Attackers delete GitHub, GitLab, and Bitbucket repositories and replace with ransom notes

• A GitHub search revealed almost 400 Github repositories that have been targeted in this manner.
• According to BitcoinAbuse.com, there have been 27 abuse reports and all the abuse reports include the same ransom note.

What is the issue?

Attackers have targeted GitHub, GitLab, and Bitbucket users by replacing the code and commits from the victims’ Git repositories and leaving a ransom note that demands a ransom payment of 0.1 Bitcoin (~$570).

Why it matters?

The ransom note threatens victims to make the code public if they do not pay the ransom amount within 10 days.

“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise,” the ransom note read.

How many repositories targeted?

• A GitHub search revealed almost 400 Github repositories that have been targeted.
• According to BitcoinAbuse.com, there have been 27 abuse reports and all the abuse reports include the same ransom note.
• Meanwhile, the attackers’ bitcoin address has received a single transaction of 0.00052525 BTC ($2.99) on May 3, 2019.

What is the response so far?

Kathy Wang, Director of Security at GitLab, said that they conducted an investigation and found out that compromised accounts have passwords being stored in plaintext on the deployment of a related repository. Wang also said that they have identified the affected user accounts and are notifying them.

“We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue,” Wang said.

Meanwhile, in a security advisory, Bitbucket noted that “a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository.”

Bitbucket has taken the following steps to prevent further malicious activity:

• It has reset passwords for the compromised accounts.
• It is working closely with the law enforcement authorities and has taken steps to restore the compromised repositories.
• It has requested its users to reset all other passwords associated with the Bitbucket account and to enable two-factor authentication on the Bitbucket account.