The curious case of the first reported Ransomware

Ransomware predates email and the Internet as we know it. The unlikely story of the first ever recorded case of ransomware has the elements of a movie script: a worldwide pandemic, the World Health Organisation (WHO), an international convention in Stockholm, organisations across the world compromised, airport authorities, multiple law enforcement agencies and a legal system struggling to come to terms with the offence.

The PC Cyborg virus, also known as the AIDS Trojan, was distributed in 1989 and is the first documented ransomware. It was created by evolutionary biologist Dr Joseph Popp, a part-time consultant for the WHO working on research into the AIDS virus.

Dr Popp distributed 20,000 disks to AIDS researchers, most of whom were attendees at an AIDS conference held by the WHO in Stockholm in 1989. The disks were labelled “AIDS Information - Introductory Diskettes”, and were described as containing a computer-based questionnaire to gauge the risk of contracting AIDS.

They also included a leaflet warning that the software would “adversely affect other program applications” and stating, “you will owe compensation and possible damages to PC Cyborg Corporation and your microcomputer will stop functioning normally.” Despite the warning, many went ahead and installed the software, proving that nobody really reads the terms and conditions.

The disks were infected with malware that activated only after the computer had been turned on 90 times. The computer then stopped functioning and displayed a ransom note on the screen.

Users were then instructed to turn on their printers, which printed a demand (the ransom note) for a minimum licence fee of $189, or a full licence fee of $378.00, to be paid to PC Cyborg Corporation at a PO box in Panama.

When they realised their drives had been compromised, some victims panicked and wiped their drives; according to press reports, an Italian AIDS organisation lost 10 years of invaluable research data.

A few weeks after unleashing the virus, Dr Popp attended a WHO seminar in Nairobi, where the AIDS Trojan was a major topic of concern. Travelling back to the U.S., he attracted the attention of the authorities at Schiphol airport by scribbling “DR. POPP HAS BEEN POISONED” on the suitcase of a fellow passenger.

His baggage was searched and links to the PC Cyborg Corporation were discovered. Back in the United States, Dr Popp was arrested by the FBI on ten counts of blackmail and criminal damage. He was then extradited to Britain, where the virus had first been reported. At the time, there were no specific laws for dealing with this type of cybercrime.

Was the motive for this attack, as some newspapers suggested, simply that he had recently been rejected for a job at the WHO?

His lawyers claimed that Dr Popp planned to donate his ransomware profits to alternative AIDS education programmes, a modern-day “Robin Hood” intent on triggering alternative research.

In November 1991, Judge Geoffrey Rivlin determined that Popp was unfit to stand trial, and he was deported to the US. Back in the USA he continued his career in evolutionary science, published a book called “Popular Evolution” and had an indoor tropical garden, the Joseph L Popp Butterfly Conservatory in upstate New York, named after him.

Several years later, after studying Dr Popp's code, cryptographers Adam Young and Moti Yung pioneered cryptovirology and the use of asymmetric encryption for malicious purposes, demonstrating how public-key cryptography can encrypt victims' data so that only the holder of the matching private key can decrypt it, forcing victims to pay a ransom for decryption.

Escalating and evolving threat

Not only has the sophistication and complexity of ransomware developed over the last 30 years, the methods of distributing it have evolved too: from handing out floppy disks to sending attachments or executable code by email, planting malicious links on websites and exploiting network vulnerabilities. This has massively escalated the threat, and criminals can now buy “Ransomware as a Service”, paying someone with the necessary skills to launch ransomware attacks for them.

How can organisations protect against this ever-growing menace?

Victims can use regular backups to recover from a ransomware attack. Being able to restore from a trusted backup is key to defeating this type of cybercrime. However, before restoring from backup it is important to ensure that the backups have not also been impacted, and tracing the origin of the attack can be invaluable in this scenario.

Law enforcement officers investigating strains of ransomware can notify active Police CyberAlarm members who may have received traffic from known indicators of compromise (IOCs) associated with the ransomware. Using the suspicious activity data gathered by Police CyberAlarm (PCA) members, Police Protect teams in several regions have been actively warning PCA members of IOCs from previously confirmed suspicious sources.
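The notification described above rests on one mechanical step: matching a shared list of indicators against the traffic a member has already logged. The following Python is an added illustration of that step and is not Police CyberAlarm's code. The indicator list, the key=value log format and the addresses (all from reserved documentation ranges) are constructed for the example; the severity labels are an assumption about how a notifier might prioritise an allowed outbound connection over a blocked inbound probe.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list, in the shape a notifier might share with members:
# host addresses and ranges (RFC 5737 documentation space, not real IOCs) plus a domain.
KNOWN_IOCS = {
    "networks": [ipaddress.ip_network(n) for n in ("203.0.113.45/32", "198.51.100.0/24")],
    "domains": {"payment-portal.example.invalid"},
}

# Constructed sample log lines; the '<timestamp> <host> k=v ...' layout is an assumed
# firewall/DNS export format, not PCA's.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z fw1 action=allow src=10.0.0.15 dst=203.0.113.45 dport=443 proto=tcp
2024-05-01T09:12:07Z fw1 action=allow src=10.0.0.22 dst=192.0.2.80 dport=443 proto=tcp
2024-05-01T09:13:44Z fw1 action=deny src=198.51.100.7 dst=10.0.0.5 dport=3389 proto=tcp
2024-05-01T09:15:01Z fw1 action=allow src=10.0.0.15 dst=203.0.113.45 dport=8443 proto=tcp
2024-05-01T09:16:30Z dns1 query=payment-portal.example.invalid. client=10.0.0.31
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> <host> k=v k=v ...' into a dict; returns None for junk lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    fields = dict(KV_RE.findall(parts[2]))
    fields["ts"], fields["host"] = parts[0], parts[1]
    return fields


def ip_matches(value, networks):
    """True if value is an IP address inside any of the indicator networks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def match_iocs(log_text, iocs=KNOWN_IOCS):
    """Return one hit per log line that touches a known indicator."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for side, other in (("dst", "src"), ("src", "dst")):
            if ip_matches(rec.get(side, ""), iocs["networks"]):
                # An allowed outbound connection to an indicator is the strongest signal;
                # a blocked inbound probe is still worth recording for the member.
                severity = "high" if side == "dst" and rec.get("action") == "allow" else "info"
                hits.append({"ts": rec["ts"], "indicator": rec[side],
                             "internal": rec.get(other), "severity": severity})
        # DNS queries: normalise case and the trailing dot before comparing.
        query = rec.get("query", "").lower().rstrip(".")
        if query in iocs["domains"]:
            hits.append({"ts": rec["ts"], "indicator": query,
                         "internal": rec.get("client"), "severity": "high"})
    return hits


def hosts_to_notify(hits):
    """Group hits by internal host so each affected system is reported once."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["internal"]].add(h["indicator"])
    return {host: sorted(inds) for host, inds in grouped.items()}


if __name__ == "__main__":
    for host, inds in hosts_to_notify(match_iocs(SAMPLE_LOG)).items():
        print(f"{host}: seen with {', '.join(inds)}")
```

Matching on both the source and destination side matters: a denied inbound connection from an indicator shows the attacker is already probing, while an allowed outbound one to the same indicator suggests something inside is already talking to it.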

Staying ahead of evolving ransomware strains can help to protect members from falling victim to a ransomware attack. Highlighting known instances where attackers may have breached a network helps to bolster defences and increases the chance of mitigating the threat. Becoming an active member of Police CyberAlarm can help to protect your organisation. To register your interest in becoming a member of PCA and take advantage of regular reporting and notifications, please do so here: https://cyberalarm.police.uk/register/

Actions to Take After a Ransomware Attack

A ransomware attack can be an overwhelming experience, but knowing how to react can minimise damage and increase the chances of recovery. Below are actions to take in the event of a ransomware attack:

  • Notify your IT support so they can react.
  • Disconnect the infected devices (wired, wireless or mobile phone based).
  • Consider turning off Wi-Fi connections and disconnecting from the internet.
  • Reset credentials including passwords (especially administrator and system accounts).
  • Safely wipe the infected devices and reinstall the OS.
  • Before restoring, verify that the backup is free from any malware.
  • Connect to a clean network to download, install and update the OS and other software.
  • Install, update, and run antivirus software.
  • Reconnect to your network.
  • Monitor network traffic and run antivirus scans to identify whether any infection remains.
  • Minimise the chances of malicious content reaching your devices through good cyber hygiene:
      • Block websites that are known to be malicious.
      • Train staff never to click on links from untrusted sources.
      • Filter mail/spam to allow only the file types you would expect to receive.
      • Control remote access services and use Multi-Factor Authentication (MFA).
      • Patch vulnerabilities as soon as possible to prevent exploitation.
      • Regularly review and remove redundant user permissions.
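Both the earlier advice to make sure backups "have not also been impacted" and the step above about verifying a backup before restoring come down to the same check: compare the backup set against a record of what it contained when it was taken. The Python below is an added example of that check, not code from Police CyberAlarm or the NCSC. It assumes a manifest of SHA-256 hashes was written at backup time and kept somewhere the attacker could not reach (offline or immutable storage); the file contents, the ransom-note filename and the entropy threshold are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Extensions that are legitimately high-entropy (compressed or already-encrypted formats);
# an assumed allowlist, tune it to the data you actually back up.
HIGH_ENTROPY_OK = (".zip", ".gz", ".7z", ".png", ".jpg", ".pdf")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_manifest(files):
    """Hash every file at backup time. Store the result off the network, not beside the backup."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_backup(files, manifest, entropy_threshold=7.5):
    """Compare a backup set (path -> bytes) against its trusted manifest.

    Flags files whose hash changed, files the manifest never recorded (a dropped
    ransom note, for instance), files that vanished, and files whose content looks
    encrypted even though their type should not be.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            report["missing"].append(path)
        elif sha256_hex(data) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    for path, data in files.items():
        if path not in manifest:
            report["unexpected"].append(path)
        if not path.lower().endswith(HIGH_ENTROPY_OK) and shannon_entropy(data) > entropy_threshold:
            report["high_entropy"].append(path)
    # Missing files are a gap to investigate, but not evidence the remaining data was touched.
    report["safe_to_restore"] = not (report["modified"] or report["unexpected"] or report["high_entropy"])
    return report


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic stand-in for encrypted content so the example reproduces exactly."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed backup sets: what the researcher's backup held when it was taken,
# and the same set after an intrusion overwrote one file and left a note.
def clean_backup_set():
    return {
        "research/notes.txt": b"Cohort B follow-up: 12 of 40 participants returned for the second visit.\n" * 20,
        "research/data.csv": b"id,visit,result\n1,1,neg\n2,1,pos\n3,2,neg\n" * 50,
        "research/summary.md": b"# Interim summary\n\nNo significant difference between arms yet.\n",
    }


def tampered_backup_set():
    files = clean_backup_set()
    files["research/data.csv"] = pseudo_random_bytes(4096)  # overwritten with encrypted-looking bytes
    del files["research/summary.md"]
    files["research/README_DECRYPT.txt"] = b"Your files have been encrypted. Contact us.\n"  # constructed note
    return files


if __name__ == "__main__":
    manifest = make_manifest(clean_backup_set())
    for label, files in (("clean", clean_backup_set()), ("tampered", tampered_backup_set())):
        r = verify_backup(files, manifest)
        print(label, "safe_to_restore =", r["safe_to_restore"], {k: v for k, v in r.items() if v and k != "ok"})
```

A hash mismatch alone cannot say whether a file was encrypted or simply edited after the manifest was taken, which is why the manifest must be produced at backup time and stored where the attacker cannot rewrite it; the entropy check is the second opinion for files that should be readable text but no longer are.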

For more details about how to protect your organisation, visit the National Cyber Security Centre (NCSC) website. It contains a wealth of free advice for organisations on what to do if you are the victim of a ransomware attack, as well as details of many other cyber threats.

More detailed advice can be found here
