What Was The First Ransomware Virus?

BY Ray Stevens / ON May 17, 2021

One of the biggest growing problems in computer security is the proliferation of cyberattacks which are far more open and threatening in nature.

Ransomware made international news in a way it never had before with the WannaCry ransom attack, which affected computers in over 150 countries and targeted the NHS, the Russian Interior Ministry as well as Renault, Honda, Deutsche Bahn and FedEx.

Whilst WannaCry was one of the biggest ransomware attacks in terms of scope, it was far from the first. The idea of open virus attacks that rely on a combination of social engineering, data encryption and a more overt, threatening approach can be traced back to the late 1980s.

Interestingly, the first-ever ransomware attack was supposedly intended to be for a good cause.

When Viruses Stopped Hiding

Ransomware is fairly unique among the different kinds of computer viruses and malware: its aim is typically far more obvious, and rather than data scraping, self-replication or destruction, it is focused on extortion.

Prior to this, most viruses were spread as a prank, or by accident, or as a rather misguided form of copy protection. Even more obviously destructive viruses such as the infamous Byte Bandit were mostly developed by cracking and hacking groups as much to show off as cause trouble.

The PC Cyborg, also known as the AIDS Trojan, was completely different and developed for different reasons.

It was developed in 1989, infected DOS-based computers and worked by replacing the AUTOEXEC.BAT file, which executed whenever the computer booted up and would be used to start up mouse drivers, virus scanners and other startup features.

The PC Cyborg would install a counter which would check how often the computer had been booted up, and once it hit 90 boots, it would make every directory hidden and encrypt the names of every file on the C: drive, which was (and in many cases still is) the main drive.

This effectively made the system unusable and displayed a note asking the end-user to pay to “renew” the license for the software by sending money ($189 for 365 uses, $370 for lifetime uses) to PC Cyborg Corporation via a PO box located in Panama.

As interesting as the system’s effect was, the origins of the virus and its unique creator are even more fascinating.

The author was Dr Joseph Popp, an evolutionary biologist who studied at Harvard University. He sent an “AIDS Information Introductory Diskette” through a mailing list he was subscribed to.

Rather than simply sell the disk to interested academic parties, he would get money once they had used it, and would later claim that he was donating proceeds to AIDS research as part of his role as a consultant for the WHO in Kenya and collaborator of the Flying Doctors.

Ultimately, he was declared mentally unfit to stand trial in the UK and was deported to his home in America.

Interestingly, once programmers got their hands on the PC Cyborg program and explored how it worked, it turned out it was actually exceptionally easy to fix the damage caused without paying any money.

It only changed filenames, and did so via an encryption key so simple that one could use the original program itself to do the decoding. Once this was found, a simple removal program called CLEARAID was made to fix the damage.
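
Why a scheme like this can be undone without paying, shown as an added example that is not code from this article, the trojan or CLEARAID: assuming the scrambling is a fixed one-to-one character substitution, a few files whose original names are known (AUTOEXEC.BAT and other standard DOS files) are enough to rebuild the table. The substitution and every scrambled name below are constructed for illustration, and `learn_table`, `restore` and `coverage` are hypothetical helper names.

```python
# Added illustration: known-plaintext recovery of a fixed filename substitution.
# The scrambled names are constructed with a made-up table; they are not the
# AIDS Trojan's real mapping, and this is not how CLEARAID was implemented.

# (original name, name as found on the affected disk), all constructed.
KNOWN_PAIRS = [
    ("COMMAND.COM", "EGDDQFR.EGD"),
    ("CONFIG.SYS", "EGFYOU.LNL"),
    ("AUTOEXEC.BAT", "QXZGTBTE.WQZ"),
]


def learn_table(pairs):
    """Build a scrambled->original character map, rejecting inconsistent pairs."""
    decode, encode = {}, {}
    for plain, scrambled in pairs:
        if len(plain) != len(scrambled):
            raise ValueError(f"length mismatch: {plain!r} vs {scrambled!r}")
        for p, s in zip(plain, scrambled):
            # A fixed substitution must be one-to-one in both directions.
            if decode.setdefault(s, p) != p or encode.setdefault(p, s) != s:
                raise ValueError(f"not a fixed substitution at {p!r}/{s!r}")
    return decode


def restore(name, decode):
    """Decode one name; characters not yet learned come back as '?'."""
    return "".join(decode.get(ch, "?") for ch in name)


def coverage(names, decode):
    """Fraction of names that decode with no unknown characters."""
    done = [n for n in names if all(ch in decode for ch in n)]
    return len(done) / len(names) if names else 0.0


if __name__ == "__main__":
    table = learn_table(KNOWN_PAIRS)
    for scrambled in ["DGXLT.LNL", "YGKDQZ.EGD"]:
        print(scrambled, "->", restore(scrambled, table))
```

A name that decodes with a `?` in it shows which characters still need one more known pair before the table is complete.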

It also highlighted the early issues ransomware extortionists had with hiding their identity, given that blackmail was illegal. Dr Popp thought he was safe by using an offshore account, but his clear ties to the virus were his undoing.
