Git ransom campaign incident report

181 points by brntn about 6 years ago

11 comments

gumby about 6 years ago
Since literally everybody who has cloned a repo has a full copy of it, and since git is a decentralized revision control system, what on earth can it mean to hold a repo for ransom? The write up even says so: to recover, just push your code back up to our repo.

I really don't understand what they are talking about. It's as if someone showed me a photo of my child and said, "pay me or I'll burn this photograph".

What am I missing?
Comment #19914580 not loaded
Comment #19914715 not loaded
Comment #19914548 not loaded
Comment #19914590 not loaded
Comment #19914546 not loaded
Comment #19915438 not loaded
penagwin about 6 years ago
Is it common that companies share intelligence like this? I think it's a wonderful idea, given they all operate on essentially the same service (git) they share similar security concerns.
Comment #19918744 not loaded
Comment #19916294 not loaded
heelhook about 6 years ago
Seems like no one fell for this though. https://www.blockchain.com/btc/address/1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA
Comment #19917232 not loaded
Ancient about 6 years ago
Repos with remaining ransom file: https://github.com/search?q=1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA&type=Code
Comment #19915759 not loaded
rossdavidh about 6 years ago
"All of this has happened before, and it will all happen again." - Peter Pan movie, Battlestar Galactica, and should be every security incident report ever.

Not saying they shouldn't have issued their analysis, of course they should have, it mostly looks on target. But...it will all happen again.
mlindner about 6 years ago
1. Stop using 'git add .' This is a bad habit I see people keep suggesting to new git users. Stop recommending it and stop doing it.

2. Never store your password in .git/config. Why are you doing that? That shouldn't be stored in .git/config.
Comment #19916376 not loaded
Comment #19917287 not loaded
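A defender's check for the second point above: a small scanner that reads a .git/config and flags remote URLs with a password (or bare username) embedded in the userinfo part, plus the plaintext `credential.helper = store` setting, printing only redacted URLs. This is an added example written for this thread, not code from the incident report or from any of the hosting vendors; the config text and its user/password values are constructed placeholders, and the `.invalid` hostname is reserved for exactly that purpose.

```python
"""Scan a .git/config for credentials embedded in remote URLs (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config; "alice"/"hunter2" are placeholders.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:hunter2@git.example.invalid/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.invalid:acme/app.git
[remote "public"]
\turl = https://git.example.invalid/acme/app.git
[credential]
\thelper = store
"""

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z][\w.-]*)\s*=\s*(.*?)\s*$")


def parse_git_config(text):
    """Return (section, key, value) triples from git's INI-like config syntax."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_VALUE.match(line)
        if m and section is not None:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def redact(url):
    """Replace any userinfo in a URL with '***' so a finding is safe to log."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    netloc = f"***@{host}" if (p.username or p.password) else host
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def find_embedded_credentials(config_text):
    """Return findings as dicts with remote, severity and a redacted URL."""
    findings = []
    for section, key, value in parse_git_config(config_text):
        if section == "credential" and key == "helper" and value == "store":
            # git-credential-store keeps passwords in plaintext in ~/.git-credentials
            findings.append({"remote": section, "severity": "info",
                             "url": "credential.helper=store (plaintext on disk)"})
            continue
        # scp-style 'git@host:path' carries an SSH user name, not a password
        if key != "url" or "://" not in value:
            continue
        p = urlsplit(value)
        if p.password:
            findings.append({"remote": section, "severity": "high", "url": redact(value)})
        elif p.username:
            findings.append({"remote": section, "severity": "info", "url": redact(value)})
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"{f['severity']:5} {f['remote']}: {f['url']}")
```

Run it against a real checkout by reading `.git/config` instead of `SAMPLE_CONFIG`; the fix for a high finding is to remove the userinfo from the URL and let a credential helper backed by the OS keychain, or an SSH key, supply the secret.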
chrischen about 6 years ago
How does one withdraw bitcoin to fiat or even use it without it being traceable? Are there laundering or anonymizing services for bitcoin withdrawals to fiat?
Comment #19918686 not loaded
Comment #19917820 not loaded
ralph84 about 6 years ago
2FA is great for the web UI, but none of these vendors make it particularly easy to enforce 2FA on the command line.
Comment #19916244 not loaded
Comment #19915312 not loaded
Comment #19914893 not loaded
Comment #19914987 not loaded
falsedan about 6 years ago
> Otherwise, you can still clone the repository and make use of: git reflog or git fsck to find your last commit and change the HEAD.

I don't understand: when I clone a repo, I get a copy of all the branches/tags and the commits they point to & the trees/blobs from those commits. If the repo is wiped, I get a single master branch with a single commit with a single tree and a single blob, and no reflog because that is local to the repo, and I (as a fresh cloner) haven't updated any refs.

Perhaps they are thinking about a mirror clone? That still won't include the reflog, but you can at least find dangling commits and guess which one was master.
Comment #19921610 not loaded
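The comment above turns on git's reachability rule: a clone only receives objects reachable from the refs the server advertises, while `git fsck` lists objects that exist in the repository it runs in but are unreachable from its refs. The model below is an added example for this thread, not code from the incident report; it reduces a repository to a commit-to-parents dictionary plus a ref map and walks it the way clone and fsck do, with constructed commit names ("c1", "c2", "c3", "ransom").

```python
"""Toy model of git reachability: why a fresh clone of a wiped repo has nothing to recover."""


def reachable(objects, refs):
    """Commits reachable from refs by following parent links (what a clone fetches)."""
    seen, stack = set(), [c for c in refs.values() if c in objects]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(objects[c])
    return seen


def dangling(objects, refs):
    """Commits on disk but unreachable from any ref (what `git fsck` reports)."""
    return set(objects) - reachable(objects, refs)


def clone(objects, refs):
    """A fresh clone: only the advertised refs and the objects reachable from them."""
    keep = reachable(objects, refs)
    return {c: list(objects[c]) for c in keep}, dict(refs)


def force_branch_to_orphan(objects, refs, branch, orphan):
    """Model of the wipe described in the report: a new parentless commit replaces
    the branch tip. Old objects stay in the store until gc prunes them."""
    objects[orphan] = []
    refs[branch] = orphan


def scenario():
    """Walk the three viewpoints discussed in the thread and return what each can see."""
    # Constructed history: c1 <- c2 <- c3, master at c3.
    server = {"c1": [], "c2": ["c1"], "c3": ["c2"]}
    server_refs = {"refs/heads/master": "c3"}

    # Somebody cloned before the incident: their copy is complete and stays complete.
    old_clone, old_refs = clone(server, server_refs)

    # The attack rewrites master to an orphan commit holding only the ransom note.
    force_branch_to_orphan(server, server_refs, "refs/heads/master", "ransom")

    # A clone taken after the wipe receives only what is reachable now.
    fresh_clone, fresh_refs = clone(server, server_refs)

    return {
        # fsck on the server (or a mirror taken before gc) still sees the old commits
        "server_dangling": dangling(server, server_refs),
        # fsck in the fresh clone finds nothing: the old objects were never transferred
        "fresh_clone_objects": set(fresh_clone),
        "fresh_clone_dangling": dangling(fresh_clone, fresh_refs),
        # the pre-incident clone still reaches the full history from its own master
        "old_clone_has_history": reachable(old_clone, old_refs) == {"c1", "c2", "c3"},
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model matches the comment's reading: `git fsck` or `git reflog` can only help where the unreachable objects still exist, which is the server-side repository (until its garbage collection prunes them) or a pre-incident clone, never a clone made after the rewrite.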
shapov about 6 years ago
I didn't see it mentioned in the article, but did any of the 3 companies confirm that the repos have been actually cloned as the attackers suggest?
jedberg about 6 years ago
I just have to say, props to Gitlab for being included in this. For a lot of enterprises that use Github and Bitbucket, this may be their first intro to Gitlab.