First ransomware attack
The first large-scale ransomware incident was recorded in 1989 and was the work of Joseph Popp, a U.S. researcher involved in AIDS research. His strategy was as ingenious as it was disturbing: he mailed around 20,000 floppy disks to people on the mailing list of a WHO AIDS conference.
On the surface, the disk contained a questionnaire to assess a person's risk of HIV infection. In reality, it carried the infamous AIDS Trojan, a malicious program that used very simple symmetric encryption, with the key stored inside the program itself, to block access to the victims' files. In exchange for regaining control of their data, Popp demanded $189.
Distribution Method: Creativity Born of Necessity
Since the internet was still in its infancy, Popp used a method that seems rudimentary today but was innovative at the time. He obtained mailing lists of subscribers to an HIV conference and to the magazine PC Business World. He then sent out the floppy disks, labeled "Information about AIDS - Introductory Disk", along with detailed instructions.
The software, issued by a fictitious company called PC Cyborg Corporation, came with a license agreement requiring a $378 payment for a lifetime license ($189 for a one-year license) in order to use the program. Of course, few took it seriously.
The trojan counted system boots and only acted after a set number of them (the 90th): it then encrypted the file names on the hard drive, replacing them with strings that looked random, and hid the directories. This made it impossible to identify file types, blocking normal use of the system.
At the same time, a message appeared on the screen: the software license had expired, and to renew it a payment had to be made. The money was to be mailed to a post office box in Panama.
A Problem with a Quick Fix
The choice of symmetric encryption worked against the attacker: the key had to be present in the malware itself, so whoever analyzed the program could read it out and restore the files. In January 1990, Jim Bates, editorial advisor at Virus Bulletin, published the AIDSOUT and CLEARAID utilities to clean infected systems and recover the file names.
Joseph Popp was arrested but was found unfit to stand trial. Years later, in 2000, he published a book titled "Popular Evolution: Life-Lessons from Anthropology". Although he did not profit from the attack, his action set the precedent for what we now know as modern ransomware.
The Concept Evolves
For a while, the idea remained dormant, until 1995, when cryptographers Adam Young and Moti Yung explored how to make it far more powerful. They proposed a ransomware model based on asymmetric encryption: the malware carries only the attacker's public key, encrypts the victim's files under a random key generated on the spot, and then encrypts that random key with the public key. The private key needed to unlock the files never has to be included in the malware code, so analyzing the program no longer yields the means to recover the data.
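The following Python is an added example, not code from the original post and not the AIDS Trojan's or Young and Yung's code. It contrasts the two key-management models described above and in the section on the 1990 fix: the 1989 design, where the symmetric key is a constant inside the program and an analyst recovers it by reading it out of the binary, and the cryptoviral design, where the malware holds only the attacker's public key and each victim's random file key is wrapped under it so that only the attacker can unwrap it. The XOR keystream, the constant `PC-CYBORG-1989`, the `LICENSE-KEY:` marker, the fake program image and the tiny textbook RSA are all assumptions made for illustration; none of them is a real cipher or a real artifact.

```python
"""Toy comparison: symmetric key shipped in the malware (1989) versus the
Young/Yung hybrid model (random file key wrapped with the attacker's public key).
Constructed example; not the AIDS Trojan's code and not Young/Yung's code.
The keystream and the 256-bit textbook RSA are illustrative only."""
import hashlib
import math
import os
import random


# ---------------------------------------------------------------- symmetric part
def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter keystream; stands in for the 'very simple' cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR is its own inverse, so one function encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# ------------------------------------------ model 1: the key ships in the binary
EMBEDDED_KEY = b"PC-CYBORG-1989"  # hypothetical constant, like a key in .data
# Constructed stand-in for the on-disk program: code bytes around the constant.
MALWARE_IMAGE_1989 = (b"\x4d\x5a\x90\x00code...\x00LICENSE-KEY:"
                      + EMBEDDED_KEY + b"\x00...more code")


def trojan_1989_encrypt(data: bytes) -> bytes:
    """Every victim is encrypted under the same constant key."""
    return xor_crypt(EMBEDDED_KEY, data)


def analyst_recover_1989(image: bytes, ciphertext: bytes) -> bytes:
    """The AIDSOUT/CLEARAID situation: the key is a constant in the program,
    so static analysis (here a marker scan, in the spirit of `strings`) yields it."""
    marker = b"LICENSE-KEY:"
    start = image.index(marker) + len(marker)
    end = image.index(b"\x00", start)
    return xor_crypt(image[start:end], ciphertext)


# --------------------------------------- model 2: Young/Yung cryptoviral scheme
E = 65537


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (enough for a toy keypair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    rng = random.SystemRandom()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 128):
    """Attacker side, done offline: only the public half (n, E) goes into the malware."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def cryptoviral_encrypt(public_key, data: bytes):
    """Victim side: fresh per-victim file key, encrypt, wrap the key, forget it."""
    n, e = public_key
    session_key = os.urandom(16)  # 128 bits, always smaller than the 256-bit n
    ciphertext = xor_crypt(session_key, data)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    # session_key is discarded here; only `wrapped` survives, for the ransom note.
    return ciphertext, wrapped


def attacker_unwrap(private_key, wrapped: int) -> bytes:
    """Only the holder of d can turn the ransom-note value back into the file key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(16, "big")
```

In the second model everything an analyst can pull from the victim's disk is the public key (n, E), the encrypted files and the wrapped key; there is no constant to read out, and unwrapping without d amounts to factoring n, which is what makes the scheme hold up at real key sizes. Real ransomware replaces the toy pieces with a proper block cipher for the files and padded RSA (or an elliptic-curve equivalent) for the key wrap; the structure is the same.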
They even envisioned the ransom being paid in digital currency, which did not yet exist in usable form. They presented these ideas in 1996 at the IEEE Symposium on Security and Privacy. Many dismissed the work as a theoretical curiosity, but over time it became clear they had predicted the future.
In 2004, they published the book "Malicious Cryptography: Exposing Cryptovirology", which compiled their research.
From Theory to a Multi-Million Dollar Business
From the mid-2000s onward, ransomware developers began implementing these ideas in earnest. One example was Gpcode, whose later variants (2006 to 2008) used the RSA algorithm with keys that grew from 660 to 1024 bits, long enough that recovery by factoring was no longer practical. From 2013 on, with CryptoLocker as the best-known case, cryptocurrencies such as Bitcoin (and later Monero) gave attackers the missing piece: pseudonymous payments that could be collected from anywhere and were hard to trace or reverse, which opened the way to multi-million-dollar ransom demands.
What began as an experiment on a floppy disk in 1989 eventually became one of the most lucrative forms of cybercrime in history.
At Darkeye Industries, we tell these stories because understanding the past helps us anticipate the future of ransomware.
Darkeye