AIDS Trojan (1989): the first ransomware in history

In 1989, personal computers were isolated tools, without permanent connections to global networks and with an almost naïve level of trust in anything that arrived via physical media. Computer security was barely a concern, and the idea that someone might hijack access to a computer in order to demand money was, quite simply, unthinkable. That same year, however, an episode took place that over time would become the origin of one of the most devastating models of digital extortion in history: the first documented ransomware.

A floppy disk that seemed harmless

It all began with a postal mailing. Thousands of doctors, researchers, and healthcare professionals received a floppy disk at their offices and homes, accompanied by an explanatory letter. The contents promised to be informative and educational: a program with data about AIDS, a disease that at the time was the focus of enormous media and scientific attention.

The name of the software, AIDS Information Introductory Diskette, raised no suspicion. In an era when exchanging software by mail was common practice, no one saw any reason to distrust it. The disk was inserted, the program installed, and the computer continued to function normally.
For a while.

Who was behind the program

The author of the software was Joseph L. Popp, a biologist with a PhD from Harvard University and professional experience in projects related to AIDS research. He was not a fringe profile or a habitual criminal, but someone with academic training and knowledge of the environment he was targeting.

Popp did not present himself as an attacker. On the contrary, his message was carefully wrapped in a legal and administrative appearance. He spoke of usage licenses, formal payments, and a supposed company called PC Cyborg Corporation. His goal was not to destroy or steal information, but to condition access to it.

The idea was simple, yet radical for its time: if you control access to a system, you can charge money to restore it.

The moment everything stops

After a certain number of computer reboots, the program activated its true function. The user suddenly faced an unusable system. Files appeared to have disappeared, and the computer ceased to be operational.

A clear and seemingly reasonable message appeared on screen. The software license had expired and needed to be regularized. To recover access, a payment of 189 dollars was requested, to be sent by postal mail to a post office box in Panama.

There were no explicit threats or aggressive language. There was no mention of a ransom, only a renewal. The tone was almost bureaucratic, which made the message even more unsettling.
Without realizing it, those users were experiencing the first case of digital extortion based on system unavailability.

An experiment that did not turn out as expected

Joseph Popp’s plan did not work in the long term. Specialists and analysts began to investigate the program’s behavior and discovered that, although access to the system was blocked, the data had not been destroyed. Over time, tools were developed that allowed the computer’s functionality to be restored without paying.

The economic impact of the attack was limited, and the operation failed as a business model. However, the idea had been released into the world and would never disappear.
For the first time, someone had demonstrated that it was possible to use a computer as a hostage.

Arrest, trial, and silence

When authorities identified Joseph Popp as responsible for the attack, he was arrested in the United Kingdom. The judicial process never reached a clear resolution. Popp displayed erratic behavior and was declared unfit to stand trial, so the case was closed without a firm conviction.

There was no deep public reflection or coordinated response. The episode was relegated to a historical curiosity, a strange anecdote in the early years of personal computing. That silence would, over time, prove especially significant.

The true legacy of the AIDS Trojan

The AIDS Trojan was not particularly sophisticated, nor did it cause massive damage. It did not collapse hospitals or paralyze critical infrastructure. However, it introduced a concept that remains at the core of modern ransomware: blocking access to a system and demanding payment to restore it.

In 1989, the idea was limited by the technology of the time. There were no anonymous digital payments, no global connectivity, and no ability to scale attacks massively. Even so, the conceptual model was already complete.

Decades later, that same approach has been refined and amplified to become one of the primary threats to companies, public administrations, and essential services.

A lesson that remains relevant

The birth of ransomware was not the result of a major technical innovation, but of a very simple observation: the more we depend on technology, the more vulnerable we are to losing access to it.
The AIDS Trojan ransomware was the first warning. It went almost unnoticed, but it made clear that digital extortion did not need to destroy anything to be effective. It was enough to deny access.
Thirty-five years later, ransomware continues to exploit exactly the same weakness. The only thing that has changed is the scale.