
The bizarre, pre-internet history of ransomware


Reefa


A Pynchon-esque tangle of AIDS, floppy disks, and Panamanian PO Boxes, this is ransomware’s stranger-than-fiction origin story.

Two months ago, I wrote a short article about helping my mother deal with CryptoWall 2.0, a form of computer virus more broadly known as ransomware. Basically what happens is this: You flip open your laptop to find you have been locked out of all your files. Then a ransom note hovers into view, written in bad English and a potpourri of fonts, explaining you have a week to pay $500 in bitcoins for a decryption key. If you don’t pay, your ransom increases to $1000. After that, you lose access to your data forever. Really. No amount of Genius Bar hopping will save you; neither the FBI nor top security experts have been able to crack this virus, which is why two police departments in the U.S. (one in Swansea, Massachusetts, the other in Dickson, Tennessee) have admitted to paying malware ransoms after having their databases locked.

I knew it was an interesting story, but didn’t anticipate it would plunge me into the kind of micro-media storm I’d seen engulf journalist friends of mine, but never experienced myself. All the major TV networks contacted me — ABC, NBC, CBS, FOX — as did NPR and about a dozen regional radio shows. The article remained at the top of the New York Times most-emailed list for a solid week. Everywhere I went, people stopped to ask how my mother was doing using a low, concerned tone that implied chemotherapy or pet death. My mother had paid the ransom, gotten back her files and bought herself a new computer, I’d reply. She was fine. And I couldn’t help but wonder whether ransomware was simply the Fear of the Month — like margarine during the 80s, or the threat to sperm count if guys kept a cell phone too close to their balls in 2008. Or does this fear really presage a dystopian future where armies of zombified MacBook Airs murderize us in our sleep?

I decided to interview the CryptoWall hackers to find out.

You probably think it is laughable that a cybercriminal on the FBI’s most wanted list would agree to speak to me on the record, and I did too. But Chester Wisniewski, the cyber-security expert I quoted in my Times piece, assured me these guys “have egos as big as houses,” and have been known to say yes. So I had Chester infect a proxy computer for me and wrote to the hackers using CryptoWall’s built-in message interface (victims can use it in case they have “payment questions”) to see whether they would answer my questions via an anonymous chat service. The response arrived within twenty-four hours: “sorry no way.”

I thought “sorry” was funny.

Having failed to query the current (and likely future) perpetrators of ransomware, I decided to turn to the past, specifically to the very first instance of ransomware. Was the perp ever caught? What was the public response? And how has ransomware evolved technologically since then? Perhaps these answers would help me better understand the legitimacy of the ransomware threat.

But one of the weirdest things about ransomware is that it’s not new at all.


A floppy disk like this one was used to distribute the first ransomware virus.

The first ransomware virus predates e-mail, even the Internet as we know it, and was distributed on floppy disk by the postal service. It sounds quaint, but in some ways this horse-and-buggy version was even more insidious than its modern descendants. Contemporary ransomware tends to bait victims using legitimate-looking email attachments — a fake invoice from UPS, or a receipt from Delta airlines. But the 20,000 disks dispatched to 90 countries in December of 1989 were masquerading as something far more evil: AIDS education software.

The package that greeted victims abroad (the disks were never distributed within the U.S.) was stamped “PC Cyborg Corporation.” Although the company was fictitious, the disk inside really did include a program that measured a person’s risk of contracting AIDS based on their responses to an interactive survey. It also contained what came to be known as the “AIDS” Trojan, a virus that encrypted a victim’s files after they had rebooted their computer a fixed number of times.

In a camera-ready twist, the demand for ransom actually did come in the form of an analog note. Users were instructed to turn on their printers, which promptly spat out a demand for a “licensing fee” of $189 to be paid using the 20th century, black-box equivalent of bitcoin: by sending money to a Panamanian PO Box. Only then would the victim receive their decryption software.

Extortion may be an age-old crime, but its sudden appearance in digital form caught the public completely unprepared. In England, where the virus was first reported, there weren’t even laws on the books for dealing with this brand of cyber crime (prosecutors would have to rely on the 1968 Theft Act). Victims panicked. The disks had intentionally been distributed to hundreds of medical research institutions. Realizing their hard drives had been compromised, some scientists pre-emptively deleted valuable data; according to The Independent, one AIDS organization in Italy lost 10 years of work.


Left: The harmless-seeming app install screen. / Right: The ransomware message that threatened users a few days later.

So who was the criminal mastermind that prompted Scotland Yard’s Computer Unit to launch their largest and most expensive investigation? In this case the perp wasn’t a thwarted computer programmer from some post-Communist backwater, but an evolutionary biologist with a PhD from Harvard: Dr. Joseph L. Popp.


Joseph Popp, the creator of the first ransomware virus, was a Harvard-educated anthropologist.

And if that name sounds familiar, perhaps you’ve paid a visit to the eponymous butterfly conservatory he created with his daughter in upstate New York after he was let off scot-free.

