Mystery Git ransomware appears to blank commits, demands Bitcoin to rescue code

Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India

Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: The Register

Programmers say they’ve been hit by ransomware that seemingly wipes their Git repositories’ commits and replaces them with a ransom note demanding Bitcoin.

An unusual high number of developers have griped online about the effects of the software nasty, with at least two reports seen by El Regreferencing the freeware Sourcetree GUI for Git, made by Atlassian.

The repos affected are hosted across a number of platforms, from GitHub and GitLab to Bitbucket, so it’s likely the malware is targeting inadvertently poorly secured repositories rather than a particular vulnerability.

At the very least, ensure your repos are protected using multi-factor authentication, and do not leak any access tokens or passwords in your public configuration files.

“So I was done fixing a bug tonight,” posted one victim on Reddit this week.

“I was using sourcetree to push the changes, as soon as I clicked the commit button my laptop freezed (it usually freezes so im not sure if it was due to malware or the usual one) and i immediately restarted it by long pressing the power button.”

The netizen added that the ransom note they received referenced gitsbackup[dot]com, and demanded about $560 in crypto-currency to un-fsck the repo.

Another posted on Stack Exchange: “One of my repos was wiped today and just a message left in its place with a bitcoin ransom. I’ve no idea how they accessed my account, can’t really see anything on github security page.”

The user added: “I’m at a bit of a loss just now as what to do, 2 factor has been turned on in github, the main server where the code was used. I’ve removed unused scripts etc changed passwords, currently building a new server droplet and moving everything as a precaution in case the server was accessed.”

A third, Stefan Gabos, wrote on Stackexchange: “I was working on a project and suddenly all the commits disappeared and were replaced with a single text file.”

That file, consistently across all the posts seen by The Register, reads:

Gabos added that he was “using SourceTree but somehow I doubt that SourceTree is the issue, or that my system (Windows 10) was compromised. I’m not saying it’s not that, it’s just that I doubt it.” He told El Reg he is running the most recent version of Sourcetree (3.1.3), having updated today from the previous version. The changelog is here.

Gabos added on Stackexchange that his code does not appear to have gone altogether as accessing his commit’s hash had worked, concluding: “So the code is there but there’s something wrong with the HEAD.” He continued to note that git reflog “shows all my commits”, updating as he learned more in his quest to recover his commits. In an edit, he added:

Atlassian, maintainer of Sourcetree, had not responded to The Register‘s inquiries at the time of publication. See the updates on this post for instructions on how to recover your repos if they are wiped by the ransomware.

www.extremehacking.org

Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv10,CHFI,ECSAv10,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v10 course in Pune-India, ceh certification in pune-India, ceh v10 training in Pune-India, Ethical Hacking Course in Pune-India