Stryker confirms destructive cyberattack as Handala-linked incident disrupts global operations
Stryker has confirmed that a March 11 cyberattack caused a global disruption to its Microsoft environment, affecting internal systems used across the company. The medical technology giant says it activated its incident response plan immediately, engaged external cybersecurity experts, and is still working to restore key business systems.
The company has not publicly confirmed that tens of thousands of devices were wiped. What Stryker has confirmed is a major cyberattack with broad operational impact, including disruption to ordering, manufacturing, shipping, and internal communications. Handala has claimed responsibility, and outside researchers have linked the actor to destructive operations associated with Iran-linked activity, but some of the larger public claims about device wipe counts and data theft remain unverified by Stryker itself.
Stryker has also said it has “no indication of ransomware or malware” and believes the incident is contained. That wording matters because it suggests the company has not publicly classified the event as a conventional ransomware attack, even though security researchers tracking Handala have described the group as one that uses destructive wiping techniques.
What Stryker has confirmed
In its March 11 SEC filing, Stryker said it identified a cybersecurity incident affecting certain information technology systems that caused a global disruption to its Microsoft environment. The company said it launched an internal investigation with external support to assess and contain the threat, and warned that the incident could continue to disrupt operations until recovery is complete.
In customer updates published after the filing, Stryker said it was prioritizing restoration of customer-facing ordering and shipping systems first. It also said there was no timeline yet for full recovery, though it described core transactional systems as being on a path to recovery.
The company also stressed that its medical products remain safe to use. Stryker said connected or clinical platforms such as LIFEPAK, Mako, SurgiCount, Vocera Ease, Vocera Edge, and care.ai were unaffected because they either are not connected in the same way or run on separate infrastructure.
What is still not confirmed
Handala and some outside reports have claimed very large-scale destruction, including wipes affecting more than 200,000 devices and the theft of tens of terabytes of data. Stryker has not confirmed those figures in its SEC filing or customer updates. Reuters also reported the group’s claims, but noted that they had not been independently verified.
Reports from Arctic Wolf and Unit 42 point to possible misuse of Microsoft Intune and destructive wipe activity in Handala-linked incidents, but Stryker itself has not publicly said Intune was the initial cause or confirmed the exact wipe mechanism used in its environment.
So the strongest accurate framing is this: Stryker has confirmed a serious cyberattack with major business disruption, while researchers and the threat actor itself claim the operation involved destructive wiping. The exact device count and full scope of data loss remain publicly unconfirmed by Stryker.
Why researchers believe this was a destructive operation
Check Point says Handala Hack, also tracked as Void Manticore, is an Iranian threat actor linked to Iran’s Ministry of Intelligence and Security. Its recent campaigns have used RDP, tunneling tools such as NetBird, custom wiping tools, and manual destructive actions to damage victim environments.
Unit 42 separately warned of an increased risk of Handala-linked wiper attacks and said recent destructive operations reportedly involved phishing and abuse of administrative access through Microsoft Intune. That aligns with the pattern seen in public reporting around the Stryker case, though again, Stryker has not itself confirmed the detailed kill chain.
Operational impact on Stryker
The company told customers that the attack disrupted order processing, manufacturing, and shipping. Reuters separately reported that Stryker’s shares fell after the incident became public and noted that the company had no immediate timeline for full restoration.
Stryker employs about 56,000 people and operates in 61 countries, so even a disruption limited to its internal Microsoft environment can create major downstream effects across support, logistics, and corporate operations.
Key details at a glance
| Item | What is confirmed |
|---|---|
| Incident date | March 11, 2026 |
| Confirmed by Stryker | Yes |
| Environment affected | Global Microsoft environment |
| Ransomware confirmed | No |
| Malware confirmed by Stryker | No; Stryker says it has "no indication of ransomware or malware" |
| Operational disruption | Yes, including orders, manufacturing, shipping |
| Medical product safety | Stryker says products remain safe to use |
| Exact number of wiped devices | Not confirmed by Stryker |
FAQ
Not directly in those words. Stryker confirmed a cyberattack and major disruption, but it publicly said it had no indication of ransomware or malware. Researchers tracking Handala say the group uses destructive wiping tactics.
No. That scale of damage has appeared in threat actor claims and external reporting, but Stryker has not publicly confirmed a device wipe count.
Stryker says its medical products remain safe to use and that several named platforms were unaffected.
Handala claimed responsibility. Check Point and Unit 42 associate Handala with Iran-linked destructive cyber activity.