Mystery Git ransomware appears to blank commits, demands Bitcoin to rescue code

Sudden flurry of forum posts leaves a few clues

Updated: Programmers say they've been hit by ransomware that seemingly wipes their Git repositories' commits and replaces them with a ransom note demanding Bitcoin.

An unusually high number of developers have griped online about the effects of the software nasty, with at least two reports seen by El Reg referencing the freeware Sourcetree GUI for Git, made by Atlassian.

The repos affected are hosted across a number of platforms, from GitHub and GitLab to Bitbucket, so it's likely the malware is going after repositories that were inadvertently left poorly secured rather than exploiting a particular vulnerability.

At the very least, ensure your repos are protected using multi-factor authentication, and do not leak any access tokens or passwords in your public configuration files.
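One concrete form of the "don't leak access tokens in configuration files" advice is a remote URL of the shape https://user:token@host in a repository's git config, which travels with every copy, backup or web-exposed checkout of the repo. The script below is an added example, not from the article or from any hosting provider: it scans a git config file for remote URLs whose authority part embeds a username:secret pair and reports them with the secret redacted. It assumes only POSIX sh and git; the config file is constructed for the demonstration, and the host and remote names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: flag git remote URLs that embed a
# username:token pair. Assumes only POSIX sh and git; the config file below is
# constructed for the demonstration (example.invalid is a placeholder host).
set -eu

# Print "<remote name><TAB><URL with the secret redacted>" for every remote URL
# in the config file $1 whose authority section has the form user:secret@host.
flag_embedded_credentials() {
    git config --file "$1" --get-regexp '^remote\..*\.url$' |
    while read -r key url; do
        # scp-style URLs (git@host:path) carry a username but no secret; skip them
        case "$url" in *://*) ;; *) continue ;; esac
        rest=${url#*://}            # authority plus path
        auth=${rest%%/*}            # authority only, so an '@' in the path is not mistaken for userinfo
        case "$auth" in
            *:*@*)
                name=${key#remote.}; name=${name%.url}
                user=${auth%%:*}    # keep the account name, drop everything up to '@'
                host=${auth#*@}
                path=${rest#"$auth"}
                printf '%s\t%s://%s:***@%s%s\n' "$name" "${url%%://*}" "$user" "$host" "$path"
                ;;
        esac
    done
}

# Constructed sample config: one clean HTTPS remote, one with an embedded token,
# one SSH remote. Only the second should be reported.
CONFIG=$(mktemp)
cat > "$CONFIG" <<'EOF'
[remote "origin"]
    url = https://example.invalid/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = https://deploybot:s3cr3t-token@example.invalid/team/app.git
    fetch = +refs/heads/*:refs/remotes/mirror/*
[remote "upstream"]
    url = git@example.invalid:team/app.git
EOF

flag_embedded_credentials "$CONFIG"
```

Point it at a real repo with `flag_embedded_credentials path/to/repo/.git/config`; a hit means the token should be revoked and replaced by a credential helper or SSH key, since rotating the password alone leaves the old token live in every copy of that file.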

"So I was done fixing a bug tonight," posted one victim on Reddit this week.

"I was using sourcetree to push the changes, as soon as I clicked the commit button my laptop froze (it usually freezes so I'm not sure if it was due to malware or the usual one) and I immediately restarted it by long pressing the power button."

The netizen added that the ransom note they received referenced gitsbackup[dot]com, and demanded about $560 in crypto-currency to un-fsck the repo.

Another posted on Stack Exchange: "One of my repos was wiped today and just a message left in its place with a bitcoin ransom. I've no idea how they accessed my account, can't really see anything on github security page."

The user added: "I'm at a bit of a loss just now as to what to do, 2 factor has been turned on in github, the main server where the code was used. I've removed unused scripts etc., changed passwords, currently building a new server droplet and moving everything as a precaution in case the server was accessed."

A third, Stefan Gabos, wrote on Stack Exchange: "I was working on a project and suddenly all the commits disappeared and were replaced with a single text file."

That file, consistently across all the posts seen by The Register, reads:

To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin[at]gitsbackup[dot]com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.

Gabos added that he was "using SourceTree but somehow I doubt that SourceTree is the issue, or that my system (Windows 10) was compromised. I'm not saying it's not that, it's just that I doubt it." He told El Reg he is running the most recent version of Sourcetree (3.1.3), having updated today from the previous version. The changelog is here.

Gabos added on Stack Exchange that his code did not appear to be gone altogether, since he could still access one of his commits by its hash, concluding: "So the code is there but there's something wrong with the HEAD." He went on to note that git reflog "shows all my commits", updating his post as he learned more in his quest to recover his commits. In an edit, he added:

What this means to me is that the attacker doesn't have the code and there's no threat of them going over the source code for sensitive data or of making the code public. It also means to me that it is not a targeted attack but a random, bulk attack.
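Gabos's observation that git reflog still listed his commits is the whole recovery path: moving a branch to a different commit changes a ref, not the objects behind it. The script below is an added example, not from the article, from Gabos, or from Atlassian. It rebuilds the symptom he describes in a throwaway repository with a constructed bare remote standing in for the hosting service, then recovers the branch from the reflog and force-pushes the real history back. The repository contents, branch name, remote path and placeholder note are all assumptions of the demo; it assumes only that git is installed.

```shell
#!/bin/sh
# Added example, not part of the article or of any git hosting provider's tooling.
# It reproduces "the code is there but there's something wrong with the HEAD" in a
# throwaway repository and then recovers from the reflog. Assumes only that `git`
# is on PATH; every file, commit and remote below is constructed.
set -eu

reflog_recovery_demo() {
    work=$(mktemp -d)
    cd "$work"
    git init -q --bare origin.git            # stands in for the hosted remote
    git init -q repo
    cd repo                                  # the developer's local clone
    git config user.email dev@example.invalid
    git config user.name "Example Dev"
    git remote add origin ../origin.git

    for n in 1 2 3; do                       # three ordinary commits of real work
        echo "line $n" >> app.txt
        git add app.txt
        git commit -q -m "commit $n"
    done
    branch=$(git rev-parse --abbrev-ref HEAD)
    good=$(git rev-parse HEAD)
    git push -q origin "$branch"

    # Simulated damage: the branch is moved to a single root commit whose only
    # file is a placeholder note, and that state is force-pushed. The original
    # objects are untouched; only the local ref and the remote's ref changed.
    blob=$(printf 'constructed placeholder note\n' | git hash-object -w --stdin)
    tree=$(printf '100644 blob %s\tREADME.txt\n' "$blob" | git mktree)
    orphan=$(git commit-tree "$tree" -m "note")
    git reset -q --hard "$orphan"
    git push -q --force origin "$branch"
    [ "$(git rev-list --count HEAD)" = 1 ] || return 1   # history now looks gone

    # Recovery: the reflog still lists every position HEAD has held. The entry
    # just before the reset is the last good commit; inspect it, move the branch
    # back, and force-push the restored history over the bad ref on the remote.
    git reflog >&2
    last_good=$(git rev-parse 'HEAD@{1}')
    git log --oneline "$last_good" >&2
    [ "$last_good" = "$good" ] || return 1
    git reset -q --hard "$last_good"
    git push -q --force origin "$branch"
    [ "$(git ls-remote origin "refs/heads/$branch" | cut -f1)" = "$good" ] || return 1
    cat app.txt                              # the recovered working tree
}

reflog_recovery_demo
```

Two caveats matter in practice. Reflog entries for commits that are no longer reachable from any branch are expired by git gc after 30 days by default, so the recovery window is not unlimited; and the reflog is local, so a fresh clone made after the wipe has nothing to recover from, which is why the commit hash Gabos could still open on the hosting side was his other route back.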

Atlassian, maintainer of Sourcetree, had not responded to The Register's inquiries at the time of publication. See the updates on this post for instructions on how to recover your repos if they are wiped by the ransomware. ®


Bitbucket Cloud, one of Atlassian's other projects, sent us this statement which it is also forwarding to its customers.

We are contacting you because your Bitbucket Cloud repository was recently accessed and deleted by an unauthorized third party.

We are in the process of restoring your repository and expect it to be restored within the next 24 hours.

We believe that this was part of a broader attack against several git hosting services, where repository contents were deleted and replaced with a note demanding the payment of ransom.

During this attack, a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository. We believe that these credentials may have been leaked through another service, as other git hosting services are experiencing a similar attack.

We have not detected any other compromise of Bitbucket.

We have proactively reset passwords for those compromised accounts to prevent further malicious activity. We will also work with law enforcement in any investigation that they pursue.

We encourage you and your team members to reset all other passwords associated with your Bitbucket account. In addition, we recommend enabling 2FA on your Bitbucket account.

If you have any questions or would like further assistance, please contact our support.

GitHub sent us this:

GitHub has been thoroughly investigating these reports, together with the security teams of other affected companies, and has found no evidence that its authentication systems have been compromised. At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures. We are working with the affected users to secure and restore their accounts. We encourage all developers and customers to use two-factor authentication and strong and unique login passwords as a standard practice.
