Ransomware - AIDS Trojan

AIDS Trojan
AIDS Virus
AIDS Info Disk
PC Cyborg
Decryptor Available

The AIDS Trojan, or PC Cyborg, is commonly referred to as the first-ever ransomware. Because of this, Dr. Joseph Popp, the author of the AIDS Trojan, is known as "the father of ransomware." Appearing in December of 1989, Popp's ransomware differed from modern ransomware in many ways. Most obviously, it was "deployed" as a floppy disk and sent by postal mail from a London location. Once inserted into a system, the floppy disk hijacks AUTOEXE.BAT and alters it to count the number of reboots of the system. Once the counter reached 90, the program would prompt the user to renew a license to continue using the system. A technical analysis by Jim Bates in the 1990 January issue of Virus Bulletin revealed that the program, written in QUICKBASIC 3.0, also encrypted file names (not the files themselves), hid directories, and dropped a ransom note (the license renewal). Bates quickly created a removal tool to remove the AIDS Trojan called AIDSOUT and a program that allowed victims to retrieve hidden directories called AIDSCLEAR. With the help of his colleague, John Sutcliffe, they deciphered the encryption algorithm (a simple, symmetric, substitution cipher) and created the first-ever ransomware decryptor called CLEARAID.

Dr. Joseph Popp was born in Ohio and was a Harvard-educated biologist who did a lot of work in Kenya. This is where part of the program - a survey on the susceptibility to contracting the AIDS virus - is believed to have been developed. Further tests of the AIDS Trojan were discovered in Geneva at the World Health Organization (WHO) headquarters. The floppy disks themselves, around 20,000 in total, were sent out to a reported 90 countries by postal mail from London to people who were subscribed to the same science-related magazines and members of the WHO. The ransom note demanded victims send $189 for one year of the license, or $378 for lifetime access, to a P.O. Box in Panama. This amounts to around $400 and $800, respectively, today. No one is reported to have ever paid the extortion except for investigators to see what would happen. Popp was quickly arrested for his crime, although he never faced prison. It is believed that Popp sent out floppy disks in the United Kingdom because they didn't have computer misuse laws, and this was noticed quickly because Popp's actions were the impetus for the Computer Misuse Act of 1990. Based on all of the known knowledge of the incident, it could be said that the first ransomware had connections to the United States, Kenya, Switzerland, Panama, and the United Kingdom.

Ransom note pictures derived from KnowBe4 and Wikipedia

Ransomware Type
Country of Origin
United Kingdom
First Seen
Last Seen
Extortion Types
Direct Extortion
Extortion Amounts
Postal Mail
Substitution cipher on file name
File Extension
<substitution cipher file name>.[ XX]
Ransom Note Name
Samples (SHA-256)
Industry Sector Country Extortion Date Amount (USD)
Insurance Belgium $189
Education Italy $189
Healthcare & Medicine Italy $189
Healthcare & Medicine Sweden $189
Banking & Finance United Kingdom $189
Education United Kingdom $189
Government United Kingdom $189
Healthcare & Medicine United Kingdom $189
BIOSCI/Bionet: AIDS Trojan final update
OpenSea: Virus.DOS.Aids
The Centre for Computing History: Press Cuttings on the AIDS Trojan Attack, 1989
The Ransomware Hunting Team: Pages 17-42
University of St Andrews Research Repository: The theory and implementation of a secure system
Virus Bulletin: January 1990
Virus Bulletin: February 1990
Virus Bulletin: March 1990
Virus Bulletin: May 1990
Virus Bulletin: January 1991
Virus Bulletin: March 1991
Virus Bulletin: April 1991
Virus Bulletin: June 1991
Virus Bulletin: January 1992
Virus Bulletin: January 1993
Virus Bulletin: February 1993
Virus Bulletin: May 1993
Virus Bulletin: November 1993
Virus Bulletin: December 1993
Virus Bulletin: January 1994
Virus Bulletin: October 2000
Virus Bulletin: January 2001