CSO spotlight: Ransomware

A history of ransomware: The motives and methods behind these evolving attacks

Ransomware was a novelty until Bitcoin emerged. Today, ransomware is big business as gangs keep innovating.


One day in December 1989, Eddy Willems got a floppy disk that changed his life. His boss gave it to him after finding the label intriguing: “AIDS Version 2.0,” a reference to a disease that was new and strange at that time. The company, based in Antwerp, Belgium, sold medical insurance among other things, and some AIDS statistics might prove lucrative, the boss thought. So, he asked the 27-year-old Willems to test the software.

A jack-of-all-tech-trades, Willems put the 5.25-inch black plastic diskette into his PC. He ran the program, filling out a whole survey meant to tell if someone could be infected with AIDS or not. “And that was it,” Willems says. “I thought: okay, nothing really special here. I’m probably going to throw it away.” Soon, he switched off the computer and went home.

When he turned on his computer the next day, Willems noticed it had fewer folders, but he didn’t put a lot of thought into it. On the third day, however, when he booted up his computer, something strange happened. "There was a message on the screen asking me to pay," Willems says. “It was asking me to mail $189 to a PO Box in Panama, or I couldn’t use my computer anymore. I thought, 'What is this?'”

Willems switched off the computer and used a bootable floppy to restart it. He saw that his directories were still there, but they were hidden, and the names of the files were changed to strings of random characters. Luckily, the contents of his files were unaltered; only their names looked weird.

“I thought: This was encryption,” he says. “But it was completely ridiculous. The program wasn’t created by a real IT guy.” An analysis of the malware published a month later in the Virus Bulletin January 1990 edition said pretty much the same thing: “While the conception is ingenious and extremely devious, the actual programming is quite untidy.”

Image: The original AIDS Version 2 floppy disk (credit: Eddy Willems)

Willems wrote a small script to restore the names of the files. “It took me actually ten minutes to solve the bloody thing,” he says. Then, he went to his boss again and told him that there was possibly a bug in the AIDS program. “I said the diskette is of no use to us, and I’m throwing it away.” 

AIDS Trojan the first ransomware

Little did he know that the AIDS Trojan, also known as PC Cyborg, was wreaking havoc all over the world. It is believed that 20,000 computer enthusiasts, medical research institutions, and researchers who attended the WHO’s international AIDS conference in Stockholm received diskettes like the one Willems got. This sneaky software was attributed to American evolutionary biologist Dr. Joseph Popp, who held a Ph.D. from Harvard. Popp was arrested for spreading the computer virus, charged with several counts of blackmail. He was, however, declared mentally unfit to stand trial.

When Willems saw the names of his files encrypted, he didn’t think it was a security issue. Only a few days later he watched a report on a Belgian TV station explaining the magnitude of what was happening. He was interviewed by journalists and soon his decryption method was used not only in Belgium, but also in faraway countries such as Japan. “The bloody thing” made him famous and, without him realizing it, it paved the way to a successful career. Willems is now a security evangelist at G DATA.

During that crazy week in December 1989, Willems did one more thing right: He didn't throw away the diskette after all. He proudly keeps it on display at his home because “it’s one of the only AIDS floppies left in the world,” he says.

The floppy foreshadowed a new type of attack that costs companies billions of dollars in total each year. “I never thought ransomware would become such a trend,” Willems says.
