Close this search box.

Throwback Attack: The AIDS Trojan unleashes ransomware on the world in 1989

Courtesy of CFE Media and Technology

Ransomware attacks on the health care industry skyrocketed in the last year as bad actors looked to profit from the chaos brought on by the COVID-19 global pandemic. But health care and ransomware have a long history together. In fact, the first-ever ransomware attack, the AIDS Trojan, targeted the health care industry all the way back in 1989.

Of course, technology was a little different in the 1980s; this was well before the days of spear-phishing or ransomware-as-a-service. That first-recorded attack, which looks archaic when viewed through today’s lens, was waged using 5.25-in. floppy disks and the postal service. It did, however, set the stage for the more sophisticated attacks that have followed since.

The first ransomware targeted AIDS researchers and came courtesy of evolutionary biologist and Harvard Ph.D. Joseph Popp, an AIDS researcher himself. In 1989, the AIDS epidemic was grabbing headlines everywhere, with both the death of photographer Robert Mapplethorpe and the number of reported cases in the U.S. reaching 100,000 for the first time, according to a timeline on Popp took advantage of this increased interest by distributing 20,000 infected floppy disks to researchers from 90 countries at the World Health Organization’s (WHO) AIDS conference. He claimed the disks contained a computer-based questionnaire that helped gauge a person’s risk of contracting the AIDS virus.

Though the questionnaire was real, Popp’s disks unfortunately were not created to further research efforts. They were instead infected with a malware program that initially sat dormant in users’ systems. But when unsuspecting scientists booted up their computers for the 90th time after infection, a ransom note appeared on the screen saying, “It is time to pay for your software lease from PC Cyborg Corporation,” and demanding between $189 and $378 for different services. According to a report from cybersecurity company Palo Alto Networks, the malware became known as the digital version of the AIDS virus and was called the AIDS Trojan or the PC Cyborg Trojan.

While the virus was primitive compared to modern-day cyber warfare, it used many of the hallmarks of future ransomware attacks, scrambling the contents of victims’ computers by encrypting filenames and then offering to unlock them for a fee. The form of cryptography Popp used, called symmetric cryptography, was not overly complicated or difficult to unscramble, but no one had ever experienced extortion in the digital realm. This caused panic in many of the medical institutions that were hit by the virus, with some even deleting valuable data.

But unfortunately for Popp, there was no simple online currency like Bitcoin to make his job easier. Instead, he asked his victims to mail their payment to a P.O. Box in Panama. According to an Atlantic article on the attack, he ultimately didn’t profit much from his scheme.

“You must enclose a bankers draft, cashier’s check or international money order payable to PC Cyborg Corporation for the full amount of $189 or $378 with your order,” read the message on users’ screens.

Security professionals were soon able to unlock files encrypted by the virus, and decryption tools were made readily, and freely, available. Popp was arrested by the FBI at his parents’ home in Ohio and extradited to Britain, where the virus was first discovered, to face 10 counts of blackmail and criminal damage. But while awaiting trial, he exhibited increasingly erratic behavior, according to journalist Alina Simone in her history of ransomware, and he was declared unfit to stand trial in 1991.

“According to numerous accounts in the British press, this included wearing condoms on his nose, a cardboard box on his head, and putting curlers in his beard to ward off the threat of radiation,” Simone wrote.

Regardless of his mental state, Popp reportedly planned his attack for more than a year and a half and intended to distribute an additional 2 million disks. Still, he lived the remainder of his life — he died in 2007 — relatively consequence-free, and there was never a consensus on what motivated him to unleash this precursor to modern ransomware. His lawyers positioned him as a Robin Hood figure who planned to donate the proceeds from his criminal enterprise to AIDS education programs, but The Guardian posited it was likely because he had recently been rejected for a job at the WHO and was looking for revenge.

Many of the practices used by modern ransomware hackers stem, however indirectly, from Popp’s early effort. Most attacks use scare tactics to inform users their systems have been compromised, and file encryption could be considered the hallmark of today’s ransomware.

In many ways, hospitals and health care systems still make an ideal target for hackers, especially in the pandemic age. Ransomware criminals are looking for organizations that cannot afford downtime and disruptions to the supply chain. That’s why companies like Molson-Coors, Colonial Pipeline and JBS were particularly vulnerable targets.

According to a recent report from IBM Security, attacks on industries supporting COVID-19 response efforts doubled in 2020 “as threat actors sought to profit from the unprecedented socioeconomic, business and political challenges brought on by the COVID-19 pandemic. In 2020, IBM Security X-Force observed attackers pivoting their attacks to businesses for which global COVID-19 response efforts heavily relied, such as hospitals, medical and pharmaceutical manufacturers, as well as energy companies powering the COVID-19 supply chain.”

Blackfog’s State of Ransomware 2021 blog, which tracks publicized ransomware attacks by month, has already recorded 10 ransomware attacks in the health care sector in 2021, including hits on health care giant Scripps, North Carolina-based Allergy Partners and Australian provider UnitingCare Queensland.

“In essence, the pandemic reshaped what is considered critical infrastructure today, and attackers took note. Many organizations were pushed to the front lines of response efforts for the first time – whether to support COVID-19 research, uphold vaccine and food supply chains, or produce personal protective equipment,” said Nick Rossmann, global threat intelligence lead, IBM Security X-Force, in a press release from the company. “Attackers’ victimology shifted as the COVID-19 timeline of events unfolded, indicating yet again, the adaptability, resourcefulness and persistence of cyber adversaries.”

Ransomware didn’t really take off in popularity until the early 2000s, when technology could more readily be weaponized, but the AIDS Trojan laid the groundwork for what was to come and marked the health care industry as ripe for exploitation.




Keep your finger on the pulse of top industry news