A free disk stuck to the front of a computer magazine changed Eddy Willems' life forever.
In December 1989, Willems worked at a Belgian insurance firm, and put the disk into a work computer. Bizarrely, it presented a questionnaire, the answers of which told the user whether or not they were in danger of contracting HIV/AIDS. Willems completed the quiz, and didn't think much more of it.
But a few days later his computer locked itself down and demanded he sent $189 to a PO Box in Panama. The printer even churned out an invoice.
"Shit, I have to pay," Willems, who is now a security evangelist at cybersecurity company G Data, thought.
Willems, and potentially thousands of other people who mysteriously received the disk around the world, had just witnessed what is believed to be the first ever case of ransomware: malware which renders a victim's computer unusable until the victim coughs up a hefty fee. We may think of ransomware as a modern invention, but the basic, and quite brilliant, idea at the heart of it was conceived over two decades ago.
"While the conception is ingenious and extremely devious, the actual programming is quite untidy," a Virus Bulletin analysis from 1990 reads.
In the UK, whoever was behind what was dubbed the AIDS ransomware sent their disk to subscribers of PC Business World magazine. In short, AIDS surreptitiously modified files on the victim's hard-drive, and when the machine had been rebooted a number of times, the malware locked the computer and presented a message requesting payment for "leasing" the software, according to the analysis.
"You are advised to stop using this computer. The software lease has expired. Important: Renew the software lease before you use this computer again," a README file created by the malware read.
The AIDS ransomware didn't actually encrypt the contents of files—only their names—so restoring the computer to a usable state was pretty straight forward, albeit laborious.
"Restoration can be quite simply achieved once the extension and filename encryption tables are known," the Virus Bulletin analysis reads. Jim Bates, the author of the report, also offered two programs to remove the ransomware—free of charge. Indeed. Willems also figured out how to remove the software from his own machine.
Shortly after, Willems turned on the TV, and saw he wasn't the only one who had received the disk. Investigators later identified Dr. Joseph Popp as being behind the AIDS campaign.
But ransomware was now a reality.
Years later, in around 2005 and 2006, hackers developed other examples of ransomware, such as Gpcode, Krotten, and Cryzip, malware researcher Vesselin Bontchev told Motherboard in an email. The recent era of ransomware started with Cryptolocker in 2013, and cybercriminals made the substantial shift to using bitcoin, allowing payments while hackers maintained a high degree of anonymity.
Today, the AIDS disk is a sought after piece of information security memorabilia, and Willem hangs his copy on the wall. As for how the AIDS ransomware affected Willems, he was already fairly interested in computer viruses, but this was the catapult that started his career.
"It changed my life, completely," Willems told Motherboard. And what would Willems want to tell Popp, apart from saying you showed what was possible?
"Thank you," Willems said.
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.