Git hosting services like GitHub, Bitbucket, and GitLab are under ransom attack where hundreds of Git source code repositories have been wiped out and replaced with a ransom demand by attackers.
The mysterious hackers have launched a coordinated attack across multiple Git repository platforms. It is unclear how this level of attack took place, but a ransom note left behind asks for a payment of 0.1 Bitcoin (around $570) in exchange for releasing the codes.
What we know right now is that the attack started yesterday. The hackers removed all source code and recent commits from victims’ Git repositories and left the ransom notes behind.
The note also says that all source code has been downloaded and saved on one of their servers. Victims of the Git ransom attack have ten days to pay the ransom, otherwise, the hackers will make the code public or use it as they see fit.
The payment of ransom is requested at this Bitcoin address: ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA. So far, only one transaction has been registered at this address showing a total of 0.00052525 BTC received.
The victim count is increasing
The number of Git ransom attacks on multiple platforms appears to be increasing. Conducting a GitHub search reveals that at least 387 GitHub repos have been compromised so far.
Although a few users who fell victim to this attack admitted to using weak passwords in their GitHub, GitLab, and Bitbucket accounts. Some even forgot to remove access tokens for old, unused apps. Both are common ways through which accounts get compromised online.
So this is proof that the hackers did extensive scanning of the internet to fins Git config files, extracted credentials, and used them to access Git accounts.
The silver lining
Amidst this mess, the good news is that folks from the StackExchange Security forum have found that the hackers don’t really delete the codes. They simply alter the Git commit headers, this means code commits can be recovered, in some cases, if not all.
There are instructions on how to recover the hijacked Git repositories on this page. Just in case, you are one of the victims, we’d advise you to contact the support teams at your Git hosting service before paying any ransom demand, as there could still be other ways to recover the deleted Git repos.