Internet Insecurity

Someone Is Hacking GitHub Repositories and Holding Code Ransom

Hackers are trying a novel approach to extort developers of some money.

by Lorenzo Franceschi-Bicchierai
May 6 2019, 5:21pm

Image: Cathryn Virginia/Motherboard

Hackers are breaking into private code repositories, wiping them, and asking their owners for a ransom to restore their projects.

Ransomware, a type of attack where hackers infect computers, encrypt their content, and ask for money in exchange for a decryption key that will restore their data, has been around for decades. This new attack is a little different, but it’s unclear how successful it will be since one victim has claimed to have found a way to recover their code without paying the ransom.

The hackers are breaking into code repositories hosted on GitHub, one of the world’s largest software development platforms, and BitBucket, a similar service owned by Atlassian. GitHub did not immediately respond to a request for comment.

Do you know anything about this incident? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

On Thursday, a Reddit user wrote a post warning about the attack, saying his repository got hacked and his code removed. The intruder left a message:

“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) [around $570] to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

Jeremy Galloway, a security researcher at Atlassian, which owns BitBucket, told Motherboard in an online chat that the company has seen a lot of users’ repositories getting hit by these hackers. Galloway said he estimates the victims to be at least 1,000, based on internal numbers and online reports. That seems to be a good estimate considering that a search on GitHub for the hackers’ address returns 392 projects, as first reported by ZDnet.

At this point, it’s unclear how the hackers are breaking into all these accounts. Galloway told Motherboard that Atlassian is investigating the incidents to try to figure that out.

Despite the hundreds of victims, for now, the hackers are not making a lot of money. The hackers’ Bitcoin wallet, for now, has only received one payment of around $2.99 in Bitcoin.

The hackers did not respond to a request for comment sent to the email they’re providing victims.

If your project has been hit, there’s some good news. One victim claims to have figured out that the hackers aren’t actually deleting the code, and shared a relatively easy way to recover the files, as long as the victim has a clone of the code on their machine.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.

This article originally appeared on VICE US.