A hacker is wiping Git repositories and asking for a ransom

Hundreds of developers have had had Git source code repositories wiped and replaced with a ransom demand.

The attacks started earlier today, appear to be coordinated across Git hosting services (GitHub, Bitbucket, GitLab), and it is still unclear how they are happening.

What it is known is that the hacker removes all source code and recent commits from vitcims' Git repositories, and leaves a ransom note behind that asks for a payment of 0.1 Bitcoin (~$570).

The hacker claims all source code has been downloaded and stored on one of their servers, and gives the victim ten days to pay the ransom; otherwise, they'll make the code public.

To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at [email protected] with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise. 

Payment is requested at the ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA Bitcoin address , which, at the time of writing, has not received any funds.

Hundreds of victims and counting

A GitHub search reveals that at least 392 GitHub repositories have been ransomed, so far.

According to BitcoinAbuse.com, a website that tracks Bitcoin addresses used for suspicious activity, there have been 27 abuse reports for this address today, when it was first indexed in the site's database. All abuse reports include the same ransom note, suggesting the Bitcoin address is being used in a coordinated attack aimed at Git accounts.

Some users who fell victim to this hacker have admitted to using weak passwords for their GitHub, GitLab, and Bitbucket accounts, and forgetting to remove access tokens for old apps they haven't used for months --both of which are very common ways in which online accounts usually get compromised.

Several users also tried to pin the issue on the hacker using an exploit in SourceTree, a Git GUI app for Mac and Windows made by Atlassian; however, there is no evidence to support this theory, for the time being.

A way to recover

The good news is that after digging through a victim's case, members of the StackExchange Security forum have found that the hacker does not actually delete, but merele alters Git commit headers, meaning code commits can be recovered, in some cases.

Instructions on how to recover mangled Git repositories are available on this page .

On Twitter, several important figures in the developer community are currently urging victims to contact the support teams at GitHub, GitLab, or Bitbucket before paying any ransom demand, as there could be other ways to recover deleted repos.