I wrote about INC Ransom working through Australian healthcare for eighteen months roughly forty minutes ago. My keyboard hasn’t cooled down. And then Bleeping Computer drops the Stryker story and I genuinely had to put my coffee down and read it twice. Because this is a different category of attack and it should scare the hell out of anyone working in medical technology, healthcare systems procurement, or critical infrastructure.
Stryker. If you don’t know Stryker, they are one of the largest medical technology companies on the planet — surgical robotics, orthopedic implants, hospital beds, emergency medical equipment, endoscopy systems, neurovascular devices. The kind of company whose products are literally keeping people alive in operating rooms right now, at this exact moment, in hospitals around the world. And according to Bleeping Computer’s reporting on March 11, 2026, they have been taken offline by a wiper malware attack claimed by Handala — an Iranian-linked, pro-Palestinian hacktivist group.
Not ransomware. A wiper. Let that distinction land before we go any further, because it matters enormously for what this means and what Stryker can do about it.
What Happened — And Why “Wiper” Changes Everything
Per Bleeping Computer’s reporting on March 11, 2026, Stryker — a Fortune 500 medtech giant with operations in over 100 countries — has been taken offline following a wiper malware attack claimed by the Handala group. Handala is an Iranian-linked, pro-Palestinian hacktivist collective that has previously targeted Israeli and Israeli-affiliated organizations but has expanded its operations to companies perceived as connected to Israeli interests, US defense and technology sectors, and Western critical infrastructure more broadly.
The critical distinction here is wiper versus ransomware, and I cannot emphasize this enough: when you get hit with ransomware, your data is encrypted and the attacker has a key. It’s catastrophic, it’s expensive, and the recovery path involves either paying the ransom or restoring from backups. It’s terrible. But there is a recovery path.
When you get hit with a wiper, the attacker doesn’t encrypt your data. They delete and overwrite it. Deliberately, systematically, and in many cases irreversibly. There is no decryption key to buy. There is no negotiation. The goal is not financial extortion — it is operational destruction. The wiper is deployed because the attacker wants your systems to be dead and your data to be gone. That is the objective. Not money. Destruction.
The history of wiper malware in geopolitical contexts is instructive. NotPetya in 2017, originally deployed against Ukrainian infrastructure by Sandworm, the GRU's cyber unit, spread globally and caused an estimated $10 billion in damages. Maersk had to rebuild 45,000 PCs and 4,000 servers. Merck lost roughly 30,000 computers, and its Gardasil production was disrupted badly enough that the company borrowed vaccine doses from the CDC's Pediatric Vaccine Stockpile. Shamoon in 2012 wiped roughly 35,000 machines at Saudi Aramco. These are not hypotheticals. Wiper attacks on critical infrastructure have a documented track record of catastrophic, lasting damage.
Stryker operates at the intersection of medical technology manufacturing, surgical systems, and hospital supply chains. A wiper attack that takes Stryker’s operational systems offline doesn’t just disrupt a technology company. It potentially disrupts the supply chain for surgical equipment and implants, the maintenance and software update infrastructure for Stryker-manufactured surgical robots and imaging systems in active clinical use, and the company’s ability to respond to device recalls or safety alerts for their products. That last one is not a hypothetical concern — the FDA requires medtech companies to maintain the capability to issue timely safety communications and recalls. A company with destroyed operational systems has a compromised ability to fulfill that requirement.
As I’ve written in my research on the Fourth Turning dynamics that are driving escalatory geopolitical crises, we are in a period of accelerating hybrid conflict where the boundary between state action, state-proxied action, and politically motivated non-state action is increasingly difficult to draw. Handala’s claimed attacks are the operational expression of this dynamic. An Iranian-linked hacktivist group targeting a major American medtech company is not random. It is a calculated expression of geopolitical grievance through a target that causes demonstrable harm while maintaining some degree of deniability for the state that backs the group.
The Handala Context — Who These People Are
Handala is not a new actor and this is not their first major claimed operation. The group emerged in the context of the Israel-Palestine conflict, claiming a range of intrusions against Israeli targets, Israeli government and military contractors, and companies with ties to Israeli interests or American defense and technology sectors. They operate under a loosely organized hacktivist structure but with apparent access to more sophisticated tools and capabilities than a typical independent hacktivist collective — which is consistent with state-sponsored backing or at minimum state-tolerated operational support.
A destructive deployment is not hard because the wiper itself is sophisticated; many wipers are a few hundred lines of code that overwrite the master boot record, raw disk sectors, or the first bytes of every file they can open. The hard part is everything before that: obtaining privileged access, mapping the environment, adapting the payload to the OS mix actually in use, and getting it onto as many hosts as possible at once, typically by abusing the organization's own software-deployment tooling or Group Policy. That takes a prior reconnaissance and initial-access phase, and it takes timing: run the wiper on a Friday night, when the weekend adds dwell time before full incident response is activated.
The fact that Handala is claiming a wiper deployment against a Fortune 500 medtech company suggests either a significant capability escalation from their previous operations, or — and this is worth considering — that this wiper capability was provided or assisted by a state actor with an interest in demonstrating the capability to disrupt US critical industry without the direct attribution fingerprints of a nation-state operation. Iran has documented offensive cyber capabilities and a history of deploying destructive malware. Handala provides the plausible deniability layer.
My earlier research on submarine cable infrastructure and the dynamics of critical infrastructure attacks documents the strategic logic of critical infrastructure targeting: the goal is not to defeat an adversary in conventional military terms but to demonstrate the credibility of a retaliatory capability, impose economic and operational costs, and force defensive resource allocation. A wiper attack on Stryker accomplishes all three simultaneously. It costs Stryker enormous resources to recover. It forces the US medtech sector to allocate defensive investment. And it demonstrates that Iranian-linked actors can reach inside major American industrial companies and destroy their systems.
Why Medtech Specifically Is a High-Value Wiper Target
The medtech sector has a specific vulnerability profile that makes it attractive for destructive attacks beyond just the strategic signaling value.
Medtech companies manufacture and maintain software-driven medical devices. Their internal IT systems are not separate from their operational significance — they include manufacturing execution systems (MES) for regulated medical device production, software update and patch delivery infrastructure for devices already deployed in hospitals, regulatory submission and documentation systems, and quality management system (QMS) databases that track device history, complaints, adverse events, and recall history. These systems are deeply entangled with regulatory compliance requirements.
FDA-regulated device manufacturers have record-keeping and reporting obligations under the quality system rules (the QSR, superseded in February 2026 by the Quality Management System Regulation, which incorporates ISO 13485) and under Medical Device Reporting (21 CFR Part 803), which puts adverse-event reports on defined timelines, with corrections and removals reported under 21 CFR Part 806. If those systems are wiped, the company doesn't just have an IT problem. It potentially has a regulatory compliance problem, and a device safety problem if its ability to issue urgent safety communications is impaired.
As I covered in the CISA KEV addition for Apple iOS zero-days, the intersection of consumer technology, critical infrastructure, and targeted threat actor operations is increasingly where the highest-consequence incidents originate. Stryker supplies the equipment and implants used across a significant portion of US surgical practice. Taking it offline with a wiper is not a cybercrime incident. It is a geopolitical act dressed in hacktivist clothing.
What Went Wrong — The Wiper Threat Model Nobody Prepares For
Here’s the brutal truth about wiper preparedness in the enterprise: most organizations design their security posture around two primary threat scenarios — ransomware (data encrypted, pay for key or restore from backup) and data theft exfiltration (data taken, manage the breach). The wiper scenario — data systematically destroyed with no recovery option other than backups — gets less attention in most enterprise security architectures because it was historically associated primarily with nation-state attacks on geopolitical targets.
That calculus has changed. The expansion of wiper capability to state-proxy hacktivist groups like Handala means that any company with sufficient political or symbolic significance as a target now faces a credible wiper threat. Medtech companies with US defense contracts. Tech companies with Israeli business relationships. Healthcare systems serving specific population groups. The threat model has broadened beyond the universe of organizations that believed they were nation-state targets.
The other thing that goes wrong in wiper scenarios: backup coverage is designed against hardware failure and ransomware, not against systematic data destruction with lateral spread. A wiper pushed from a domain admin context to every domain-joined system at once finishes in minutes, far inside the interval between backup runs. Everything written since the last good backup completed is gone: if that backup finished 18 hours before the wiper ran, you have an 18-hour data loss gap that no restore can close. And if the backup server itself is domain-joined, the wiper reaches it in the same pass and the gap becomes total.
The Fixer’s Advice — Defending Against Wiper Malware
This is substantially different from ransomware defense, and if you’re only doing ransomware-oriented security, you have gaps. Here’s what changes.
1. Segment and isolate backup infrastructure completely from domain trust. A domain-joined backup system with a domain admin credential is a wiper target. Backup infrastructure should not be domain-joined. It should use separate, isolated authentication that cannot be reached from a compromised domain credential. Air-gapped or network-isolated backup copies that the wiper cannot reach from any domain-connected session are not optional for environments with elevated threat profiles. They are the baseline. And the restore path from the isolated copy has to be rehearsed on a schedule: an air-gapped copy nobody has restored from is a hope, not a control.
2. Adopt immutable storage for backups, specifically write-once, read-many (WORM) storage. Cloud services such as AWS S3 Object Lock and Azure Blob immutable storage, and equivalent on-premises appliances, prevent a locked backup object from being overwritten or deleted until its retention period expires, even by an authenticated, fully privileged credential. Mind the mode, though: S3 Object Lock in governance mode can be bypassed by any principal holding the s3:BypassGovernanceRetention permission, so a compromised admin account can still clear it, while compliance mode cannot be shortened or removed by anyone, including the account root user, until retention expires. Compliance mode (or its equivalent) is the setting wiper defense needs. A wiper cannot destroy what nothing in its reach is permitted to write to. This is the single most important architectural control against wiper-style attacks.
3. Implement cross-environment backup replication. Your primary backup copies should exist in a different environment from your production systems — different cloud account, different provider, different physical infrastructure. A wiper that destroys everything in your primary environment cannot touch backup copies in a separately controlled environment. This is true for ransomware too, but for wiper scenarios it’s the difference between recovery and total loss.
4. Increase backup frequency for critical operational systems. If your manufacturing execution systems, QMS databases, and regulatory documentation systems back up once every 24 hours, you have up to a 24-hour data loss exposure in a wiper scenario. Increase backup frequency for your most critical and hardest-to-reconstruct systems. Regulatory documentation that took months to generate should have multiple daily backup points.
5. Build detection for domain-wide mass file destruction. Wiper malware characteristically overwrites or deletes large numbers of files across many hosts in a short time window, and often pairs that with raw writes to the physical disk or boot sector and with shadow-copy deletion. This behavioral pattern, mass concurrent file modification or deletion across multiple systems, usually originating from a single compromised account or deployment system, is detectable by SIEM behavioral analytics if the rules exist. Build them. A rule that alerts on “more than X destructive file events across more than Y hosts within Z minutes from a single initiating identity” won't catch everything, but it will catch the mass deployment phase of most wiper tools, and a single identity writing to raw disk devices on more than one host should page someone regardless of volume.
6. Threat model for politically motivated destructive attacks specifically. If your company operates in sectors or with relationships that make you a plausible political target for groups like Handala, your threat model needs to explicitly include destructive wiper scenarios in addition to financial crime scenarios. Run a tabletop for “wiper deployed from compromised domain admin credential, Friday night, holiday weekend.” What is your 24-hour response? Who authorizes emergency recovery spend? What regulatory obligations trigger immediately? What do you tell the FDA if your QMS is destroyed? Have answers before the scenario is real.
7. Adopt Privileged Access Workstations (PAWs) and a tiered admin model for domain credentials. The common thread in most catastrophic wiper deployments is that the attacker obtains domain administrator credentials, or control of a system that can push code everywhere, during the reconnaissance phase. A tiered model, where tier-0 credentials are used only from dedicated PAWs with no internet access and no standard application use, and are never typed into a lower-tier host, significantly reduces the attack surface for domain admin credential theft. Treat your software-deployment and endpoint-management consoles as tier-0 assets too: a wiper that can be scheduled through them does not need domain admin at all.
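Item 5 above states the fan-out rule in words. What follows is an added example, not code from the original post and not any vendor's product logic, that implements that rule in Python over constructed EDR-style file events. The key=value line format, the hostnames, the identities (CORP\svc-deploy and so on), the Friday-night timestamps and the thresholds are all assumptions made for illustration; the sample log is generated inside the block and labelled as constructed. The window logic is the general sliding-window form of the rule, so it also covers the single-host-noise case the text does not spell out (a build server deleting thousands of files on one box should not fire).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed key=value export format (adapt the regex to your EDR/Sysmon pipeline).
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) action=(\S+) path=(\S+)$")

# Only destructive actions count; ordinary FileWrite is excluded so normal work is not noise.
DESTRUCTIVE_ACTIONS = {"FileDelete", "FileOverwrite", "RawDiskWrite"}


def parse_event(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, path = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "user": user,
        "action": action,
        "path": path,
    }


def detect_fanout(lines, min_events=20, min_hosts=4, window=timedelta(minutes=5)):
    """Alert when one identity generates >= min_events destructive events spanning
    >= min_hosts distinct hosts inside a sliding time window.

    Returns one alert per offending identity, for the first window that crossed the bar.
    """
    events = [e for e in map(parse_event, lines) if e and e["action"] in DESTRUCTIVE_ACTIONS]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # identity -> deque of (ts, host) still inside the window
    alerts = {}
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        hosts = {h for _, h in q}
        if len(q) >= min_events and len(hosts) >= min_hosts and e["user"] not in alerts:
            alerts[e["user"]] = {
                "user": e["user"],
                "window_start": q[0][0],
                "window_end": e["ts"],
                "events": len(q),
                "hosts": sorted(hosts),
            }
    return list(alerts.values())


def build_sample_log():
    """Constructed sample telemetry (not real data): benign edits, a noisy single-host
    build server, and one service identity fanning out across servers on a Friday night."""
    base = datetime(2026, 3, 6, 23, 0, 0, tzinfo=timezone.utc)

    def stamp(dt):
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Benign: an engineer saving files on their own workstation (FileWrite is not destructive).
    for i in range(15):
        lines.append(f"{stamp(base + timedelta(seconds=10 * i))} host=WS-ENG07 "
                     f"user=CORP\\jdoe action=FileWrite path=C:\\Users\\jdoe\\design_v{i}.dwg")
    # Noisy but legitimate: a build server clearing its workspace, many deletes on ONE host.
    for i in range(60):
        lines.append(f"{stamp(base + timedelta(seconds=2 * i))} host=BUILD01 "
                     f"user=CORP\\svc-build action=FileDelete path=D:\\ws\\obj\\{i}.o")
    # Malicious pattern: one identity overwriting files on six servers within about three minutes.
    targets = ["MES01", "QMS-DB01", "FS01", "FS02", "DC01", "ERP01"]
    for i in range(36):
        lines.append(f"{stamp(base + timedelta(minutes=7, seconds=5 * i))} host={targets[i % 6]} "
                     f"user=CORP\\svc-deploy action=FileOverwrite path=D:\\data\\{i}.db")
    return lines


if __name__ == "__main__":
    for alert in detect_fanout(build_sample_log()):
        print(f"ALERT {alert['user']}: {alert['events']} destructive events on "
              f"{len(alert['hosts'])} hosts between {alert['window_start']:%H:%M:%S} and "
              f"{alert['window_end']:%H:%M:%S} UTC: {', '.join(alert['hosts'])}")
```

Run as written, the only alert is for svc-deploy, which crosses the threshold on its twentieth event while the build server never fires because all of its deletes sit on a single host. The thresholds are deliberately low so the constructed data triggers; in production they are tuned per environment and expressed as the equivalent SIEM rule, with RawDiskWrite given its own much lower host threshold as item 5 suggests.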
The geopolitical context here is not going to calm down. As I’ve documented in my research on NATO burden-sharing and European security dynamics, the current strategic environment is one of elevated tension and accelerating hybrid conflict on multiple fronts. Iran-linked hacktivist operations targeting US critical industry are one expression of that environment. Stryker is the story that makes the news today. The question is which medtech, industrial, or healthcare organization is the story next month.
Build the wiper defenses now. They’re not the same as ransomware defenses. Most organizations don’t have them. Fix that.
