The First Ransomware Attack: A Floppy Disk’s Legacy

In December 1989, thousands of individuals received an unexpected package: a floppy disk labelled “AIDS Information Introductory Diskette.” This seemingly benign disk would later be recognised as the vehicle for the world’s first ransomware attack, marking the dawn of a new era in cybersecurity threats, malware evolution, and data security vulnerabilities.

The Man Behind the Malware

Dr Joseph Popp, an evolutionary biologist with a doctorate from Harvard, orchestrated this unprecedented attack. His plan involved distributing 20,000 floppy disks to attendees of the World Health Organisation’s AIDS conference and subscribers of PC Business World magazine.

The disk purported to contain valuable information about AIDS, but hidden within was a malicious program that lay dormant until the computer had been booted 90 times. When it activated, the malware encrypted filenames on the user’s C: drive, rendering the system unusable. A message would then appear, demanding a payment of $189 to a PO Box in Panama for the restoration of access. This was an early example of social engineering tactics used to trick victims into paying ransom.

A New Breed of Threat

This incident introduced the world to a novel and alarming concept: holding digital assets hostage for ransom. Unlike previous computer viruses that aimed to destroy data or demonstrate technical prowess, this attack had a clear financial motive. It highlighted the potential for cybercriminals to exploit individuals’ reliance on technology and data security for monetary gain.

The attack was rudimentary by today’s standards, but it laid the foundation for a new type of cybercrime—one that has since evolved into a billion-pound industry. Today, ransomware-as-a-service (RaaS) enables hacker groups to use advanced encryption techniques, dark web marketplaces, and cryptocurrency payments to extort victims on a global scale. Many modern ransomware gangs use phishing emails, zero-day exploits, and supply chain attacks to infiltrate systems before deploying their payload.

The Aftermath

Dr Popp’s actions led to his arrest and subsequent detention in Brixton Prison. However, his erratic behaviour during the trial resulted in him being declared mentally unfit to stand trial, and he was eventually returned to the United States. The attack, while limited in scope compared to modern ransomware campaigns, served as a wake-up call for the cybersecurity community. It underscored the necessity for robust security measures, the rise of endpoint protection, and the importance of user awareness training in preventing such attacks. Today, businesses deploy next-generation firewalls (NGFWs) and zero-trust security models to defend against similar threats.

Looking Back: A Digital Pandora’s Box

The “AIDS Information Introductory Diskette” was, in many ways, a sign of things to come. At the time, cybersecurity awareness was an afterthought for most people—an abstract concern in an era when computers were still finding their place in homes and businesses. No one could have imagined that this simple floppy disk would plant the seeds for a cybercrime industry that would one day bring global corporations to their knees.

Ransomware has evolved beyond recognition, but its core principle remains unchanged: exploiting trust and leveraging fear for financial gain. Looking back, there’s almost something quaint about Popp’s method—no dark web marketplaces, no cryptocurrency, just a mail-in ransom demand to a Panamanian PO Box. Compared to today’s highly organised ransomware gangs, it feels almost analogue, a relic from a time when the digital world still had an air of innocence.

Yet, the lessons from that first attack remain just as relevant today. Cybersecurity is no longer optional. The digital frontier is no longer new or uncharted—it is a battlefield, one where vigilance, education, and preparation make all the difference. Organisations must invest in advanced threat detection, incident response plans, and security awareness training to mitigate the risk of ransomware attacks.

One floppy disk in 1989 was enough to open Pandora’s box. And more than three decades later, we’re still trying to close it.


