Medtech giant Stryker offline after Iran-linked wiper malware attack

Update: Story updated with a statement from Stryker confirming they suffered a disruptive cyberattack.

Leading medical technology company Stryker has been hit by a wiper malware attack claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group.

The medtech giant manufactures a range of products, including surgical and neurotechnology equipment. With over 53,000 employees, Stryker is a Fortune 500 company that reported global sales of $22.6 billion in 2024.

Handala says they stole 50 terabytes of data before wiping tens of thousands of systems and servers across the company’s network, forcing Stryker to shut down in “an unprecedented blow.”

“In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted,” the attackers said. “Stryker’s offices in 79 countries have been forced to shut down.”

This aligns with reports from people claiming to be Stryker employees from the United States, Ireland, Costa Rica, and Australia, who said their managed Windows and mobile devices were remotely wiped in the middle of the night. The attackers have also defaced the company’s Entra login page to display a Handala logo.

A Stryker employee told BleepingComputer the incident began early Wednesday morning, when devices enrolled in the company’s mobile device management system were remotely wiped. The employee said colleagues who had personal phones enrolled for work access also lost data after their devices were reset.

Staff were instructed to remove corporate management and applications from their personal devices, including the Intune Company Portal, Teams, and VPN clients.

Numerous employees also report that the attack disrupted access to internal services and applications, forcing some locations to revert to “pen and paper” workflows after systems became unavailable.

As a result of the attack, Stryker is now working to restore their systems amid a global outage, as first reported by The Wall Street Journal.

“We are experiencing a severe, global disruption impacting all Stryker laptops and systems that connect to our network,” Stryker told employees in Cork, Ireland, according to local media.

“At this time, the root cause has not yet been identified. We are actively engaged with Microsoft and treating this a critical, enterprise-wide incident,” the company added in a message sent to employees in Asia.

Handala (also known as Handala Hack Team, Hatef, Hamsa) first surfaced in December 2023 as a hacktivist operation linked to Iran’s Ministry of Intelligence and Security (MOIS) that targets Israeli organizations with destructive malware designed to wipe Windows and Linux devices.

They are also known for stealing sensitive data from victims’ compromised systems and publishing it on the group’s data leak portals.

Stryker confirms cyberattack

After publishing this story, Stryker filed a Form 8-K with the SEC, confirming that it suffered a cyberattack that impacts its entire Microsoft environment.

“On March 11, 2026, Stryker Corporation (“we” or the “Company”) identified a cybersecurity incident affecting certain information technology systems of the Company that has resulted in a global disruption to the Company’s Microsoft environment,” reads the 8K filing.

“Upon detection, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors and cybersecurity experts to assess and to contain the threat.”

“The Company has no indication of ransomware or malware and believes the incident is contained.”

The company says the incident will continue to disrupt its work environment, including access to network systems and business applications used in its operations, while they restore systems.

However, Stryker says it does not have a timeline for when everything will be restored.