We’ve seen recent reports of unpatched, publicly accessible GitLab instances having Git repository data encrypted by a ransomware attack.
Indicators of compromise associated with this may include:
- Users unable to clone or push any projects
- Errors when trying to view repositories in the UI
- Suspicious files in the Git repo directories on the server (e.g. files ending in `.locked` or `.html`)
If you find that data has been encrypted by a ransomware attack, industry-standard best practice is to:
- Follow your organization’s security incident response and disaster recovery plan
- Restore to the last known working backup (one taken before the ransomware attack)
To help mitigate the threat of abuse and attacks moving forward:
- Restrict access to the GitLab instance/server at the network layer
- Patch the instance immediately after restoring from backup
- Plan an upgrade to the latest GitLab version as soon as possible
- Subscribe to security alerts via email in the GitLab Communication Preference Center or subscribe to our Security Releases RSS feed and adopt a plan to upgrade after every security release
- Take regular backups of GitLab data
- Review this list of suggestions and best practices for securing a compromised server
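
The file-name indicators listed above (files ending in `.locked` or `.html` in the Git repo directories) can be checked with a read-only scan of the repository storage directory. This is an added example, not GitLab's own tooling; the function names are hypothetical, and the Omnibus default storage path shown in the usage comment is an assumption to adjust for your install.

```shell
#!/usr/bin/env bash
# Added example (not GitLab tooling): read-only scan of repository storage for
# the file-name indicators listed above. Nothing on disk is modified.

# Print every regular file under ROOT whose name ends in .locked or .html.
# Git's own transient "*.lock" files do not match "*.locked".
list_suspicious_files() {
    local root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type f \( -name '*.locked' -o -name '*.html' \) -print 2>/dev/null | sort
}

# Print "<count> <repository>" per affected repo, so responders can see how
# widely the storage is affected. A repository is the path up to the first ".git".
summarize_by_repo() {
    list_suspicious_files "$1" | sed -E 's#(\.git)/.*#\1#' | sort | uniq -c |
        awk '{ n = $1; sub(/^[ \t]*[0-9]+[ \t]+/, ""); print n, $0 }'
}

# Exit status: 0 = no indicators, 1 = indicators found, 2 = ROOT unusable.
scan_repo_storage() {
    local root="$1" hits
    hits="$(list_suspicious_files "$root")" || return 2
    [ -n "$hits" ] || { echo "no *.locked or *.html files under $root"; return 0; }
    echo "suspicious files under $root:"; printf '%s\n' "$hits"
    echo "affected repositories:"; summarize_by_repo "$root"
    return 1
}

# Assumed usage on an Omnibus install (default storage path, adjust as needed):
#   sudo bash scan.sh /var/opt/gitlab/git-data/repositories
if [ "$#" -ge 1 ]; then scan_repo_storage "$1"; fi
```

A clean result only means these two file-name patterns were not found; the clone, push and UI errors listed above still need to be checked separately.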