A ransom note you can pay is bad news. A ransom screen that was never meant to be paid is worse, because it means the attacker already decided your files are not coming back. That is the design choice at the center of GigaWiper, a Windows backdoor that Microsoft detailed on July 10, 2026. It encrypts files, renames them with a .candy extension, and throws up an alarming wallpaper, but it keeps no decryption key and leaves no note. The extortion theater is a costume. Underneath it sits a disk wiper.
Microsoft dissected the sample and dates the destructive activity to October 2025. Binary Defense reported the same code under the name BLUERABBIT after seeing samples in March 2026, and the two teams matched command servers, so the two names describe one operation. Binary Defense assessed it as likely Iran-nexus activity aimed at Israeli organizations. Microsoft did not name a country, but tied the fake-ransomware component to CyberAv3ngers, a group it has previously linked to Iran. Treat attribution as the researchers phrased it, not as settled fact.
The ransom screen is misdirection, not a demand
Here is the part that changes how you respond. Real ransomware keeps a key somewhere, because the operator wants to sell it back to you. GigaWiper's Crucio routine encrypts with random keys it never retains and writes no note, so there is no one to pay and nothing to decrypt. Microsoft describes the files as unrecoverable by design. If your first read of a .candy wallpaper is to start a negotiation, you have already lost hours you needed for something else.
This is the same trap we wrote about with the first AI-run ransomware that locked a database with a key it never saved. When the key is gone, the incident is not an extortion case. It is a destruction case wearing an extortion mask, and the clock you are on is a recovery clock. The practitioner move is to classify by evidence, not by the wallpaper: no note plus no key means treat it as a wiper and move straight to restore and hunt.
Three destructive tools welded into one Go implant
What makes GigaWiper notable is consolidation. Instead of a single-purpose wiper, it merges three known families into one modular Go backdoor with a command set numbered one through twenty. The destructive commands cover a raw physical disk wipe that also clears the partition table, a blue-screen trigger that deletes critical system files, the fake-ransomware routine, and a multi-pass overwrite of the Windows drive. The espionage commands add screenshots, screen recording, a hidden remote-desktop session, and system, process, and registry control.
| Component | Role inside GigaWiper | Where it came from |
|---|---|---|
| Crucio | Fake ransomware. Encrypts files to a .candy extension and swaps the wallpaper for a warning image, but keeps no key and drops no ransom note. | Documented by CISA in December 2023; Microsoft traces the code to the group it tracks as CyberAv3ngers. |
| FlockWiper | Multi-pass secure wipe that overwrites data with zeros, then 0xFF, then random bytes. | Seen as a standalone C-based wiper in June 2025. |
| Raw disk wiper | Overwrites the physical drive and the partition table, then forces a reboot into a machine that no longer boots. | Original to GigaWiper. |
The families were not written for this backdoor. Crucio is the fake-ransomware code CISA documented in December 2023. FlockWiper appeared as a standalone C-based wiper in June 2025. The raw disk wiper is original. Bundling them into one implant means a single foothold now carries everything from quiet surveillance to irreversible destruction, and flipping from one to the other is a command, not a new intrusion. The old assumption that you have days between the break-in and the damage does not hold against an actor whose goal is to break things.
Why your network sensors see nothing worth flagging
GigaWiper does not phone home to an obvious malware panel. It uses ordinary business infrastructure as its control plane: RabbitMQ, a message queue, to broadcast and target commands, Redis, an in-memory data store, to collect results, and MinIO, an object-storage service, to move data out. It even parks its persistence behind a scheduled task called OneDrive Update that runs every minute and at startup, with a matching fake OneDrive registry key.
That choice is deliberate camouflage, and it is the same idea behind the crews now hiding command traffic inside Microsoft Teams relays. On a network where those services run legitimately, and plenty do, a queue or cache protocol on the wire is not an anomaly by itself. The anomaly is the source. A user's desktop speaking the message-queue protocol, or a workstation talking to Redis, is what should page you, not the protocol in the abstract. Detection here has to know which asset is allowed to do what, not just which ports are open.
The signals that catch it on the host, before the wipe
Because the samples rotate and the two research teams already gave the same code two names, chasing hashes is the losing game. The durable tells are behavioral, and they show up on the endpoint while the operator is still setting up, not after the disk is gone. Microsoft calls out a short list worth turning into hunts tonight:
- A scheduled task named
OneDrive Updatethat runs every minute and at startup. The real OneDrive updater does not behave that way. RabbitMQorRedistraffic originating from user workstations rather than servers.takeownoricaclstaking ownership of Windows boot files such asbootmgrandntoskrnl.exeoutside a maintenance window.- Windows Security event logs cleared, and cleared more than once in quick succession.
That last one is also a reason to get logs off the box. GigaWiper deletes the Security event log as part of its cleanup, so anything you were counting on to reconstruct the intrusion is gone if it only ever lived on the host. Shipping logs to a managed log pipeline means the record survives the wipe. Turning these tells into standing detections is the job of a managed threat-hunting practice, and having a rehearsed incident-response plan for destructive intent is what turns a keyless ransom screen from a panic into a procedure.
Read a keyless ransom screen as a wiper
The single most useful habit to take from GigaWiper is a classification rule. When you see encrypted files with no ransom note and no recoverable key, stop treating it as ransomware and start treating it as destruction. That decision reorders everything after it: you isolate to preserve evidence, you pull backups forward, and you hunt the four host signals above across the rest of the fleet, because a wiper operator who reached one machine usually reached more. The fake ransom note wants you to waste the window. Do not give it to them.