Hackers are running a new ransom campaign against GitHub, GitLab and Bitbucket repositories: they wipe the code and the commit history, then leave a ransom note in their place.
The attackers wipe the entire commit history and leave a single commit named ‘WARNING’ that contains only one file, the ransom note. Atlassian, which operates Bitbucket, meanwhile sent users whose accounts were targeted the following login alert:
“Within the past few hours, we detected and blocked an attempt — from a suspicious IP address — to log in with your Atlassian account. We believe that someone used a list of login details stolen from third-party services in an attempt to access multiple accounts.”
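As an added example (not code from the article or from any of the vendors quoted), the script below reproduces the wipe against a throwaway local bare repository, shows how a developer clone detects that origin/main was rewritten rather than advanced, and restores the history from that clone. Repository names, paths, commit contents and the placeholder note text are all constructed for the demo; it needs only git and a POSIX shell and touches no hosting service.

```shell
#!/bin/sh
# Added example: reproduce the "single WARNING commit" wipe on a local bare
# repo, detect it from a developer clone, and push the intact history back.
# Everything here is constructed locally; no real hosting service is used.
set -eu

# git with a fixed identity so commits work on a machine without user config.
gitc() {
  git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"
}

# Build a bare "hosted" repo plus a developer clone holding three commits.
setup_repo() {
  w="$1"
  git init -q --bare "$w/origin.git"
  git -C "$w/origin.git" symbolic-ref HEAD refs/heads/main
  git init -q "$w/dev"
  git -C "$w/dev" symbolic-ref HEAD refs/heads/main
  for i in 1 2 3; do
    echo "change $i" >> "$w/dev/app.txt"
    git -C "$w/dev" add app.txt
    gitc -C "$w/dev" commit -q -m "commit $i"
  done
  git -C "$w/dev" remote add origin "$w/origin.git"
  git -C "$w/dev" push -q -u origin main
}

# What the attacker does with a valid credential: an orphan branch holding
# only the note, force-pushed over main so the old commits become unreachable.
attacker_wipe() {
  w="$1"
  git clone -q "$w/origin.git" "$w/attacker"
  git -C "$w/attacker" checkout -q --orphan warning
  git -C "$w/attacker" rm -rfq .
  echo "To recover your lost code ... (constructed placeholder note)" > "$w/attacker/README"
  git -C "$w/attacker" add README
  gitc -C "$w/attacker" commit -q -m WARNING
  git -C "$w/attacker" push -q --force origin warning:main
}

# Detection from the developer side: after a fetch, is the commit we last saw
# on origin/main still an ancestor of the new origin/main? If not, the remote
# branch was rewritten, not merely advanced. Returns 0 (true) when rewritten.
history_rewritten() {
  dev="$1"
  before=$(git -C "$dev" rev-parse origin/main)
  git -C "$dev" fetch -q origin
  ! git -C "$dev" merge-base --is-ancestor "$before" origin/main
}

# Recovery: the local clone still has every commit, so force-push it back.
recover() {
  dev="$1"
  git -C "$dev" push -q --force origin main:main
  git -C "$dev" fetch -q origin
}

# Number of commits currently reachable from origin/main as seen by the clone.
remote_commit_count() {
  git -C "$1" rev-list --count origin/main
}

main() {
  w=$(mktemp -d)
  setup_repo "$w"
  attacker_wipe "$w"
  if history_rewritten "$w/dev"; then
    echo "origin/main was rewritten; it now has $(remote_commit_count "$w/dev") commit(s)"
    recover "$w/dev"
    echo "restored origin/main to $(remote_commit_count "$w/dev") commits"
  fi
  rm -rf "$w"
}

main
```

The detection check is the same one you would script into CI or a scheduled job: remember the last seen tip of origin/main, fetch, and require the old tip to be an ancestor of the new one. If a local clone was itself reset to the attacker's commit, `git reflog` still lists the previous HEAD until it is garbage collected, so the same force-push recovery applies from there.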
Experts believe the attackers are going after poorly secured repositories rather than exploiting any specific vulnerability in Git or in the hosting services.
Victims reported that the ransom note references gitsbackup[dot]com and that the crooks demand 0.1 BTC, roughly $560 at the time.
“I was working on a project and suddenly all the commits disappeared and were replaced with a single text file,” wrote Stefan Gabos, who was using SourceTree 3.1.3, on Stack Exchange.
“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin[at]gitsbackup[dot]com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don’t receive your payment in the next 10 Days, we will make your code public or use them otherwise.” reads the note.
At the time of writing it is not clear how the attackers gained access to the repositories. At least one victim confirmed that 2FA was enabled on their account and that the platform never sent a notification of an ongoing brute-force attack.
A quick search for the attackers’ Bitcoin address on BitcoinAbuse shows dozens of reports (31 at the time of writing), the first of them filed on May 2. The good news is that none of the victims appear to have paid the ransom.
GitHub and Bitbucket have not yet issued statements about the attacks. Below is the statement GitLab gave BleepingComputer:
“We identified the source based on a support ticket filed by Stefan Gabos yesterday, and immediately began investigating the issue. We have identified affected user accounts and all of those users have been notified. As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue.”
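GitLab's statement points at passwords stored in plaintext in a deployed copy of a repository. As an added example, not GitLab's or the article's own code, the script below scans a directory tree for the two places Git itself writes such a password in the clear: a remote URL of the form https://user:password@host in a .git/config, and a .git-credentials file as written by the `store` credential helper. The sample tree it scans is constructed inline; the paths, user names and passwords are assumptions for the demo.

```shell
#!/bin/sh
# Added example: find Git credentials stored in plaintext, the pattern GitLab
# cites. Scans .git/config remotes and .git-credentials files for URLs of the
# form https://user:pass@host and prints each hit with the password redacted.
set -eu

# Print "path: redacted-url" for every URL with an embedded password found
# under $1. Token-only URLs (https://token@host) are deliberately not matched.
find_embedded_creds() {
  find "$1" -type f \( -path '*/.git/config' -o -name .git-credentials \) 2>/dev/null |
  while IFS= read -r f; do
    grep -Eo 'https?://[^/@[:space:]]+:[^@[:space:]]+@[^[:space:]"]+' "$f" 2>/dev/null |
      sed -E 's#^(https?://[^:]+:)[^@]+@#\1***@#' |
      awk -v f="$f" '{ print f ": " $0 }'
  done
}

# Constructed sample tree: one leaky clone, one clean clone that uses SSH, and
# a credential store file like the one `git config credential.helper store` writes.
make_sample_tree() {
  d="$1"
  mkdir -p "$d/leaky/.git" "$d/clean/.git" "$d/home"
  printf '[remote "origin"]\n\turl = https://alice:hunter2@gitlab.example/team/app.git\n' > "$d/leaky/.git/config"
  printf '[remote "origin"]\n\turl = git@github.com:org/app.git\n' > "$d/clean/.git/config"
  printf 'https://bob:s3cret@github.com\n' > "$d/home/.git-credentials"
}

main() {
  d=$(mktemp -d)
  make_sample_tree "$d"
  find_embedded_creds "$d"
  rm -rf "$d"
}

main
```

Run it against a web root or build output that might ship a .git directory; a /.git/config reachable over HTTP is the same finding, only read remotely. Rotate any password it reports and move to a credential helper backed by the OS keychain plus two-factor authentication, as GitLab recommends.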