An attack on Github, Bitbucket, and GitLab repos late last week saw hundreds of accounts compromised, and entire repositories deleted to be replaced with a ransom note.
The note read: "To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at email@example.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise."
The attack has affected at least 315 GitHub accounts alone, according to GitHub search results, although the ransom may not have paid off as well as the hacker hoped: the BTC address shows a distinct lack of payments (0.1 bitcoin is about £450). The address has also been flagged repeatedly on Bitcoin Abuse.
There could be a good reason for this, as Chris Doman, security researcher from AT&T Alien Labs pointed out to SC Media UK: "It depends upon the implementation - but normally victims should be able to recover their files if they contact support. It looks like so far the attackers haven't found a mark willing to pay the ransom, though some joker has sent them US$ 3.00!"
Dean Ferrando, systems engineer at Tripwire, told SC Media UK that preparation is key: "The trend of asking a ransom for the decryption of files encrypted by a malware exists because it’s effective. The best way to counteract this type of attack is to prepare for them, ensuring that vulnerabilities are addressed in a timely manner and that backups are frequent and tested. Both organisations and private individuals should ensure that their files are securely backed up and stored in an offline location, where they can’t be accessed in the eventuality of an attack.
Ultimately, the more victims refuse to pay the ransom, the fewer ransomware attempts there will be."
Github issued a warning, along with some general account security tips:
"The source IP of the attacks came from the 126.96.36.199/24 range." https://t.co/fzoE557Cym — Bad Packets Report (@bad_packets), May 4, 2019
This noted that "The attacker appeared to use some type of "update script" in an attempt to perform the accesses, and the nature of the individual accesses strongly suggested the use of plaintext passwords that were locally stored. Since not all of the accesses resulted in both a repository wipe and a ransom note, this suggests that the attacker’s update script was possibly not working properly. None of the accounts impacted had two-factor authentication enabled. This could be a result of a generic script being used against GitLab as well as GitHub and Bitbucket."
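One defensive check that follows from that analysis, added here as an example and not code from the article, GitHub or GitLab: a POSIX shell audit of a user's git configuration for the plaintext "store" credential helper, which is exactly the kind of locally stored plaintext password the quoted analysis points to. The gitconfig and git-credentials files, the user name and the hosts below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit git configuration for plaintext credential storage.
# Sample files, user names and hosts are constructed, not real data.

# Exit 0 if the given gitconfig enables the plaintext "store" credential
# helper (which writes user:password pairs to ~/.git-credentials), else 1.
uses_plaintext_store() {
    awk '
        /^[[:space:]]*[#;]/ { next }                      # skip comment lines
        /^[[:space:]]*\[/   { in_cred = ($0 ~ /^[[:space:]]*\[credential/); next }
        in_cred && /^[[:space:]]*helper[[:space:]]*=[[:space:]]*store/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print one "user@host" per stored credential line, never the password,
# so an audit can list which remotes have plaintext passwords on disk.
stored_cred_accounts() {
    sed -n 's#^[a-z]*://\([^:]*\):[^@]*@\([^/]*\).*#\1@\2#p' "$1"
}

# --- constructed stand-ins for ~/.gitconfig and ~/.git-credentials ---
demo=$(mktemp -d)
cat > "$demo/gitconfig" <<'EOF'
[user]
    name = Example Dev
[credential]
    helper = store
EOF
cat > "$demo/git-credentials" <<'EOF'
https://alice:hunter2@github.com
https://alice:s3cret@gitlab.com
EOF

if uses_plaintext_store "$demo/gitconfig"; then
    echo "WARNING: credential.helper=store; accounts with plaintext passwords on disk:"
    stored_cred_accounts "$demo/git-credentials"
fi
```

On a real machine, point the two functions at "$HOME/.gitconfig" and "$HOME/.git-credentials"; a hit means the password should be rotated and the helper switched to an OS keychain or a short-lived token.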
An extensive StackExchange discussion has revealed a host of theories and potential methods to retrieve data, in addition to contacting Github, Bitbucket, and GitLab support.