Hackers are using a new piece of ransomware to target GitHub, GitLab, and Bitbucket repositories, wiping code and commits and leaving a ransom note.
The hackers wipe out all commit history and leave just a single commit named ‘WARNING’ that contains a single file.
“Within the past few hours, we detected and blocked an attempt — from a suspicious IP address — to log in with your Atlassian account. We believe that someone used a list of login details stolen from third-party services in an attempt to access multiple accounts.”
Experts believe the ransomware is targeting poorly secured repositories and doesn’t seem to exploit specific vulnerabilities in Git repositories.
The victims reported that the ransom note includes a reference to gitsbackup[dot]com; the crooks are demanding about $560 worth of Bitcoin.
“I was working on a project and suddenly all the commits disappeared and were replaced with a single text file,” wrote Stefan Gabos, who was using SourceTree (3.1.3), on Stack Exchange.
“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin[at]gitsbackup[dot]com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.” reads the note.
At the time of writing, it is not clear how the hackers gain access to the repositories. At least one of the victims confirmed having 2FA enabled on his account and said he never received any notification of an ongoing brute-force attack from the platform.
A quick search for the attackers’ Bitcoin address on BitcoinAbuse shows dozens of reports (31 at the time of writing). The first abuse report was filed on May 2; the good news is that none of the victims have paid the ransom.
GitHub and Bitbucket haven’t yet issued any statements regarding the attacks; below is GitLab’s statement, as received by BleepingComputer:
“We identified the source based on a support ticket filed by Stefan Gabos yesterday, and immediately began investigating the issue. We have identified affected user accounts and all of those users have been notified. As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue.”
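GitLab’s statement points at plaintext credentials stored alongside a deployed repository, which is exactly what a `.git/config` remote URL of the form `https://user:password@host/...` or a `~/.git-credentials` entry amounts to. As an added example (not code from the article or from any of the platforms), the Python below scans the text of such a file and reports every remote that embeds a username or password, recording only the line, user and host so the report can be logged without re-leaking the secret; the sample config and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Matches the `url = ...` line of a [remote "..."] section in .git/config.
URL_LINE = re.compile(r"^\s*url\s*=\s*(?P<url>\S+)", re.IGNORECASE)

def embedded_credential(url):
    """Return details if an http(s) URL carries user[:password]@host, else None.
    The password value itself is deliberately not returned."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                      # ssh/git remotes carry no password here
    if parts.password is None and not parts.username:
        return None
    return {"user": parts.username or "", "host": parts.hostname or "",
            "has_password": parts.password is not None}

def scan_git_config(text):
    """Scan the text of a .git/config or ~/.git-credentials file.
    Lines with `url = <remote>` (config) and bare URLs (credential store)
    are both checked; each finding records line, user and host only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_LINE.match(line)
        candidate = m.group("url") if m else line.strip()
        hit = embedded_credential(candidate)
        if hit:
            findings.append({"line": lineno, **hit})
    return findings

# Constructed sample: a deployed repo whose origin URL embeds a password.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:Hunter2@gitlab.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:acme/app.git
"""

if __name__ == "__main__":
    for hit in scan_git_config(SAMPLE_CONFIG):
        print(f"line {hit['line']}: {hit['user']}@{hit['host']} password={hit['has_password']}")
```

Run it against each `.git/config` under a deployment root and against `~/.git-credentials` on build hosts; any hit is a credential that should be moved into a credential helper or replaced with a deploy key or scoped token.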