Cybereason Blog | Cybersecurity News and Analysis

Malicious Life, episode 5: The Roots of Evil - episode review

Written by Eliad Kimhy | Aug 8, 2017 4:12:42 PM

On May 12, 2017, one of the biggest global cyber security events ever witnessed shocked everyone from the tech-savvy to the tech-ignorant. The WannaCry ransomware was set loose on the world. In over 150 countries, business people, doctors, bankers and technicians turned on their computers and were greeted with a red window, a white lock and the words "Ooops, your files have been encrypted!"

Ransomware is one of the most prominent examples of cybercrime today, but its beginnings are surprisingly humble.

In 1989, floppy disks were sent by mail to the homes of some 2,000 people, with a program called "AIDS Information Introductory Diskette Version 2.0." On its cover was a short questionnaire concerning the risk of contracting AIDS. Behind the scenes, however, the disk was hiding a more malicious component.

A few days after installing the applications, users found that their files had disappeared, and they were greeted with the following message: "The software lease for this computer has EXPIRED. It is time to pay for your software lease from PC Cyborg Corporation. The price of a lease for the lifetime of your hard disk is US$378. Mail your order to PC Cyborg Corporation, P.O. Box 87-17-4tl Panama."

Reports of the ransomware began flooding police stations. Investigators were led on an odd and surprising chase for a man with an unconventional motive. They discovered that PC Cyborg was a straw company founded in Panama a few months earlier by three men: Kitain Mekonen, Asrat Wakjira and Fantu Mekesse. The addresses for their offices in Panama and in London were fictitious, nothing more than a mailbox.

The police officers and information security experts examining the case were confused. Were they facing an international, well-organized gang of sophisticated criminals? The straw company and method of extortion suggested great sophistication and required a serious financial investment, but the ransomware was amateurish, and the phrasing of the license agreement was simply…weird.

Two weeks later, a breakthrough in the investigation occurred. At the Amsterdam airport, Dutch police detained a man who was acting suspiciously. His name was Dr. Joseph Lewis Papp, a 39-year-old American expert on anthropology, conducting research on apes in Africa. He was on his way back from Africa to the US, but was displaying paranoid behavior: he complained to the police officers that someone was trying to kill him, and even scribbled on the luggage of another passenger: “Dr. Papp was poisoned.”

The officers discovered among Papp's belongings an ink stamp with the writing ‘PC Cyborg.’ They had found their culprit!

An investigation showed that in the years prior, Dr. Papp had developed a special interest in the HIV epidemic, but shortly before returning to the US he was fired from the World Health Organization. Papp was arrested and extradited to England to stand trial. The trial also revealed Papp’s motive: he claimed that the World Health Organization and African governments were conspiring to prevent HIV information from reaching their citizens, since the lethal epidemic was an effective means to prevent population growth. His plan was to use the money earned by the ransomware to perform independent research and expose the dangers of HIV to the public.

Papp was a brilliant and calculating person; there was no question about it. For example, he made sure not to send the infected disks to users in the USA, so as not to stand trial there. But Papp’s conspiracy claims and his megalomaniacal plan only made the judges more certain that he was mentally ill. Furthermore, he would appear in court wearing cardboard boxes on his head and curlers in his beard, to protect himself against ‘lethal radiation.’ Eventually, the prosecution agreed to acknowledge that Dr. Papp was a ‘public disgrace’ (a legal status that allowed the trial to end without a conviction). Papp was returned to the US, where he spent the next few years in a mental hospital.

Listen to the latest episode of Malicious Life to hear more about this incredible story, the evolution of cryptography, and the history, present, and future of ransomware: https://malicious.life/episode/episode-5-the-roots-of-evil/