No one knows exactly what provoked Popp to unleash his malevolent code.

Many of his victims were delegates who attended the World Health Organization’s (WHO) international AIDS conference in Stockholm the previous year. But Popp himself served as a part-time consultant for the WHO (in Kenya) and was actively engaged in AIDS research. These paradoxical facts, coupled with his lawyers’ later claims that Popp planned on donating his ransomware profits to alternative AIDS education programs, led some to conclude the doctor was actually some kind of crypto-anarchist Robin Hood trying to trigger reforms. The Guardian provided a much more straightforward motive; Popp had recently been rejected for a job at the WHO.

But the excuse that the Judge ultimately accepted, and which set Popp free, was simply that the doctor was insane.

For this hypothesis, there was ample evidence, starting with the clue that led to Popp’s apprehension. Less than two weeks after unleashing the virus, Popp became unnerved while traveling back to the U.S. from a WHO seminar on AIDS in Nairobi, where news of the AIDS Trojan had been a hot topic. He caught the attention of authorities at Amsterdam’s Schiphol airport after scribbling, “DR. POPP HAS BEEN POISONED” on the suitcase of a fellow passenger. A baggage search led to the discovery of a seal labeled “PC Cyborg Corp.” Soon afterward, Popp was arrested by the FBI at his parents’ home in Willowick, Ohio and then extradited to Britain on ten counts of blackmail and criminal damage.

After arriving in London, Dr. Popp continued exhibiting increasingly strange behavior while he awaited trial. According to numerous accounts in the British press, this included wearing condoms on his nose, a cardboard box on his head, and putting curlers in his beard to ward off the threat of radiation. In November of 1991, Judge Geoffrey Rivlin determined that Popp was unfit to stand trial.

Not everyone believed that Popp was as fragile as he appeared. Evidence from a digital diary obtained by the police revealed the doctor had been planning his crime for more than a year and a half, which cast doubt on lawyers’ claims that Popp had been in the grip of a manic episode when he created the virus. A lengthy report published by Virus Bulletin in 1992 further detailed the massive logistical effort involved in copying, packaging and posting the 20,000 disks.

That report also revealed evidence the doctor had been planning to disseminate an additional 2 million disks.

Whether Popp was Voldemort-made-flesh, or merely a guy who went off his meds, the frenzied response to the AIDS Trojan turned out to be unwarranted. Dr. Popp’s evil innovation, turning software into a vehicle for international blackmail, was largely conceptual. The form of cryptography he’d used to hijack victims’ hard drives, known as symmetric cryptography, was easily reversible. Once computer experts analyzed the code, decryption tools (in the form of an “AIDSOUT” disk) were made freely available.

Back in the United States, Dr. Popp resumed a varied career, which had begun in East Africa studying hamadryas baboons, and culminated in Oneonta, New York, with the opening of the Joseph L. Popp Jr. Butterfly Conservatory, “a fantastic family activity and learning experience for all ages.” His real legacy, however, is the ransomware blueprint he bequeathed to later generations of hackers. Six years after the AIDS Trojan was first unleashed, two pioneering cryptographers — Adam L. Young and Moti M. Yung — patched the holes in Popp’s leaky programming by developing a class of algorithms known as public-key cryptography.

This innovation basically did for ransomware what the Bessemer process did for steel.

Recent iterations of extortion-based malware, such as CryptoLocker, have grown increasingly bulletproof. The latest such virus, VirRansom, emerged just a couple of months ago; computer security experts have already dubbed it the “AIDS of ransomware.”


A recent ransomware lock screen demands bitcoins.

It’s not the first time AIDS has been invoked as a metaphor to convey the destructive power of malware, but I’ve come to believe there is an intimate psychological link between ransomware in particular and the virus that first inspired its creation. Both carry with them the whiff of original sin — the errant click, the failure to adequately back up, or keep current on all those myriad patches and security updates. Let’s face it; we are laden with cyber-guilt. The ransom note arrives as a diagnosis, but we interpret it as an indictment of our messy, optimistic, impulsive, computer-using selves. And we are right.

Because our fear of ransomware isn’t about the shadowy hackers themselves, would-be peddlers of butterflies or JavaScript programmers gone bad; it’s about us.

Computers are no longer just machines to rely on. They are second brains, extensions of our innermost selves, clandestine caves in which to stash our memories, secrets, dreams, and hidden vices.

There are things our computers know about us that no human does.

And as that symbiotic relationship grows, so does the fear of “infection” — that someone else can actually see inside you. Aside from the shame of being infected, and the shame of paying the ransom when you realize there is no cure, the greatest shame is perhaps simply in knowing how much more you would pay for the assurance that you alone hold the keys to the sanctuary. We can never be safe enough.

https://medium.com/un-hackable/the-bizarre-pre-internet-history-of-ransomware-bb480a652b4b