Microsoft has disclosed GigaWiper, a Golang-based Windows backdoor that bundles disk-wiping, unrecoverable ransomware-style encryption and data theft into one modular tool. For UK infrastructure teams, the priority now is auditing backup immutability and air-gapped DR copies before an attacker gets the chance to test them.
View the data behind this chart
| Phase | Starts (week) | Duration (weeks) |
|---|---|---|
| First attacks spotted | 0 | 4 |
| Threat-hunting & sample | 4 | 30 |
| Microsoft public disclosure | 34 | 6 |
What Microsoft found
According to Microsoft Threat Intelligence, GigaWiper first appeared in attacks spotted last October and was disclosed publicly in a Thursday blog post. Analysts uncovered two variants: a standalone disk wiper that overwrites raw disk content and strips partition metadata before forcing an immediate reboot, and a fuller backdoor that adds persistence, command-and-control over RabbitMQ (AMQP) with Redis for status updates, and a menu of destructive commands operators can trigger at will.
Microsoft describes the tool as combining code from at least three prior malware families: Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper, all folded into a single modular package. The vendor would not tell The Register how many organisations have been affected or where.
Why bundling wiper and ransomware code matters
Historically, wipers destroy and ransomware extorts — they're built by different logic and rarely share a codebase. Microsoft's own assessment calls the consolidation into one backdoor a "notable shift", because it gives an intruder options: encrypt for leverage, wipe for pure damage, or do both in the same intrusion, often without warning which path they'll choose until it's too late.
One command is particularly punishing: it uses randomly generated keys that are never saved anywhere, meaning even a victim willing to pay has no route to decryption. Another command disables Windows recovery and forces a blue-screen crash that leaves machines unable to boot at all. For a UK operator, that means the usual crisis-response assumption — 'we can negotiate or restore' — cannot be relied upon.
The backup audit this forces onto your desk
If files can be destroyed with no possibility of recovery from the attacker's side, your entire resilience posture rests on backups the intruder cannot also reach or corrupt. GigaWiper's disk-level wiping and event-log clearing show these actors expect to operate with a long window inside a network before triggering the destructive payload — long enough to also find and disable poorly isolated backup infrastructure.
This is the moment to review your backup and disaster recovery strategies against a simple test: could an attacker with domain admin rights delete, encrypt, or overwrite your recovery copies alongside production data? Teams that haven't recently walked through how to understand immutable backup mechanisms — write-once storage, retention locks, and separation of backup credentials from production identity — should treat this disclosure as the trigger to do so.

Air-gapping and DR testing, not just backup existence
Having backups isn't the same as having backups that survive a GigaWiper-style intrusion. The malware's C2 architecture over RabbitMQ and Redis, plus its bulk AES-256 CBC file encryption and MinIO-based exfiltration command, point to attackers capable of methodical, extended reconnaissance before detonation. UK infrastructure buyers should prioritise designing immutable backup architectures that combine offline or air-gapped copies with regular, verified restore testing — not annual box-ticking, but proof that a full environment can be rebuilt from a known-good point.
Where downtime cost hasn't been quantified recently, it's worth using a tool to calculate the potential cost of downtime to justify the investment case for tighter DR testing cadences to the board.
Detection matters as much as recovery
GigaWiper's screen recording, keyboard/mouse takeover, PowerShell execution and system reconnaissance functions suggest a tool built for prolonged, hands-on-keyboard operation rather than a smash-and-grab. That argues for layered detection alongside backup resilience: organisations should strengthen your ransomware protection controls, adopt zero trust segmentation to limit lateral movement toward backup infrastructure, and ensure managed detection & response coverage extends to command-and-control patterns like unusual RabbitMQ or Redis traffic on the network.
