On March 11, 2026, Stryker Corporation, a major player in medical technology, confirmed that it had been hit by a major cyberattack that disrupted its global Microsoft environment. Handala, a threat actor linked to Iran, claimed responsibility for what looks like a politically motivated, destructive operation.
The attack on Stryker doesn't look like a typical financially motivated intrusion; it looks more like a destructive wiper campaign. Stryker repeatedly told customers in updates that there was "no indication of ransomware or malware." This led investigators to believe that the goal was to destroy data on purpose rather than to extort the company. Handala said that they had wiped thousands of servers and endpoint devices, such as Windows laptops and smartphones, and at the same time, they said they had stolen 50 terabytes of important business data.
Researchers in open-source intelligence and cybersecurity at Arctic Wolf said that the attackers probably used Microsoft Intune, Stryker's mobile device management platform, to send mass factory reset or wipe commands to enrolled corporate endpoints around the world. Employees said they could see their devices being wiped in real time, and some login pages had Handala's logo on them. Stryker's corporate offices in several countries were evacuated, and employees were told to disconnect from all company networks and not turn on any company-issued devices.
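A defender-side check for the pattern described above, as an added example that is not from Stryker, Arctic Wolf or Microsoft: it flags any one identity that issues destructive device actions against many distinct devices within a short window. The records are constructed, and the field names (time, actor, action, device), the threshold and the window are assumptions for this example, not the Intune audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action names treated as destructive (assumed labels for this example).
DESTRUCTIVE = {"wipe", "retire", "delete"}

def sample_events():
    """Constructed audit records: two routine actions, then a burst of 40 wipes."""
    base = datetime(2026, 1, 1, 9, 0, 0)
    events = [
        {"time": base, "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0001"},
        {"time": base + timedelta(hours=3), "actor": "helpdesk@example.com",
         "action": "retire", "device": "PH-0002"},
    ]
    # One admin identity wiping 40 distinct devices, 5 seconds apart.
    events += [
        {"time": base + timedelta(hours=5, seconds=5 * i), "actor": "admin@example.com",
         "action": "wipe", "device": f"LT-{1000 + i}"}
        for i in range(40)
    ]
    return events

def find_mass_wipes(events, threshold=10, window=timedelta(minutes=10)):
    """Return {actor: (time threshold was first crossed, peak distinct devices in window)}."""
    recent = defaultdict(deque)   # per-actor sliding window of (time, device)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE:
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop entries that have aged out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = len({device for _, device in q})
        if distinct >= threshold:
            first, peak = alerts.get(ev["actor"], (ev["time"], 0))
            alerts[ev["actor"]] = (first, max(peak, distinct))
    return alerts

if __name__ == "__main__":
    for actor, (when, peak) in find_mass_wipes(sample_events()).items():
        print(f"ALERT {actor}: {peak} devices in window, threshold crossed at {when}")
```

Counting distinct devices rather than raw events keeps retries against one device from inflating the score; the time the threshold is first crossed is the point at which a response such as suspending the issuing identity would have to act.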
Handala claims to be a pro-Iran hacktivist group, but researchers at Palo Alto Networks' Unit 42 have found that it is linked to the Iranian Ministry of Intelligence and Security (MOIS). This means that it is a state-backed threat actor rather than an independent hacktivist group.
The group said that the Stryker attack was revenge for a U.S. military strike on a school in Minab, Iran, which Iranian state media said killed at least 168 children. Handala called the operation "the start of a new era in cyber warfare."
Disruptions from the Stryker Cyberattack
The attack made Stryker's order processing, manufacturing, and global shipping operations very difficult.
The company, which made $25.1 billion in sales in 2025 and has about 56,000 employees in 61 countries, sent an 8-K report to the U.S. Securities and Exchange Commission and said it has no plans to fully restore its systems at this time. Stryker's stock fell more than 3% right after the news broke.
Stryker also made sure that all of its medical products, including connected and life-saving devices, are still safe to use. It was confirmed that devices like LIFEPAK defibrillators, Mako robotic surgical systems, SurgiCount and Triton apps, Vocera Edge, Vocera Ease, and the care.ai platform were not affected.
Cloud-hosted platforms like Vocera Ease on AWS and care.ai on Google Cloud Platform work on infrastructure that is not affected by Stryker's Microsoft corporate environment. SurgiCount works only in a separate, dedicated cloud environment that doesn't connect to Stryker's internal Microsoft systems. As soon as Stryker found out about the incident, it put its incident response plan into action. It worked with U.S. law enforcement and government agencies and brought in outside cybersecurity experts.
The company is focusing on fixing the ordering and shipping systems that customers use first. As of the most recent update, the core transactional systems are clearly on the road to recovery, and the restoration of the systems is moving forward steadily.












