The first known ransomware attack hit the healthcare industry way back in 1989. According to the cybersecurity blog Practically Unhackable, a biologist by the name of Joseph Popp sent close to 20,000 floppy disks to researchers claiming they contained a survey which would help scientists determine a patient’s risk for contracting HIV.
What was left unmentioned in the promotional material was that the disks also encrypted file names on infected computers — rendering them practically unusable. Instead of their typical boot screens, victims were shown a message demanding a $189 payment in order to unlock the system.
Popp, who had a PhD from Harvard, was an evolutionary biologist and fell outside of what we think of today as a stereotypical hacker. According to The Atlantic, after he was arrested and charged with blackmail, Popp insisted that he intended to donate the proceeds from his scheme to HIV-related research.
In a camera-ready twist, the demand for ransom actually did come in the form of an analog note. Users were instructed to turn on their printers, which promptly spat out a demand for a “licensing fee” of $189 to be paid using the 20th century, black-box equivalent of bitcoin: by sending money to a Panamanian PO Box. Only then would the victim receive their decryption software.
The package that greeted victims abroad (the disks were never distributed within the U.S.) was stamped “PC Cyborg Corporation.” Although the company was fictitious, the disk inside really did include a program that measured a person’s risk of contracting AIDS based on their responses to an interactive survey. It also contained what came to be known as the “AIDS” Trojan, a virus that encrypted a victim’s files after they had rebooted their computer a fixed number of times.
Regardless of his true motives, the success of Popp’s attack was limited by two key factors: The floppy disks were sent out via the mail system, and the encryption employed by what became known as PC Cyborg was reversible without his help.
Extortion may be an age-old crime, but its sudden appearance in digital form caught the public completely unprepared. In England, where the virus was first reported, there weren’t even laws on the books for dealing with this brand of cyber crime (prosecutors would have to rely on the 1968 Theft Act). Victims panicked. The disks had intentionally been distributed to hundreds of medical research institutions. Realizing their hard-drives had been compromised, some scientists pre-emptively deleted valuable data; according to The Independent, one AIDS organization in Italy lost 10 years of work!
No one knows exactly what provoked Popp to unleash his malevolent code.
Many of his victims were delegates who attended the World Health Organization’s (WHO) international AIDS conference in Stockholm the previous year. But Popp himself served as a part-time consultant for the WHO (in Kenya) and was actively engaged in AIDS research. These paradoxical facts, coupled with his lawyers’ later claims that Popp planned on donating his ransomware profits to alternative AIDS education programs, led some to conclude the doctor was actually some kind of crypto-anarchist Robin Hood trying to trigger reforms. The Guardian provided a much more straightforward motive; Popp had recently been rejected for a job at the WHO.
Six years after the AIDS Trojan was first unleashed, two pioneering cryptographers — Adam L. Young and Moti M. Yung — patched the holes in Popp’s leaky programming by developing a class of algorithms known as public-key cryptography.
Twenty-eight years later, things have changed for the worse in the world of ransomware.