Hacker wipes Git repositories and demands ransom




Hundreds of developers have had their Git source code repositories wiped and replaced with a ransom demand.

The attacks, which started earlier in the day, appear to be coordinated across Git hosting services (GitHub, Bitbucket, GitLab), and it remains unclear how they are being carried out.

What we do know is that the hacker removes all the source code and recent commits from victims' Git repositories and leaves a ransom note demanding a payment of 0.1 Bitcoin (about $570).

The hacker claims that all the source code has been downloaded and stored on one of their servers, and gives the victim ten days to pay the ransom; otherwise, they will make the code public.

To recover your lost code and avoid any leaks: send us 0.1 Bitcoin (BTC) to our Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by email at [email protected] with your Git ID and proof of payment. If you do not know if we have your data, contact us and we will send you a proof. Your code is downloaded and saved on our servers. If we do not receive your payment within the next 10 days, we will return your code or otherwise use it.

Payment is requested at the Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA, which, at the time of writing this report, has received no funds.

Hundreds of victims and counting

A search on GitHub reveals that at least 392 GitHub repositories have been ransomed so far.

According to BitcoinAbuse.com, a website that lists Bitcoin addresses used for suspicious activity, there have been 27 abuse reports for this address today, the day it was first indexed in the site's database. All of the abuse reports include the same ransom note, suggesting that the Bitcoin address is being used in a coordinated attack targeting Git accounts.

Some victims admitted to using weak passwords for their GitHub, GitLab and Bitbucket accounts, and to forgetting to remove access tokens for old apps they had not used for months, two very common ways in which online accounts are compromised.

Several users have also tried to attribute the problem to the hacker using an exploit in SourceTree, a Git GUI for Mac and Windows created by Atlassian; however, there is no evidence to support this theory for the moment.

A way to recover

The good news is that, after investigating one victim's case, members of the StackExchange security forum found that the hacker does not actually delete anything, but merely modifies the Git commit headers, which means that code commits can be recovered in some cases.

Instructions on how to recover mutilated Git repositories are available on this page.
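
The following is an added example, not taken from the article or from the StackExchange thread. It assumes you still have a copy of the repository in which the original commits survive as unreachable objects, and shows how `git fsck` can locate them and restore them onto a new branch. The demo repository, file names, branch names and commit messages are all constructed.

```sh
#!/bin/sh
# Added example. Repo contents, branch names and messages are constructed.

# Build a throwaway repo, then replace its history with a single note commit.
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && git init -q . &&
        git config user.email "dev@example.invalid" &&
        git config user.name "Demo Dev" &&
        git config commit.gpgsign false &&
        echo 'print("v1")' > app.py && git add app.py &&
        git commit -q -m "initial code" &&
        echo 'print("v2")' > app.py &&
        git commit -q -am "latest real work" &&
        branch=$(git symbolic-ref --short HEAD) &&
        git checkout -q --orphan wiped && git rm -q -rf . &&
        echo "constructed ransom note" > NOTE.txt && git add NOTE.txt &&
        git commit -q -m "note" &&
        git branch -D "$branch" && git branch -m "$branch"
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Tips of history that no branch or tag reaches any more. --no-reflogs makes
# fsck ignore reflog entries, so this also works on a copy without reflogs.
find_lost_commits() {
    git -C "$1" fsck --no-reflogs 2>/dev/null |
        awk '$1 == "dangling" && $2 == "commit" { print $3 }'
}

# Of those tips, the one with the latest committer timestamp.
newest_lost_commit() {
    find_lost_commits "$1" | while read -r sha; do
        echo "$(git -C "$1" log -1 --format=%ct "$sha") $sha"
    done | sort -rn | head -n 1 | cut -d ' ' -f 2
}

# Restore onto a NEW branch so nothing is overwritten while you inspect it.
restore_to_branch() {
    git -C "$1" branch "$2" "$3"
}
```

Inspect the restored branch with `git log` before pushing it anywhere, and change the account password and revoke unused access tokens first so that the restored history is not wiped again.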
