The Curious Beginnings of Ransomware

Words and Layout by: Isabelle W.


Ah, ransomware; such a buzzword these days. Yet, few of us really grasp the damage it causes. When it boils down to it, getting infected by ransomware sounds like something that happens to other people — not you. However, one fine day, you boot your computer up only to realise that you have been locked out of all your files.

A ransom note hangs on your desktop, usually in the style of old-timey text-based RPGs that you don't ever remember downloading, written in glaringly bad English, using a hodgepodge of fonts, or just generally letting the world know that cybercriminals aren't big on graphic design. The note tells you that you have X amount of time to pay Y amount of Bitcoin to some wallet or your files will be deleted or leaked to the dark web.

WannaCry Ransomware Note

Before you think, "I don't really care if these tedious spreadsheets are published on the dark web," remember that this is likely to break privacy legislation and make you incur fines. In many cases, regulatory fines can be larger than the ransom.

It is essential to note as well that paying the ransom does not guarantee that the attackers will provide the decryption key or unlock the system. Of the 1,200 firms surveyed in a recent report by Veeam, 80% paid, but many still could not recover their data.


"There is no one-size-fits-all answer to the question of whether an organisation should pay the ransom," Pragma's Co-Founder Manish Chawda reminds everyone. "Organisations must carefully consider myriad factors before making a decision."

Some of those factors are:

Availability Of Backups

Organisations that have fully- or nearly-complete backup copies of the data affected by the ransomware generally don’t need to pay the ransom — but this does not preclude you from being attacked.

Source: 2023 Data Protection Trends Report

Insurance Coverage

Do you have cyber liability insurance and if so, what does your coverage include? Responding to a ransomware incident can be expensive and it is worth seeing if your coverage will reimburse you for the path you take, and the choices you make.

Source: Ransomware Trends 2023


Law Enforcement Request

Law enforcement agencies generally do not recommend paying a ransom. Doing so incentivises threat actors to continue to target companies. And your organisation may even become known as an easy mark.

Dealing with ransomware and its fallout is tricky.

But one of the weirdest things about ransomware is that it’s not new at all.

The first ransomware was actually sent out by post, on floppy disk, before email or even the Internet as we know it — way before most of us had even touched a computer at home. Even though it sounds almost cute, this snail-mail version of ransomware was much sneakier than the ones that followed.

Modern ransomware usually gets people to open email attachments that look like they are from trusted senders, like a banking notice or airline receipts. But the 20,000 disks that were sent to 90 countries in December 1989 were far more deceptive.

Victims were found from mailing lists leaked from PC Business World Magazine and the World Health Organisation’s AIDS conference in Stockholm. They were each sent 5.25-inch floppy disks, with instructions on how to run the program, from a mysterious company called "PC Cyborg Corporation".

The instructions. | Photo Credit: Eddy Willems

Even though the company was just a shell, the disks did indeed have a program on them that used an interactive survey to figure out a person's risk of getting AIDS. But they also had what became known as the AIDS Trojan, a virus that locked up a person's files after they restarted their computer a certain number of times.

Interestingly, the disks included leaflets that warned that the software would "adversely affect other program applications" and stated, "you will owe compensation and possible damages to PC Cyborg Corporation and your microcomputer will stop functioning normally." This proves that nobody really reads the terms and conditions.

Eddy Willems, one of the recipients of the disk, with the leaflet. He was unaffected by the ransomware.

The AIDS Trojan remained dormant on computer systems until 90 reboots had occurred. Afterwards, the virus sprang into action and changed file names and directory names, making the system inoperable. At that point, the ransom demand was presented to the victim.


Users were then told to turn on their printers, which spat out the invoice and repeated directions to wire the money to a Panamanian PO Box, which, undoubtedly, was the 80s version of Bitcoin.

Extortion has been a crime for a long time, but when it came in digital form, no one was ready for it.

When the virus was first found, there were no laws in place to deal with this type of crime. People were scared. The disks were sent, on purpose, to medical research institutions along with individuals. Some scientists deleted important data before they realised their hard drives could be recovered; according to Virus Bulletin, an AIDS research group in Italy lost 10 years of work. A number of PC administrators got the boot from their companies due to lax procedures that the AIDS disk exposed. Reports of encrypted root directories persisted for up to a year following the disk's original distribution.

Detective Inspector John Austen, who oversaw the police investigation in the UK, calculated that about 5% of those who received the disk installed it, so about 1,000 computers were affected. Even though US subscribers appeared on the leaked mailing list, law enforcement agencies in the UK were curious as to why no disks were sent to the US; this fact raised the possibility that Popp was familiar with US law from the outset.

A "Kenyan businessman" going by the name of E Ketema had purchased the lists; however, neither he nor Kitain Mekonen, Asrat Wakjira, and Fantu Mekesse, the "directors" of PC Cyborg, a company registered in Panama on April 12, 1989, have ever been located.

So, who was behind all this chaos? The bad guy in this case wasn't a disgruntled computer programmer in a dark room from some post-Communist state; it was Dr. Joseph L. Popp, an evolutionary biologist with a PhD from Harvard who was conducting AIDS research at the time.

On Christmas Eve 1989, a Dutch colleague of Detective Inspector John Austen called him to report that a certain Dr. Popp had been arrested at Amsterdam's Schiphol airport while in a distressed state. Upon returning from a seminar held by the World Health Organisation in Nairobi, Popp learned about the disruption caused by the AIDS disk, which was extensively covered in newspapers and PC magazines across the globe. People speculate that Popp had a nervous breakdown and promptly informed the authorities he was in dire straits by writing "DR POPP HAS BEEN POISONED" on somebody else's luggage.


When they searched the good doctor's bags, they found a seal for "PC Cyborg Corp." Soon after, Popp was arrested by the FBI at the home of his parents in Willowick, Ohio. He was then sent back to England to face ten counts of criminal damage and blackmail.

After arriving in London, Popp continued to exhibit increasingly bizarre behaviour as he awaited his trial. According to numerous news reports in the British press, he took precautions against radiation exposure by wearing curlers in his beard, a cardboard box on his head, and condoms on his nose. In November 1991, Judge Geoffrey Rivlin declared Popp unfit to face trial.

If Popp was insane and committed this crime, there was a method to his madness. Virus Bulletin stated that the price of disk duplication and distribution alone was more than £10,000 at the time — worth about £30,681.52 today. A significant amount of logistics was involved, including the bulk duplication of disks, the purchase and deduplication of mailing lists, packaging, the application of stamps and address labels, the rental of a London accommodation address, the registration of PC Cyborg in Panama, and other tasks.

If every recipient of the disk had paid the full $378 "licence fee" for the programs, Popp would have made as much as $7.5 million. If only 1% of the intended victims had paid the minimum "licence fee" of US$189, he would have received a sum close to US$38,000. This would have been plenty to cover costs.

But the judge ruled him unfit, so he technically got off scot-free.

Some people didn't think Popp was as weak-minded as he seemed. The police obtained evidence from the doctor's digital diary that showed he had been planning his crime for more than a year and a half. This made it harder to believe his lawyers' claims that Popp was having a manic episode when he made the virus. In that report, there was also proof that the doctor had planned to send out two million more disks.

It didn't matter if Popp was evil incarnate or just a fellow who had stopped taking his meds; the panic over the AIDS Trojan was largely pointless. Dr. Popp's idea to use software to blackmail people around the world was mostly just an idea. The program relied on symmetric cryptography, which made it easy to get back into the computers that he had taken over. After experts figured out what the code meant, decryption tools (in the form of an "AIDSOUT" disk) were made public.

Jim Bates, who decrypted Popp's disk, discovered that the encryption key was "Dr. Joseph Lewis Andrew Popp Jr.". The police also obtained the entire source code to the AIDS disk, although the exact circumstances of this find were not disclosed.

Dr. Joseph L. Popp's Harvard Yearbook Photo | Source: Find a Grave

Popp went on to do many more things with his life — such as writing a book and opening a butterfly conservatory in New York. But his real legacy is the ransomware blueprint he left for hackers to use in the future.

While imperfect, it laid the groundwork for the rise of ransomware as we know it today.

A pair of innovative cryptographers, Adam L. Young and Moti M. Yung, eventually "fixed" Popp's flawed code. The two pioneered cryptovirology in the mid-90s, introducing the use of asymmetric encryption for malicious purposes, particularly in ransomware.

Adam Young giving a lecture at Archbishop Molloy High School. Source: Facebook

They demonstrated this through practical examples like the AIDS Trojan, showcasing how public-key cryptography can securely encrypt victims' data, forcing them to pay a ransom for decryption. Their work truly highlighted the weaponisation potential of robust encryption.
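The two passages above, the AIDSOUT recovery of Popp's symmetric scheme and the Young/Yung public-key correction, come down to one question an incident responder asks of any sample: is the material needed to undo the damage present in the artifact itself? The script below is an added example, not code from the article, from the AIDS Trojan or from Young and Yung. The letter-shift cipher, the layout of the constructed "sample" with its embedded key string, the per-victim key and the toy RSA primes are all assumptions made for illustration; the real AIDS Trojan scrambled names with a different simple scheme, and real public-key ransomware uses full-size RSA or elliptic-curve keys.

```python
"""Key-recovery feasibility: symmetric key inside the artifact (recoverable)
versus a per-victim key wrapped with a public key (not recoverable without
the operator's private key).

Added example; every constant below is constructed for illustration.
"""
import re

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _key_shifts(key: str) -> list:
    """Turn a passphrase into letter shifts; non-letters are dropped."""
    return [ALPHABET.index(c) for c in key.upper() if c in ALPHABET]


def _shift_name(name: str, key: str, sign: int) -> str:
    """Constructed Vigenere-style shift over letters only. Dots and digits pass
    through unchanged, so DOS-style names such as REPORT.DOC keep their shape."""
    shifts = _key_shifts(key)
    out, i = [], 0
    for c in name.upper():
        if c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) + sign * shifts[i % len(shifts)]) % 26])
            i += 1
        else:
            out.append(c)
    return "".join(out)


def sym_scramble(name: str, key: str) -> str:
    return _shift_name(name, key, +1)


def sym_restore(name: str, key: str) -> str:
    return _shift_name(name, key, -1)


# Constructed stand-in for the trojan's program image. With a symmetric cipher
# the same key scrambles and restores, so it has to be present in the program.
CONSTRUCTED_SAMPLE = (
    b"\x00PC CYBORG CORPORATION\x00REBOOTS=90\x00"
    b"KEY=Dr. Joseph Lewis Andrew Popp Jr.\x00\x7f\x02"
)


def recover_embedded_key(blob: bytes) -> str:
    """The AIDSOUT step: pull the key string out of the artifact (strings-like scan)."""
    m = re.search(rb"KEY=([^\x00]+)", blob)
    if m is None:
        raise ValueError("no embedded key in artifact")
    return m.group(1).decode("ascii")


def restore_from_artifact(blob: bytes, scrambled_names: list) -> list:
    """Everything needed to undo the damage is inside the artifact itself."""
    key = recover_embedded_key(blob)
    return [sym_restore(n, key) for n in scrambled_names]


# The Young/Yung correction: the per-victim key is wrapped with a public key.
# Textbook RSA with toy primes (constructed). The artifact carries only (N, E);
# D stays with the operator, so scanning the sample yields nothing that undoes
# the wrapping. Defensive consequence: recovery must come from backups.
P, Q = 1009, 1013
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, never shipped
PUBLIC_ARTIFACT = {"N": N, "E": E}         # all an analyst can pull from the sample


def wrap_victim_key(k: int, artifact: dict = PUBLIC_ARTIFACT) -> int:
    return pow(k, artifact["E"], artifact["N"])


def unwrap_victim_key(c: int, d: int, n: int = N) -> int:
    return pow(c, d, n)


if __name__ == "__main__":
    key = "Dr. Joseph Lewis Andrew Popp Jr."
    scrambled = [sym_scramble(n, key) for n in ("AIDS.EXE", "REPORT.DOC")]
    print(scrambled, "->", restore_from_artifact(CONSTRUCTED_SAMPLE, scrambled))
    k = 123456                               # constructed per-victim key
    print("private exponent present in artifact:", "D" in PUBLIC_ARTIFACT)
    print("operator can unwrap:", unwrap_victim_key(wrap_victim_key(k), D) == k)
```

The first half is the whole of what Jim Bates had to do: the key is a string in the program, so a scan recovers it and the same routine that scrambled the names restores them. In the second half the only thing an analyst can extract is the public pair, which is enough to wrap a key but not to unwrap one, which is exactly why the defensive answer shifted from "write a decryptor" to "keep offline backups".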

Source: Columbia Engineering | Photo Credit: Moti Yung

Young and Yung did for ransomware what the Bessemer Process did for steel: strengthened it, industrialised it, and made it possible to outsource to foreign soil.

The journey from the floppy disk to complex cryptographic ransomware reveals a trajectory of escalation, calling for a commensurate evolution in our defensive strategies. Now, we find ourselves in the Ransomware-as-a-Service era — a business model between ransomware operators and affiliates in which affiliates, lacking the skill or time to develop their own ransomware, pay to launch attacks using ransomware developed by the operators. These services are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the regular internet.

The need for robust, proactive measures has never been more critical. The Ransomware Survival Guide by Pragma emerges as a beacon of knowledge in these trying times. This comprehensive guide aims to equip individuals and organisations with the necessary tools and insights to not only anticipate potential threats but to effectively mitigate and recover from them should they ever materialise.

Thus, securing your digital future is no longer a luxury, but a necessity.


We're wrapping up this inaugural edition of our monthly newsletter, but the conversation doesn't end here! We'd love to hear your feedback, or better yet, collaborate on future topics you're curious about.

Shoot us an email at [email protected] or hit us up on social media with your thoughts, questions, or suggestions - let's keep this dialogue going!


Damian Bierman

Founding Partner, Blackwired Pte Ltd; E&M Co-Chair, FIX Trading Community

1 year

Really enjoyed this. Curious beginnings, indeed!
