Git is a distributed version control system that allows developers to track changes in source code during software development. Many services host Git for developers like GitHub, GitLab and so on. The news is that in a coordinated attack to these hosting services, attackers have removed all source code and recent commit.
Git repositories wiped out & ransomed
It has happened with hundreds of developers, and hackers have left a note asking for for a payment of 0.1 Bitcoin. Once the payment is made, the hackers will re-upload all the source code. They have downloaded and stored in their servers, and the devs have ten days to pay, else the code will be made public. Here is the complete message:
To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at firstname.lastname@example.org with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.
How did it happen?
Its not about a weak password. The hacker has scanned for Git config files and collected all the passwords. He then used it to log in to Git hosting services and ransom the accounts.
.git/config includes the remote URLs. Devs added username:password in it which should never be the case. It is without a doubt they should have used SSH, deploy keys or authenticate on each pull.
You can still recover without paying
According to Stefan Gabos@StackExchange, the code is not gone and is still there. When he tried accessing a commit’s has, it worked. The attacker has made a commit, and you can check that by executing the command
git checkout origin/master.
In the same thread, Peter made a comment which makes it possible to get the complete code back. Here is what he says:
You get your local repository to look like you want it to be, then simply
git push origin HEAD:master --force. You may have to unprotect the master branch to allow the forced push. It does not matter which branch you have checked out locally, or if you are detached. It will just forcefully make origin/master whatever your current HEAD is
Also, there is a live discussion going on at this thread if you want to ask some questions.