by ppierald 1867 days ago
I am definitely not an expert in these areas and I'm sure someone 100x smarter than I am has thought of this and discounted it already, but is there any ability to decompile the executable provided to Colonial and get to patterns of source code, then compel github to search their repositories for any patterns of that code? Not sure if that is even legal or whether a judge would authorize that fishing expedition, but it's an interesting thought exercise (in my head) assuming the code is even in GH.
3 comments

> then compel github to search their repositories for any patterns of that code

Assuming we're talking private repos, compelling Github to do that is a pretty blatant fourth amendment violation unless there's a specific set of suspected repos.

It's unlikely their code is hosted on GitHub because the hackers wouldn't want to leave such an obvious trace there.

I think you're right that unless there is evidence code is hosted there, the judge wouldn't authorize a "fishing" exercise to search random sources for the code. In a hypothetical, what would this even give? The IP addresses of the authors? They are likely running through a proxy anyways so it wouldn't help. The private key? It might have been generated server-side or using an algorithm outside the code so might not help.

What I'm saying is getting the code source might not even be helpful depending on how it was implemented and if only the client code can be found.

are you assuming the ransomware is collaboratively coded on github?

The authors of the ransomware might have non-ransomware projects on github where an analysis of coding style gives them away. It sounds like it would have a low probability of working but this is essentially what got the Unabomber caught. But writing styles in English might be easier to identify than in code. Maybe they'll use "cool headed logician" as a procedure name.