GigaWiper bundles disk wiping and fake ransomware into one Windows backdoor
Microsoft detailed GigaWiper, a destructive Windows backdoor that stitches several older malware families into one implant, letting operators choose how to destroy a machine. Its commands include a raw disk wiper that overwrites the drive and partition table, a multi-pass wiper for the Windows drive, and a fake-ransomware module that encrypts files with keys it never saves, so there is no recovery and no ransom note, only destruction disguised as extortion. It also offers remote access and log clearing. To hide, it poses as OneDrive through a scheduled task and routes command traffic over legitimate services like RabbitMQ and Redis. Because it runs after intrusion, offline backups are the real defense.
- Check
- Hunt for GigaWiper's signs, including a scheduled task posing as OneDrive Update, command traffic to RabbitMQ or Redis services you do not use, and unexpected changes to disk partitions or recovery settings.
- Affected
- Windows organizations an attacker has already breached; GigaWiper can destroy disks and files irreversibly while disguising the destruction as ransomware, and can also spy and maintain remote access before it strikes.
- Fix
- Keep tested, offline backups since wiped data cannot be decrypted, enable tamper protection and endpoint detection in block mode, monitor for suspicious scheduled tasks and disk operations, and restrict outbound traffic.