UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

GigaWiper Windows Backdoor Ransomware Wiper: 2026 Guide

London · Servnet News Desk · IT infrastructure analysis3 min read
Share

Microsoft has disclosed GigaWiper, a Golang-based Windows backdoor that bundles disk-wiping, unrecoverable ransomware-style encryption and data theft into one modular tool. For UK infrastructure teams, the priority now is auditing backup immutability and air-gapped DR copies before an attacker gets the chance to test them.

GigaWiper: from first attacks to public disclosure
W0W7W14W21W28W35W40First attacks spotted4wThreat-hunting & sample30wMicrosoft public…6wTotal: 40 weeks end-to-end
View the data behind this chart
GigaWiper: from first attacks to public disclosure
PhaseStarts (week)Duration (weeks)
First attacks spotted04
Threat-hunting & sample430
Microsoft public disclosure346

What Microsoft found

According to Microsoft Threat Intelligence, GigaWiper first appeared in attacks spotted last October and was disclosed publicly in a Thursday blog post. Analysts uncovered two variants: a standalone disk wiper that overwrites raw disk content and strips partition metadata before forcing an immediate reboot, and a fuller backdoor that adds persistence, command-and-control over RabbitMQ (AMQP) with Redis for status updates, and a menu of destructive commands operators can trigger at will.

Microsoft describes the tool as combining code from at least three prior malware families: Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper, all folded into a single modular package. The vendor would not tell The Register how many organisations have been affected or where.

Why bundling wiper and ransomware code matters

Historically, wipers destroy and ransomware extorts — they're built by different logic and rarely share a codebase. Microsoft's own assessment calls the consolidation into one backdoor a "notable shift", because it gives an intruder options: encrypt for leverage, wipe for pure damage, or do both in the same intrusion, often without warning which path they'll choose until it's too late.

One command is particularly punishing: it uses randomly generated keys that are never saved anywhere, meaning even a victim willing to pay has no route to decryption. Another command disables Windows recovery and forces a blue-screen crash that leaves machines unable to boot at all. For a UK operator, that means the usual crisis-response assumption — 'we can negotiate or restore' — cannot be relied upon.

The backup audit this forces onto your desk

If files can be destroyed with no possibility of recovery from the attacker's side, your entire resilience posture rests on backups the intruder cannot also reach or corrupt. GigaWiper's disk-level wiping and event-log clearing show these actors expect to operate with a long window inside a network before triggering the destructive payload — long enough to also find and disable poorly isolated backup infrastructure.

This is the moment to review your backup and disaster recovery strategies against a simple test: could an attacker with domain admin rights delete, encrypt, or overwrite your recovery copies alongside production data? Teams that haven't recently walked through how to understand immutable backup mechanisms — write-once storage, retention locks, and separation of backup credentials from production identity — should treat this disclosure as the trigger to do so.

Illustration: GigaWiper Windows Backdoor Ransomware Wiper: 2026 Guide

Air-gapping and DR testing, not just backup existence

Having backups isn't the same as having backups that survive a GigaWiper-style intrusion. The malware's C2 architecture over RabbitMQ and Redis, plus its bulk AES-256 CBC file encryption and MinIO-based exfiltration command, point to attackers capable of methodical, extended reconnaissance before detonation. UK infrastructure buyers should prioritise designing immutable backup architectures that combine offline or air-gapped copies with regular, verified restore testing — not annual box-ticking, but proof that a full environment can be rebuilt from a known-good point.

Where downtime cost hasn't been quantified recently, it's worth using a tool to calculate the potential cost of downtime to justify the investment case for tighter DR testing cadences to the board.

Detection matters as much as recovery

GigaWiper's screen recording, keyboard/mouse takeover, PowerShell execution and system reconnaissance functions suggest a tool built for prolonged, hands-on-keyboard operation rather than a smash-and-grab. That argues for layered detection alongside backup resilience: organisations should strengthen your ransomware protection controls, adopt zero trust segmentation to limit lateral movement toward backup infrastructure, and ensure managed detection & response coverage extends to command-and-control patterns like unusual RabbitMQ or Redis traffic on the network.

Share
Key takeaways
  • GigaWiper merges disk-wiping, unrecoverable encryption and data theft into one Windows backdoor, first seen last October and disclosed by Microsoft on Thursday.
  • One encryption command uses keys that are never saved, meaning paying a ransom will not restore files — recovery depends entirely on your own backups.
  • UK infrastructure teams should urgently verify backup immutability and air-gapped DR copies are truly isolated from production credentials and networks.
  • Detection of C2 traffic (RabbitMQ/AMQP, Redis) and lateral movement matters as much as backup resilience, given the malware's extended reconnaissance capabilities.
Frequently asked

FAQs — GigaWiper Windows Backdoor Ransomware Wiper

What is GigaWiper?

GigaWiper is a Golang-based Windows backdoor identified by Microsoft that combines disk-wiping, unrecoverable file encryption and data theft functions in a single modular tool, first spotted in attacks last October.

Can files encrypted by GigaWiper be decrypted?

No — one of its destructive commands, based largely on Crucio ransomware, uses randomly generated encryption keys that are never saved, so decryption is not possible even if a ransom is paid.

How does GigaWiper communicate with attackers?

The fuller backdoor variant uses RabbitMQ over AMQP to receive commands and Redis to update command status and output, alongside PowerShell execution and remote keyboard/mouse control.

What should UK organisations do now?

Prioritise auditing backup immutability and air-gapped DR copies, test full-environment restores, and ensure detection covers unusual C2 and lateral-movement traffic.

Related

Turning this into a buying decision?

One conversation with an engineer who's specced this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111