwide. Until the early 2000s, blackmail Trojans remained a marginal phenomenon. However, with increasing digitalization and more sophisticated, asymmetric encryption methods, which made it more difficult to recover files, the scene became more widespread.

In 2005, specific cases of ransomware were reported, particularly in Russia. These early variants often only blocked the screen and pretended to come from law enforcement agencies such as the FBI or the Federal Criminal Police Office (BKA). From 2011 onwards, ransomware gained momentum and the concept was developed further. Well-known names such as CryptoLocker, CryptoWall and TeslaCrypt emerged. They used strong encryption methods to render the victims' data unusable.

"Double extortion" is still a relatively new technique. This involves not only encrypting the data: the cybercriminals also copy it and threaten to publish it if the ransom is not paid. Another trend is ransomware-as-a-service (RaaS): criminals offer the relevant malware and the infrastructure required for processing as a complete service. This means that less technically skilled people can also carry out ransomware attacks. On the other hand, a professionalization can be observed: trained attackers often penetrate deep into victims' networks before striking.

The most well-known recent examples are WannaCry and NotPetya, both of which have been making their presence felt since 2017. The WannaCry attack exploited a security vulnerability in Windows and infected hundreds of thousands of computers worldwide. Deutsche Bahn was one of those affected in Germany. The NotPetya attack started with blackmail, but is also considered an act of sabotage with far-reaching consequences. It hit German companies such as Beiersdorf and DHL hard.

The attack on the digital infrastructure of the municipality of Anhalt-Bitterfeld caused total costs of around 2.5 million euros. On July 6, 2021, the district's servers were infected with ransomware and data was encrypted. According to their own statements, the responsible politicians refused to pay the money demanded and declared a state of emergency – a novelty in the field of online crime. The authorities' IT came to a standstill for a long time.

According to the latest federal cybercrime report presented by the BKA in 2024, ransomware attacks sometimes have a far-reaching impact on IT supply chains. The police authority listed LockBit, Phobos, BlackBasta, Akira and BlackCat as the top five ransomware families. Artificial intelligence (AI) could act as a catalyst in the area of cybercrime and trigger an enormous increase, the BKA warned. However, the same capabilities can also help to strengthen IT security, for example by detecting phishing, malware and attempted attacks at an early stage.

According to the report, the perpetrators, who are often only loosely connected, are "frequently located in countries where they are tolerated or even protected". Police measures against the infrastructure used by the criminals and accessible to law enforcement authorities, alongside personnel investigations, are "an effective strategy to counter cybercrime more sustainably". BKA President Holger Münch referred in particular to the successful access to the server infrastructure of the Bitcoin mixer Chipmixer. In February 2024, the US Department of Justice, in cooperation with the British National Crime Agency (NCA), the FBI and other law enforcement agencies, struck a blow against the LockBit infrastructure. The USA is now putting the developers on trial.

As was the case 35 years ago, online crooks continue to rely on people's lack of restraint to penetrate IT networks: "If I come across something that arouses my interest and stimulates my curiosity, I am more willing to accept the seemingly tempting offer," explains Thorsten Rosendahl, Technical Director at IT security company Cisco Talos. The best example is the many false special offers that were sent out again in late fall as part of "Black Week": "Their aim is to get people to click on a link or disclose personal data." This opens the door for ransomware.


The consequences are immense: in Germany alone, cyberattacks, theft of data and IT devices, digital and analog industrial espionage or sabotage caused damage amounting to almost 267 billion euros within 12 months in 2023 and 2024, according to a representative survey by the IT association Bitkom. According to the survey, companies most frequently reported damage caused by ransomware (31%, up 8 percentage points).

The majority of successful cyberattacks (66%) were based on stolen access data, mostly due to weak passwords or a lack of multi-factor authentication, Rosendahl explains. A further 20 percent of attackers exploit known vulnerabilities in software, some of which have existed for years and could have been fixed long ago. This works regardless of the industry. BlackByte, for example, exploited CVE-2024-37085, a vulnerability in VMware's ESXi hypervisor. ESXi was initially considered quite secure. But appearances were deceptive. An analysis of the BlackByte code in 2021 also showed that ransomware is not just the work of professionals: empty threats and a free recovery tool allowed victims to breathe a sigh of relief at the time.

"Ransomware will continue to grow in 2025," Rosendahl is certain. AI will make its use accessible to an even broader group without reinventing the phenomenon itself. According to the IT security expert, it will be "more exciting" to embed AI in targeted attacks via email and thus impersonate a specific person such as the company boss. Caution, the rapid installation of security updates, authentication, backups and prevention remain important countermeasures.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.