YYaaa News

Microsoft names GigaWiper — the "ransomware" that never keeps a decryption key, purpose-built to wipe

TL;DR

Microsoft discloses "GigaWiper," a destructive backdoor that wipes disks, overwrites system drives, and fakes ransomware — but never keeps decryption keys. Espionage cover.

Microsoft's security team has disclosed a destructive backdoor called GigaWiper. Microsoft calls it "extremely severe" — the operator's intent is destruction, not payment. Microsoft's analysis pins the underlying goal on espionage cover.

Three technical capabilities: full-disk wipe, system-drive overwrite, and a fake-ransomware routine that encrypts user files. The critical detail: the operator never keeps the decryption keys. The design borrows the shell of ransomware as a disguise; the real payload is a pure wiper, structurally identical to NotPetya in 2017 — but with the "pretend to want money" veneer, buying time on victim response and steering incident-response resources in the wrong direction.

The mutation point here is the divorce of motive from mechanics. Ransomware's business model is encrypt → extort → decrypt; the key is the product. GigaWiper throws the key away, effectively admitting it never planned to collect. This shape now sits firmly in the toolkits of nation-state threat actors — Iran, North Korea, and Russia's APTs have all used similar patterns over the last five years. NotPetya was Russian GRU against Ukraine; Shamoon was Iran against Saudi Aramco.

Microsoft has not published a CVE or attribution, and did not share victim counts. The value of the disclosure is naming — once the community can label wiper-as-ransomware as its own category, signatures, YARA rules, and attribution work can follow.

Enterprise action: check for unexplained encryption processes on critical servers with no ransom note, verify offline backup storage, and add "fake ransomware" as a scenario in incident-response runbooks.

via Landian News
微軟曝 GigaWiper 破壞性後門|偽裝勒索但根本不留解密密鑰,純為擦盤而生