Ransomware – we are hearing this word a bit too often these days. But did you ever think when and how the very first ransomware attack happened?

Stick with me to learn about the first ransomware attack.

The definition of ransomware

Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever.

How it all started

The very first ransomware attack targeted the healthcare industry in 1989. An AIDS researcher, Popp, handed out 20,000 infected floppy disks to attendees of the World Health Organization’s AIDS conference. The attack became known as the AIDS Trojan, or the PC Cyborg virus after the “PC Cyborg Corporation” named in its demand for payment.

The distributed disks contained a questionnaire about the AIDS virus, presented as a survey, along with malware that activated only after the infected computer had been powered on 90 times. On the 90th start, the malware hid directories and encrypted the names of all files on the C: drive, then displayed a message demanding payment.

While the malware itself was weak, and easily removed with decryption software, the attack set the stage for over 20 years of ransomware and virus attacks and highlighted the need for data security measures.

AIDS Trojan: The Method

The disk contained two files, both written in QuickBASIC 3.0. One contained the “survey” while the other contained the installer for the malware.

Once on the system, the malware did not encrypt anything immediately. Instead, it infected the C: drive and hijacked AUTOEXEC.BAT in the root directory. AUTOEXEC.BAT was the start-up file used by the Windows operating system at the time, and the operating system executed it on every boot.

The malware did not interfere with the boot itself; it simply counted how many times the file had been executed. Once the count reached the trigger (the 90th boot), the malware fired and encrypted the names of all the files on the C: drive using symmetric encryption.

The file contents themselves were untouched; only the names and extensions were scrambled, which was enough to stop programs from running and to leave users unable to find their data.

Once the files had been encrypted, the malware would then launch the ransom message. The message claimed that the lease for software from the PC Cyborg Corporation had expired, and the user must pay to renew it. The fees were $189 for a year’s “lease” or $378 for a lifetime “lease.” When adjusted for inflation, this comes out to roughly $400 and $800, respectively. Victims were instructed to mail their money to a PO box in Panama.

Users were then shown the ransom note reproduced below. If they attempted to reboot, the process simply started over again through the hijacked AUTOEXEC.BAT file.

The ransom note that the malware displayed to users, demanding money for a software lease. Source: Wikimedia Commons

AIDS Trojan: Effect

Partly because of the unusual payment method (cash mailed to a PO box in Panama), Popp did not receive much of a payout. Still, the damage was done: panicked users wiped their hard drives, and some research and medical organizations lost years of work in the process.

AIDS Trojan was not a particularly widespread, advanced, or profitable piece of malware. However, it introduced and popularized the concept of using malware as leverage. Previous viruses such as Creeper would inconvenience the user by filling up their hard drive or destroying users’ files. AIDS Trojan took it a step further by pressuring users into paying money.

The Repercussions of AIDS Trojan

Popp, the attacker, was arrested in the Netherlands in January 1990 after a nervous breakdown at an Amsterdam airport. Police found equipment labelled with “PC Cyborg Corp.” in his baggage. Authorities sent him back to the US, where the FBI arrested him. New Scotland Yard then extradited him to Britain on the charges of blackmail.

However, the court declared Popp mentally unfit to stand for trial in 1992. He apparently took to wearing curlers in his beard to protect himself against radiation and “microorganisms,” sporting a condom on his nose, and repeatedly putting a cardboard box on his head.

The malware itself was fairly easy to resolve. Jim Bates, editorial advisor for Virus Bulletin, authored the programs AIDSOUT and CLEARAID in January 1990. The programs, respectively, removed the malware from the computer and decrypted the files, making them usable again.
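To make the mechanism described under “The Method” concrete, and to show why Bates’s clean-up was straightforward, here is an added model (not the trojan’s code; the substitution table and file names are constructed) of the two pieces the article describes: a boot counter that fires on the 90th start, and a symmetric scramble of file names only. Because the key is fixed and sits inside the program, the same table run in reverse is all a CLEARAID-style recovery tool needs; everything below works on in-memory strings, nothing touches a filesystem.

```python
import string

TRIGGER_BOOTS = 90  # from the article: the payload fired on the 90th power-on

# Constructed substitution key (the real trojan's table is not on the page).
# DOS-style 8.3 names are upper-case letters and digits; '.' is left alone.
_PLAIN = string.ascii_uppercase + string.digits
_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM9876543210"
_ENC = str.maketrans(_PLAIN, _KEY)   # what the malware applied
_DEC = str.maketrans(_KEY, _PLAIN)   # the inverse: same key, opposite direction


def scramble_name(name):
    """What the payload did: rewrite the file *name* (incl. extension), not the data."""
    return name.upper().translate(_ENC)


def unscramble_name(name):
    """What a CLEARAID-style cleaner does once the fixed key is known."""
    return name.translate(_DEC)


def boot(counter, names):
    """One simulated run of the hijacked AUTOEXEC.BAT.

    Returns (new_counter, names_after_boot, ransom_note_shown).
    The scramble happens exactly once, on the trigger boot; every later boot
    just re-displays the demand, as the article describes."""
    counter += 1
    if counter == TRIGGER_BOOTS:
        names = [scramble_name(n) for n in names]
    return counter, names, counter >= TRIGGER_BOOTS


def simulate(names, boots):
    """Boot the machine `boots` times; return the final names and whether the note appeared."""
    counter, shown = 0, False
    for _ in range(boots):
        counter, names, shown = boot(counter, names)
    return names, shown


def recover(scrambled_names):
    """Recovery with the extracted key: symmetric scheme, so the inverse is immediate."""
    return [unscramble_name(n) for n in scrambled_names]


if __name__ == "__main__":
    victim = ["SURVEY.EXE", "DATA1.DAT"]          # constructed sample files
    names, shown = simulate(victim, TRIGGER_BOOTS)
    print(names, shown)            # scrambled names, note shown
    print(recover(names))          # originals restored
```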

Last words

The cyber threat landscape in today’s modern world is becoming increasingly complicated and sophisticated. Attempted assaults and data breaches are unavoidable, and no company wants to be faced with the choice of paying a ransom or losing critical information.

To stay one step ahead of bad actors, companies must tackle cybersecurity and threat protection with the latest technologies. Motherboard IT boasts some of the best cyber security Dublin has to offer. Our breadth of services and extensive experience will protect your IT infrastructure today, and they will also allow your systems to adapt as technology and cyber risks evolve.

Source: Analyzing the History of Ransomware Across Industries | Fortinet