
How PC Cyborg Ransomware Pioneered Hacker’s Philosophy

  • Published August 27, 2022

Ransomware has evolved into an arsenal of destruction, causing damages up to $20 billion in 2021. Reports suggest that losses will continue to grow as several hacker groups launch attacks with the sole intent of extortion. Big ransomware groups such as Lapsus$, Hive, and Conti extort billions of dollars from their victims every year. However, as lucrative as it sounds, the oldest ransomware attacks were not as ruthless as they are now. In fact, the first-ever attack initiated by an American doctor asked its victims to pay only $189. The extortion-intended malware came into existence in the form of revenge against the World Health Organization and pioneered the hacker’s philosophy to extort money from its victims.

The AIDS Trojan, or PC Cyborg Ransomware, was the first-ever malware created to extort money and was documented in 1989. It was released via a floppy disk and could replace the AUTOEXEC.BAT file in the system. According to sources, the ransomware was released during the World Health Organization’s AIDS conference in 1989. It was distributed to 20,000 doctors and AIDS researchers who attended the conference.

Since the internet and emails were out of the reach of the public in 1989, the ransomware was distributed via a floppy disk labeled “AIDS Information – Introductory Diskettes” and claimed to contain survey files for accessing information related to AIDS patients. However, upon using the computer disk, the researchers discovered that they were dealing with something beyond their knowledge and control — the world’s first ransomware!

Who created AIDS Trojan or PC Cyborg Ransomware?

Regarded as the father of ransomware, Joseph Popp was the sole member of the PC Cyborg Corporation, which oversaw disseminating the AIDS Trojan. After being turned down for a position at the World Health Organization, Popp is said to have distributed the AIDS Trojan as retaliation.

The components of the AIDS Trojan (flashing windows, aggressive colors, and alarming words like “Catastrophic System Error”) made the doctors and researchers who received the virus panic. They eventually gave in to the demands or erased files, destroying years of data, as they had no prior experience dealing with malware and ransomware.

The Cyborg Ransomware was one of the earliest pieces of malware that used Trojan and ransomware techniques, despite being relatively weak and having a modest impact.

The nature of the demands—requiring a check mailed to a PO Box in Panama—hindered the virus’s overall efficacy. Many didn’t follow through and preferred deleting their data.

Though the program’s language was confusing, and the encryption methods were not particularly advanced, the virus employed some cunning strategies to intimidate its victims. These included delayed onset and scare tactics.

It was a short-lived threat because solutions to decrypt damaged data and uninstall the virus were distributed within the following year. However, the AIDS Trojan’s strategies did serve as a template for modern-day ransomware attacks.

Currently, ransomware has advanced to a point where it is very sophisticated and profitable, with attacks bringing in more than $1 billion annually. Ransomware attacks may cost a company more than $130,000 on average, making them one of the costliest types of online crime.

PC Cyborg Ransomware: How was it used?

Once the corrupted floppy disk was inserted into the victim’s computer systems, it revealed two QuickBASIC 3.0 files. The first one contained the file “survey,” while the other had the installer for the malware. Once installed, the malware didn’t encrypt the files immediately. Instead, it compromised the AUTOEXEC.BAT in the root directory.

The system ran the BAT file at start-up, executing it on every boot. Cyborg Ransomware stayed hidden until the system had completed 90 boot cycles, which triggered the program to use symmetric encryption to encrypt the names of all the files on the C: drive.

The encryption method would change the files’ extension names, thus preventing them from being executed by the user. However, the contents of the files were not affected: the method did not harm the files themselves but only left their names in an encrypted state.
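Because only the names were scrambled and the contents stayed intact, a fixed name-scrambling scheme can be undone from a handful of files whose original names are already known. The following is an added example, not code from the article or from any historical removal tool; it assumes a fixed per-character substitution (the article says only "symmetric encryption"), and the table and file names are constructed for the demo.

```python
# Added example. Assumption: every name is scrambled with one fixed
# per-character substitution. The table below is constructed for this demo.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
_DEMO_TABLE = dict(zip(ALPHABET, ALPHABET[7:] + ALPHABET[:7]))

def scramble_for_demo(name):
    """Produce a constructed 'scrambled' name; other characters pass through."""
    return "".join(_DEMO_TABLE.get(ch, ch) for ch in name)

def learn_mapping(known_pairs):
    """Derive scrambled->original characters from (scrambled, original) pairs.

    Pairs can be matched by size and timestamp, since file contents are intact.
    """
    mapping = {}
    for scrambled, original in known_pairs:
        if len(scrambled) != len(original):
            raise ValueError(f"length mismatch: {scrambled!r} vs {original!r}")
        for c, p in zip(scrambled, original):
            # A second, different value for the same scrambled character
            # means the fixed-substitution assumption does not hold.
            if mapping.setdefault(c, p) != p:
                raise ValueError(f"{c!r} maps to two letters; not a fixed substitution")
    return mapping

def restore(name, mapping):
    """Return (restored name, set of scrambled characters still unresolved)."""
    unresolved = {ch for ch in name if ch not in mapping}
    return "".join(mapping.get(ch, "?") for ch in name), unresolved

if __name__ == "__main__":
    # File names present on a typical DOS system, used as known plaintext.
    well_known = ["COMMAND.COM", "AUTOEXEC.BAT", "CONFIG.SYS"]
    mapping = learn_mapping([(scramble_for_demo(n), n) for n in well_known])
    for scrambled in ("KH0H.040", "YLZ1S0Z.KH0"):
        print(scrambled, "->", restore(scrambled, mapping))
```

The second name is only partly restored because two of its letters never occur in the known names; each further known pair shrinks the unresolved set.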

Once the files were encrypted, the software would start shooting ransom messages on the screen, notifying the users that they must pay a certain amount to renew their software lease from PC Cyborg Corporation.

The leases were $189 for a year and $378 for a lifetime and were changed to nearly $400 and $800, respectively, during the inflation periods. The 1980s had none of today’s payment methods, so the alleged hacker told his victims they needed to send the money to a Panama PO Box.

The impact and aftermath of Cyborg Ransomware

Popp did not collect many ransom payments, partly because of his peculiar ransom payment technique. His Trojan was not a very pervasive or lucrative piece of ransomware.

However, it paved the way for modern-day ransomware, which is ten times more powerful and detrimental than Cyborg Ransomware. Though there had been other viruses before it, like the infamous Creeper, known for clogging users’ hard drives and stealing their contents, the AIDS Trojan was one step ahead in its philosophy and intent.

Instead of just playing a prank, Popp’s ransomware pressured its victims into paying money, which paved the way for modern-day hacking methods and collectives that still use the ransom model to extort money from their victims.

According to statistics, ransomware has multiplied since then, bringing in billions of dollars as attack revenues. A modern-day ransomware attack can cost as much as $133,000, depending on the target’s position and hacking method.

Regarding the attacker, Popp had a nervous breakdown at an airport in Amsterdam and was later detained in the Netherlands in January 1990. In his luggage, police discovered equipment with the “PC Cyborg Corp.” label.

He was returned to the US by the authorities, where the FBI picked him up. He was then deported to Britain by New Scotland Yard because of blackmail.

In 1992, however, the court ruled that Popp was not competent to stand trial. To defend himself against the court, he supposedly started wearing curlers in his beard and placing a cardboard box on his head. In 2007, he died of old age, leaving a trail of intent-based hacking philosophy behind.

Written By
Ashish Khaitan
