Home/ Blog/ Security news/ Article
Blog · Security news

GigaWiper fakes a ransomware hit to cover a disk wipe, and the only early warning is on the host

GigaWiper encrypts files to .candy with no key and no ransom note, because the ransomware is a decoy for a disk wipe. Here are the host signals that catch it.

Stage curtain drawn aside revealing a fractured disk platter behind it

A ransom note you can pay is bad news. A ransom screen that was never meant to be paid is worse, because it means the attacker already decided your files are not coming back. That is the design choice at the center of GigaWiper, a Windows backdoor that Microsoft detailed on July 10, 2026. It encrypts files, renames them with a .candy extension, and throws up an alarming wallpaper, but it keeps no decryption key and leaves no note. The extortion theater is a costume. Underneath it sits a disk wiper.

Microsoft dissected the sample and dates the destructive activity to October 2025. Binary Defense reported the same code under the name BLUERABBIT after seeing samples in March 2026, and the two teams matched command servers, so the two names describe one operation. Binary Defense assessed it as likely Iran-nexus activity aimed at Israeli organizations. Microsoft did not name a country, but tied the fake-ransomware component to CyberAv3ngers, a group it has previously linked to Iran. Treat attribution as the researchers phrased it, not as settled fact.

The ransom screen is misdirection, not a demand

Here is the part that changes how you respond. Real ransomware keeps a key somewhere, because the operator wants to sell it back to you. GigaWiper's Crucio routine encrypts with random keys it never retains and writes no note, so there is no one to pay and nothing to decrypt. Microsoft describes the files as unrecoverable by design. If your first read of a .candy wallpaper is to start a negotiation, you have already lost hours you needed for something else.

This is the same trap we wrote about with the first AI-run ransomware that locked a database with a key it never saved. When the key is gone, the incident is not an extortion case. It is a destruction case wearing an extortion mask, and the clock you are on is a recovery clock. The practitioner move is to classify by evidence, not by the wallpaper: no note plus no key means treat it as a wiper and move straight to restore and hunt.

Three destructive tools welded into one Go implant

What makes GigaWiper notable is consolidation. Instead of a single-purpose wiper, it merges three known families into one modular Go backdoor with a command set numbered one through twenty. The destructive commands cover a raw physical disk wipe that also clears the partition table, a blue-screen trigger that deletes critical system files, the fake-ransomware routine, and a multi-pass overwrite of the Windows drive. The espionage commands add screenshots, screen recording, a hidden remote-desktop session, and system, process, and registry control.

ComponentRole inside GigaWiperWhere it came from
CrucioFake ransomware. Encrypts files to a .candy extension and swaps the wallpaper for a warning image, but keeps no key and drops no ransom note.Documented by CISA in December 2023; Microsoft traces the code to the group it tracks as CyberAv3ngers.
FlockWiperMulti-pass secure wipe that overwrites data with zeros, then 0xFF, then random bytes.Seen as a standalone C-based wiper in June 2025.
Raw disk wiperOverwrites the physical drive and the partition table, then forces a reboot into a machine that no longer boots.Original to GigaWiper.
Three destructive tools, one implant. Source: Microsoft threat report, July 2026.

The families were not written for this backdoor. Crucio is the fake-ransomware code CISA documented in December 2023. FlockWiper appeared as a standalone C-based wiper in June 2025. The raw disk wiper is original. Bundling them into one implant means a single foothold now carries everything from quiet surveillance to irreversible destruction, and flipping from one to the other is a command, not a new intrusion. The old assumption that you have days between the break-in and the damage does not hold against an actor whose goal is to break things.

Why your network sensors see nothing worth flagging

GigaWiper does not phone home to an obvious malware panel. It uses ordinary business infrastructure as its control plane: RabbitMQ, a message queue, to broadcast and target commands, Redis, an in-memory data store, to collect results, and MinIO, an object-storage service, to move data out. It even parks its persistence behind a scheduled task called OneDrive Update that runs every minute and at startup, with a matching fake OneDrive registry key.

That choice is deliberate camouflage, and it is the same idea behind the crews now hiding command traffic inside Microsoft Teams relays. On a network where those services run legitimately, and plenty do, a queue or cache protocol on the wire is not an anomaly by itself. The anomaly is the source. A user's desktop speaking the message-queue protocol, or a workstation talking to Redis, is what should page you, not the protocol in the abstract. Detection here has to know which asset is allowed to do what, not just which ports are open.

The signals that catch it on the host, before the wipe

Because the samples rotate and the two research teams already gave the same code two names, chasing hashes is the losing game. The durable tells are behavioral, and they show up on the endpoint while the operator is still setting up, not after the disk is gone. Microsoft calls out a short list worth turning into hunts tonight:

  • A scheduled task named OneDrive Update that runs every minute and at startup. The real OneDrive updater does not behave that way.
  • RabbitMQ or Redis traffic originating from user workstations rather than servers.
  • takeown or icacls taking ownership of Windows boot files such as bootmgr and ntoskrnl.exe outside a maintenance window.
  • Windows Security event logs cleared, and cleared more than once in quick succession.

That last one is also a reason to get logs off the box. GigaWiper deletes the Security event log as part of its cleanup, so anything you were counting on to reconstruct the intrusion is gone if it only ever lived on the host. Shipping logs to a managed log pipeline means the record survives the wipe. Turning these tells into standing detections is the job of a managed threat-hunting practice, and having a rehearsed incident-response plan for destructive intent is what turns a keyless ransom screen from a panic into a procedure.

Read a keyless ransom screen as a wiper

The single most useful habit to take from GigaWiper is a classification rule. When you see encrypted files with no ransom note and no recoverable key, stop treating it as ransomware and start treating it as destruction. That decision reorders everything after it: you isolate to preserve evidence, you pull backups forward, and you hunt the four host signals above across the rest of the fleet, because a wiper operator who reached one machine usually reached more. The fake ransom note wants you to waste the window. Do not give it to them.

Topics

Frequently asked questions

What is GigaWiper?

GigaWiper is a destructive Windows backdoor written in Go that Microsoft detailed on July 10, 2026.

It merges three malware families into one implant: a disk wiper, a fake ransomware routine, and spyware. Binary Defense reported the same code as BLUERABBIT.

Is GigaWiper actually ransomware?

No. GigaWiper encrypts files to a .candy extension but keeps no decryption key and leaves no ransom note.

Microsoft describes the files as unrecoverable by design, so the ransomware screen is cover for a disk wipe rather than a real demand for payment.

Who is behind GigaWiper?

Attribution is not fully settled. Binary Defense assessed the activity as likely Iran-nexus and aimed at Israeli organizations.

Microsoft did not name a country but linked the fake-ransomware component to a group it tracks as CyberAv3ngers, which it has previously associated with Iran.

How do defenders detect GigaWiper?

Watch host behavior rather than file hashes, which rotate. Microsoft flags a scheduled task named OneDrive Update that runs every minute, RabbitMQ or Redis traffic from user workstations, ownership changes on Windows boot files, and Security event logs cleared more than once.

Can files encrypted by GigaWiper be recovered?

Not by decryption. The fake ransomware routine uses random keys it never saves, so there is nothing to buy back and no note to negotiate against.

Recovery means restoring from backups you hold off the affected machine, which is why the incident is a destruction case, not an extortion one.

What should you do if you find a GigaWiper infection?

Treat it as a wiper, not ransomware. Isolate the host to preserve evidence, pull backups forward, and hunt the same host signals across the rest of the fleet.

A wiper operator who reached one machine has usually reached more, so scope before you rebuild.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.