Feature Your Christmas holidays looked quite different in the ’80s to how they do today. While some will remember what it was like to wake up on the 25th back then, some of you won’t even have been born. The food hasn’t changed much. Turkey, stuffing, Brussels sprouts… that’s all been around for some time.
Yet what some call the good old days, others might describe as the dark ages of IT. Unrecognizable times. The more mature sector of our readership will remember Christmas Day without smartphones, online multiplayer games, and even consumer-grade internet. Their offices were just starting to get internal networks set up and their computers rarely had hard drives. Too expensive. This was the age of the floppy disk.
It was also the age of opportunity for cybercriminals. Forget about so-called “cyber hygiene,” the word “cybersecurity” wouldn’t make it into even the most niche lexicons for years to come. For all intents and purposes, there were no cybercriminals yet. However, what did exist was a chance for true visionaries in the game to capitalize on what we would now call technological illiteracy for monetary gain.
In December 1989, three years after the Alvi brothers cooked up the world’s first PC virus, Brain, and one year after the world’s first internet virus, the Morris Worm, was written and unleashed, we saw what experts now call the first case of commercial ransomware. The AIDS trojan was the brainchild of Harvard-educated Joseph Popp. It wasn’t just innovation, it was invention.
This December, we at Vulture Central observe the 35th anniversary of the AIDS trojan and the major milestones in ransomware since. No traces of the world’s first ransomware will be found anywhere near the payloads of RansomHub, Qilin et al, but Popp will forever be remembered as the grandfather of one of the most compelling forms of crime.
AIDS trojan recap
Dr Popp, originally from Ohio, was an evolutionary biologist and researcher whose work, much of which was carried out in Kenya, was focused on the AIDS illness. Awareness of the condition only started to peak in the mid-to-late Eighties, around the time the trojan was distributed in December 1989.
Over the years that followed, numerous AIDS trojans infected PCs via floppy disks sent in the mail. Popp was identified as the author and person responsible for manually posting around 26,000 of the disks from a South Kensington address.
It’s believed he chose London as a mailing base since it didn’t have computer fraud laws in place at the time, a reality that soon changed with the Computer Misuse Act 1990. He also used stolen mailing lists for PC Business World magazine subscribers and WHO members to gather the victims’ details.
It’s common knowledge now that receiving any kind of unknown digital storage device in the mail or through other means should certainly not be seen as an invitation to plug it in and see what it does, but back in 1989, this would not have crossed the minds of anyone other than a small portion of the population. Popp was truly ahead of his time.
Bear in mind, too, that the Morris Worm – widely considered to be the first computer virus ever – was unleashed a year earlier. For Popp to establish the cybercriminal business model that would continue to stump the finest minds in 2024 this early into IT history illustrates how rarefied his thinking was.
Once installed, the trojan would wait for the infected host to reboot 90 times before displaying what we now call a ransom note in the form of a service license agreement. It instructed victims to send either $189 or $378, depending on whether they’d like to access their PC for a year or a lifetime, to a Panamanian PO box. Purportedly, the money was to be collected by “PC Cyborg Corporation” and used to fund AIDS research.
No one is believed to have ever paid the demands, which of course pale to modern-day equivalents, but it is widely considered the first case of ransomware. There’s also a case to be made that it was the first high-profile example of hacktivism too – a term that wouldn’t be coined until the mid-Nineties.
A breakdown of the trojan was carried out over hundreds of hours and published by Jim Bates, a member of the Institution of Analysts and Programmers, in the January 1990 edition of trade mag Virus Bulletin. He found that there was no actual encryption going on – the trojan just changed file names.
Popp was arrested at Schiphol Airport for distributing the trojan but avoided prison after being declared mentally unfit to stand trial. He was sent back to the US and died in 2006.
Taken too soon
It’s a shame Popp died when he did, not just because he was taken at the age of 55, but also because he didn’t live long enough to see his illicit invention reach the height of its powers.
Not only do we observe the 35th anniversary of the AIDS trojan, but the vultures also acknowledge the anniversary of Gpcode – the first true example of commercial ransomware as we know it today.
The first samples of Gpcode were detected in December 2004, 20 years ago in Russia, but it wasn’t until 2006, the year in which Popp died, that the payload garnered widespread attention.
Kaspersky’s 2006 paper was the first to shine a light on Gpcode – the first trojan to encrypt various file types before dropping an email-based ransom note [PDF] demanding sums of $100 to $200, payable via e-gold or Liberty Reserve accounts. The security shop noted it had been harassing Russians for well over a year by this point.
In some very early cases, there were signs that the person behind Gpcode would only demand around 1,000 rubles for decryption (now worth around $9 but roughly $35 at the time), and was known to be talked down to just half that.
The earliest versions of Gpcode used 56-bit RSA encryption but the author, whose identity is known but hasn’t been publicly revealed, honed their encryption knowledge and two years later opted for more secure encryption schemas that used 1,024-bit keys.
As Cisco Talos’s EMEA lead Martin Lee notes: “I think we can probably surmise that this was successful for the individuals behind it, and it seems to have spawned or at least inspired the creation of a ransomware industry behind it.”
