Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects newly created GitHub repositories with suspicious naming patterns that may indicate a ransom notice.

Strategy

This rule monitors GitHub audit logs for repository creation events where the event is repo.create.

Triage & Response

• Examine the newly created repository {{@github.repository}} to determine whether it contains legitimate backup data or potential attacker content.
• Review the repository contents and commit history to understand when the repository was generated and what content exists.
• Check for any corresponding repository downloads, deletions, or modifications that occurred around the same time as the backup creation.
• Determine if the repository naming pattern matches known ransomware indicators and assess for potential compromise.