Ransomware Protection Playbook. Roger A. Grimes
Читать онлайн книгу.
and understood what the trojan program did, you could convert everything back to the original file and folder names and locations. Several individuals figured this out and wrote “fix-it” programs, including early computer virus expert Jim Bates.
Bates created a free 40-page analysis report of the trojan that he would send to anyone who requested it, and he published a shorter, but still great, analysis in the premier antivirus journal Virus Bulletin (https://www.virusbulletin.com/uploads/pdf/magazine/1990/199001.pdf.) in January 1990. Bates revealed the many dubious routines of the program including the multiple steps it took to fake what the user saw when investigating. It was a great example of the antivirus and online community coming together to defeat a common foe without thinking about profit.
The PC Cyborg ransomware encryption routine used what cryptographers called simple character substitution for the encryption component. This is the absolute simplest type of encryption possible, and because of that, it's probably more accurate to call Dr. Popp's encryption routine obfuscation instead. It certainly wasn't anything close to as secure as how most digital encryption had been accomplished on computers for at least a decade before Dr. Popp's program, and much less sophisticated compared to encryption in today's ransomware variants. But the point is mostly semantic. To most victims, their data was gone and their computers were unusable.
Along with his detailed analysis, Bates created a free trojan removal program called AIDSOUT and a free AIDSCLEAR program that would restore any renamed and moved files to their original locations and names. The late John McAfee, of McAfee Antivirus fame, gained some early national media attention in the United States by talking about the ransomware program and by saying he went around rescuing people's locked-up PCs.
It was the publicity surrounding John McAfee's computer virus recoveries during that time that led this author to disassembling DOS computer viruses for John McAfee later that year and largely led to the author's lifetime career in cybersecurity.
After the antivirus industry and law enforcement determined that Dr. Popp was involved, he was arrested on a warrant while at Amsterdam's Schiphol Airport and eventually imprisoned in London. During the arrest it was immediately noted that he was having some mental health issues. Even before the arrest, he had apparently scribbled strange messages on another passenger's luggage, indicating that he, Dr. Popp, was in the luggage. He did many other unusual antics during this period of time, including wearing a condom on his nose and wearing curlers in his beard “to ward off radiation.” To this day no one knows if he was really having mental health issues or just faking being insane to avoid being found guilty. Either way, he was originally arrested or detained in the Netherlands and sent back to his parents in Ohio in the United States at some point. He was then re-arrested on many crimes including blackmail and extradited back to the United Kingdom for trial.
Where the various arrests happened are swapped in some news stories, but it appears he was arrested or detained in two or three different countries at some point and faced some sort of adjudication in at least two of those countries. His final release came from a UK court.
Dr. Popp's original defense was to claim that everything he did was legal because he warned users, and they were the ones not paying for what they were legally obligated to pay. Some lawyers thought he may have a valid legal point even though it was unusual and unethical. Part of Dr. Popp's original defense fell apart because his program would also state that if users took his ransom program to another computer and allowed it to lock up that computer, that the program would then unlock the original computer so it could be used. This part of the program did not work, either intentionally or unintentionally, and both the original and additional PC would not be operational.
It's unclear if Dr. Popp ever got paid or sent a single unlock disk or if that unlock disk worked. I don't know of anyone who paid the ransom, and none of the victims in the dozens of old news stories claim to have paid the ransom or received an unlock disk from Dr. Popp. I think Dr. Popp was quickly on the run to avoid being arrested when his program started to make the news worldwide. It is doubtful that he had time to pick up his payments in Panama and send out unlock disks, and it is certainly true that he did not do this at scale. Every news story surrounding the PC Cyborg trojan starred victims whose PCs were locked up.
Dr. Popp claimed in court proceedings and to investigators that he planned to donate all the ransom money to AIDS research. That claim would be unlikely to persuade any court and would not result in the dismissal of any pending charges. Although it must be noted that Dr. Popp really did belong to several AIDS research groups that were raising money for research, and he was involved in several AIDS educational conferences and programs. In any case, one or more judges ruled that he was unfit to stand trial, and by November 1991 he was released back to his parents a free man by UK Judge Geoffrey Rivlin.
He faded back into relative obscurity and turned his interest back toward human anthropology. His infamous actions, which had both directly attacked and unfairly maligned AIDS researchers around the world, precluded his continued involvement in that field.
A decade later, in September 2001, he released a fairly controversial book called Popular Evolution Life Lessons (https://www.amazon.com/Popular-Evolution-Life-Lessons-Joseph-Popp/dp/0970125577), which contained many unconventional recommendations, including an aggressive focus on procreation, even by young females who had just obtained puberty. He strongly promoted “scientific ethics,” which stand diametrically opposed to by most moral codes and ethics that the rest of us follow. Perhaps his belief in his own form of unconventional ethics played a part in his creating the first ransomware program. He was also for eugenics and euthanasia. He didn't believe in anyone having a pet. He pretty much offended almost anyone who lived a conventional life. Suffice to say, his book of recommendations was not a best seller and did nothing to diminish how strange he was seen by others even as he was pursuing other careers.
Sometimes even an eccentric man can be a gentle man and beloved by others. Just before he died in 2007, “Dr. Joe” funded The Joseph L. Popp, Jr. Butterfly Conservatory in upstate Oneonta, New York. They have their own Facebook page (https://www.facebook.com/Joseph-L-Popp-Jr-Butterfly-Conservatory-119385884741701/). The butterfly operation was still in business at least until the 2020 COVID-19 shutdowns, but the main website domain is now up for sale and there aren't any Trip Advisor reviews after early January 2020 (https://www.tripadvisor.com/Attraction_Review-g48333-d1755655-Reviews-Joseph_L_Popp_Jr_Butterfly_Conservatory-Oneonta_New_York.html). Some of the early reviews indicated things were looking a bit rundown and ragged before the COVID crunch, so maybe it has had its final opening.
In his life, Dr. Popp had a few different careers, including evolutionary biologist, author, anthropologist, and butterfly lover. But his likely biggest unwanted claim to fame, something he could not escape the rest of his life, was as the father of ransomware. There are still nearly as many stories on him today as the creator of ransomware, in 2021, as there were back in 1990 when his creation was creating digital havoc. His place in history far outlived his own life.
More information and stories on Dr. Popp and his PC Cyborg program can be found at the following resources:
https://en.wikipedia.org/wiki/AIDS_%28Trojan_horse%29
https://www.vice.com/en/article/nzpwe7/the-worlds-first-ransomware-came-on-a-floppy-disk-in-1989
https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware/