Get all your news in one place.
100's of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Microsoft discovers new multi-malware package 'GigaWiper' capable of deploying wipers and ransomware

Hacker hands at work with interface around.
  • Microsoft warns of “GigaWiper,” a destructive malware attributed to Iranian group CyberAv3ngers that combines multiple variants into one
  • It can wipe drives, encrypt files with a fake ransomware extension, or overwrite Windows partitions, while also spying via screenshots, VNC sessions, and system data theft
  • The malware hides under fake OneDrive tasks and registry keys, showing both espionage and sabotage capabilities with no recovery path for victims’ data

Microsoft is warning about a new piece of malware called GigaWiper, which can spy on people’s computers and then destroy them entirely, in different ways.

It was built by mashing different malware variants into one, and it seems to be the work of Iranian state-sponsored threat actors called CyberAv3ngers. The hackers also took a little cheeky dig at Microsoft, through the malware’s obfuscation mechanism.

As Microsoft explained, GigaWiper can overwrite the physical drive and wipe the partition table, destroying the contents of the disk directly. It can also encrypt all files on the drive, add a .candy extension, and change the desktop wallpaper to show a warning. This ransomware approach does not share a ransom note, and does not generate a decryption key, so there is nothing to pay, and no way to decrypt the files - they are gone for good, just giving victims false hope.

Spying on the victims

Finally, the third method goes straight for the Windows drive, overwriting it multiple times with different data patterns.

Besides bricking the disk, GigaWiper can also spy on its victims by grabbing screenshots, recording the screen, or opening a VNC session to either stream someone else’s work, or allow the attackers to use the mouse and keyboard. The malware can also extract system data, manage programs and services, modify the registry, and more.

But the cheekiest feature is how it hides. It schedules a task called OneDrive Update and tracks itself in a registry key called OneDrive\Environment. Perhaps the attackers assumed no one really pays attention to OneDrive, and thus the malware could stay out of sight for longer.

Speaking of the attackers, Microsoft does not name them, but most of the components mashed together to form GigaWiper were previously attributed to CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps.

Sign up to read this article
Read news from 100's of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.