Ransomware Actors Blackmailing Hundreds of Git Repositories & Demanding Bitcoin

By Bill Toulas / May 4, 2019

Programmers who use Git for their code projects are reporting an alarming rise in attacks that wipe their repositories almost clean: all that is left in an affected repository after the attack is a ransom note demanding a payment of 0.1 Bitcoin, the equivalent of about $570. The attackers are not only extorting the programmers but also threatening to make the code public once ten days go by. In many cases this would be catastrophic, as the victims may have been working on proprietary code for years.

The actors are using a single Bitcoin address which has not received any funds yet but is already the subject of 27 abuse reports. The number of GitHub users reporting that they have been ransomed is just shy of 400, and more victims are turning up on GitLab, Bitbucket, Sourcetree and similar platforms. In most cases the targeted accounts appear to have been poorly protected: no 2FA, a weak password, or access tokens still valid for old apps. No malware is involved; the attackers simply authenticate with the compromised credentials and push over the existing branches, so these incidents are not thought to stem from any security breach of the platforms themselves.

Many of the programmers who have fallen victim to this campaign still have their code stored locally, but the prospect of having it leaked is now real. There are, however, a number of people who kept no local copy, and they understandably panicked when they saw that all of their commits were gone. The good news for them is that the code is not actually gone: the attackers only rewrite the branch to point at a single new commit containing the ransom note, which makes the history look deleted, but the original commits remain in the repository's object store (and in the reflog of any clone) until garbage collection removes them, and the branch can be pointed back at them.

Whatever happens from now on, and regardless of how many victims pay, a good amount of valuable code has already found its way onto the attackers' servers: closed-source proprietary code that belongs to companies and may have taken years of effort and large quantities of resources to develop. The crooks will likely evaluate what they got and use it 'appropriately' in the future. Paying the ransom to get the code back is pointless, as the attackers will almost certainly keep a copy on their servers anyway, and the history can be restored without paying.