On a call with The Register, Lee reminds this reporter, whose family didn’t own any kind of computer let alone an internet connection when these events transpired, that at this time offices were only starting to receive wide-scale rollouts of Ethernet connections. The global cybersecurity community was still very small too.
His comments not only serve as a reminder of how immature technology was at the time compared to modern standards but also of the reason why ransomware was starting to become potentially more profitable.
Cybercriminals now had the means to reach victims en masse thanks to the internet combined with cyber hygiene levels that were still fairly poor. No more mailing floppies for these guys. But it wasn’t until the advent of Bitcoin and other cryptocurrencies in 2008 that ransomware would have the final piece of the puzzle locked down – a reliable means to secure payments. And the rest, as they say, is history.
The year in review
History lesson over, let’s take a look at Popp’s legacy in 2024.
You probably don’t need me to tell you that things in ransomware are truly bleak. We’re 35 years into understanding the business’s workings and seemingly no closer to agreeing on how to stop it. The industry can’t even reach a consensus on the best way to approach it, let alone how to actually deliver that vision. It leaves us here at the Manchester bureau of Vulture Towers looking back on how the past year has been as devastating as they come, across our land and beyond our seas.
Close to The Register‘s London HQ, we’ve recently seen ransomware at its very worst with the INC Ransom gang targeting Alder Hey Children’s Hospital, the latest of four major hits on the NHS this year, and the second inflicted by the same hands.
Across England’s river Mersey and just days before the attack on Alder Hey, three centers under Wirral University Teaching Hospitals’ remit were hit by separate ransomware crooks who still haven’t revealed themselves, while INC struck NHS Dumfries and Galloway up in Scotland earlier this year. Plus, the impact of Qilin’s attack on pathology services company Synnovis is still felt in some of London’s hospitals today.
Elsewhere in healthcare, UnitedHealth’s ALPHV/BlackCat attack ended up costing the company well in excess of $2 billion, its financials revealed recently, making it one of the costliest attacks in history.
Two children’s hospitals in Chicago were hit at the start of the year – LockBit boasted of its attack on Saint Anthony Hospital, while those behind the attack on Lurie Children’s Hospital days later were too chicken to own up to what they did.
We’ve almost certainly missed some other biggies from this list, but these were the most morally reprehensible ones, to us at least.
Green shoots emerge but skies remain dark
It’s not all bad news, though, as both ALPHV and LockBit, two of the biggest names in the game, were shuttered this year. Sure, other groups have picked up the slack, but the cops’ disruption of LockBit was especially momentous.
Not only did they bring down and comprehensively annihilate the brand’s reputation, but they unmasked the man behind the whole operation. It felt like a big moment from the outside looking in, but for those in charge of bringing down Dmitry Khoroshev, the man suspected of being the gang’s ringleader, it must have been a career highlight.
Operation Endgame would go on to provide the blueprint for future law enforcement disruptions. Operation Cronos, Operation Magnus and others all emulated the same humiliation tactics to varying degrees. It’s an approach we’re told cops will continue to use in lieu of making key arrests.
Although an impressive number of arrests were made this year, including those of Scattered Spider members and LockBit lynchpins, there are no signs of disrupting the business model to the extent that we start seeing a fall in attacks.
National cybersecurity agencies such as CISA and the UK’s NCSC have spent the past year promoting the old idea of implementing secure-by-design (SBD) principles in software. The idea is to reduce the number of vulnerabilities in products before they’re shipped, although history has taught us that this is easier said than done.
We reported from CYBERUK earlier this year that the NCSC believes the industry also needs to introduce market incentives for vendors to make secure products from the outset.
The agency’s CTO, Ollie Whitehouse, said at the time: “We do not have a technology challenge. We know how to build cybersecurity-resilient technology. We have a fundamental market challenge to do so. So, how we incentivize that market to do it will be on us all in the next period if we want to ultimately win.”
Cisco Talos’s Lee offers us a different perspective, one that’s shared by many corners of the industry on this divisive idea. He acknowledges the difficulty in implementing industry-wide SBD, suggesting that simply getting the basics right: deploying endpoint detection and response everywhere, gaining valuable visibility, and ensuring systems are properly configured is enough to stop most breaches in the current environment. Maintaining backups is key too, of course.
“In an ideal world, yes, systems should just be secure. However, software engineering is hard,” he says.
“It’s difficult enough to create software that does what it is supposed to do and fulfills its requirements. For something to be secure, not only does it need to do what it’s supposed to do, but never do anything else.
“Nobody wants to write vulnerabilities. No one goes out in the morning and thinks, yeah, do you know what? I’m going to code a really big software vulnerability today. Nobody does that. But these things creep in simply because software engineering is hard.”
So some experts believe it’s not feasible to stamp out vulnerabilities at source and we can’t arrest many of the major players due to absent extradition agreements with hostile states. The other main approach to stopping ransomware for good is the most controversial of all – banning payments – but, again, the experts can’t agree on that either.
Since the vultures examined the arguments around banning payments last Christmas, the industry remains at a crossroads on the matter with little material progress to show for the year. Will 2025 be when things change for the better? Probably not. But for now, just ensure your backups are updated before Jesus’ birthday and hope nothing goes wrong over the holidays before you go back to taking up defensive positions again next year. ®
0 Comments