(CNN)Eddy Willems was working for an insurance company in Belgium back in December 1989 when he popped the floppy disc into his computer.
The disc was one of 20,000 sent in the mail to attendees of the World Health Organization’s AIDS conference in Stockholm, and Willems’ boss had asked him to check what was on it.Willems was expecting to see medical research when the disc’s contents loaded. Instead he became a victim of the first act of ransomware — more than 30 years before the ransomware attack on the US Colonial Pipeline ignited a gas shortage in parts of the US last week.
A few days after inserting the disc, Willems’ computer locked and a message appeared demanding that he send $189 in an envelope to a PO Box in Panama. “I didn’t pay the ransom or lose any data because I figured out how to reverse the situation,” he told CNN Business.
He was one of the lucky ones: Some people lost their life’s work.Read More”I started to get calls from medical institutions and organizations asking how I got around it,” said Willems, who is now a cybersecurity expert at G Data, which developed the world’s first commercial antivirus solution in 1987. “The incident created a lot of damage back in those days. People lost a lot of work. It was not a marginal thing — it was a big thing, even then.”
This disc was one of 20,000 sent in the mail to attendees of the World Health Organization’s AIDS conference in StockholmThe scheme made headlines and appeared in Virus Bulletin, a security magazine for professionals, a month later: “While the conception is ingenious and extremely devious, the actual programming is quite untidy,” the analysis said. Although it was a pretty basic malware, it was the first time many people had ever heard of the concept — or of digital extortion. It’s unclear if any people or organizations paid the ransom. The floppy discs were sent to addresses all over the world obtained from a mailing list. Law enforcement traced the effort to a PO box owned by a Harvard-taught evolutionary biologist named Joseph Popp, who was conducting AIDS research at the time. He was arrested and charged with multiple counts of blackmail, and is widely credited with being the inventor of ransomware, according to security news website CSOnline.com.”Even to this day, no one really knows why he did this,” said Willems, noting how costly and time intensive it would have been to mail that number of floppy discs to so many people. “He was very influenced by something. Perhaps someone else was involved — as a biologist, how did he have money to pay for all of those discs? Was he angry about the research? Nobody knows.” Some reports indicate Popp had been rejected by WHO for a job opportunity.
Eddy Willems with his original floppy disc with ransomware from 1989After his arrest at Amsterdam’s Schiphol Airport, Popp was sent back to the United States and imprisoned. He allegedly told authorities he had planned to donate the ransom money to AIDS research. His attorneys also argued he was not fit to stand trial; he reportedly wore condoms on his nose and curlers in his beard to prove he was unwell, according to journalist Alina Simone. (A judge ruled in his favor.) Popp died in 2007. The case became a big discussion point, and the legacy of his crime persists to this day. The US Justice Department recently said 2020 was “the worst year to date for ransomware attacks.” Security experts believe ransomware attacks against both corporations and individuals will continue to grow because they’re easy to execute, hard to trace and victims can be exploited out of a lot of money.Ransomware typically wreaks havoc on computer systems either after someone clicks on a malicious link and unknowingly installs software or from a vulnerability on an outdated server.
Ransomware took down the Colonial Pipeline. You could be at risk tooOne of the biggest problems about ransomware nowadays is that ransoms are often paid with cryptocurrency, such as bitcoin, which is exchanged anonymously and not traceable. While most large-scale ransomware activity stems from organized crime groups — as is the case with the US pipeline — Popp seemed to have acted alone.”More than an actual criminal mastermind, he was what you would classify as a ‘lone actor’ as opposed to an organized crime syndicate or state sponsored actor,” said Michela Menting, a research director at market research firm ABI Research. “His motivations appeared to be quite personal. … He obviously had strong feelings about AIDS and AIDS research.”While the reasons for his act are unknown, Popp made a big effort to clear his name and moved on to other pursuits, Menting said. He self-published a self-help book called “Popular Evolution,” for instance, in which he advocated that the marriage age be lowered and young women focus their lives on birthing children. Before his death, Popp created The Joseph L. Popp, Jr. Butterfly Conservatory in upstate New York. The conservatory did not respond to a request for comment.
The floppy disc, now a piece of security history and likely one of the few left in the world, hangs on Willems’ living room wall. “A museum offered me $1,000 for it, but I’ve decided to keep it,” he said.