On March 10, 2026, Stryker, a leading US-based medical technology company, suffered a significant cyberattack that disrupted its global operations. The incident, identified as a destructive wiper attack rather than traditional ransomware, led to the permanent deletion of data across employee laptops, mobile devices, and other Windows-based remote systems. This attack effectively crippled Stryker’s internal IT infrastructure, causing widespread operational paralysis across its sites in Europe, Asia, and the United States.
Stryker employs approximately 56,000 people worldwide, including around 4,000 employees at its Cork, Ireland facility. According to reports, all IT systems at the Cork base remained offline for several days, leaving thousands of Irish employees unable to perform their duties. Internally, the company faced challenges in order processing, manufacturing, and shipping due to the IT disruption. Notably, the company stated that the attack did not affect its connected medical devices or patient care operations, which helped mitigate broader healthcare risks.
The threat actor behind this attack is believed to be Handala, an Iran-linked hacking group. Handala claimed responsibility for the operation, asserting it was retaliation for a missile strike on an Iranian school earlier in March 2026. The group alleged that over 200,000 systems, including servers and mobile devices, were wiped and that 50 terabytes of critical data were extracted. However, Stryker has not independently confirmed the data theft or verified the full scale of the destruction claimed by the attackers. The company also clarified that no ransomware or malware was detected during its investigation, indicating that this was a targeted destructive attack focused on wiping systems rather than encrypting data for ransom.
Open-source reports and company statements indicate that the attackers may have exploited Microsoft Intune or similar remote management tools to issue wipe commands to employee devices connected to the corporate network. This method allowed the threat actors to remotely delete data on devices running Windows operating systems. The exact initial access vector remains unconfirmed, and Stryker continues to investigate the full scope of the breach.
In response to the incident, Stryker engaged with Microsoft and treated the event as a critical enterprise-wide disruption. By March 17, 2026, the company reported containing the breach and focusing on restoring critical systems needed to resume customer support, orders, and shipping operations. The financial impact of the incident is still under assessment, and the full recovery timeline has not been publicly disclosed. Importantly, no customer or patient data appears to have been compromised, and there were no reported impacts to connected medical products such as the Mako surgical system.
This incident underscores the evolving threat landscape faced by organizations in the medical technology sector. To better protect themselves, companies should consider the following recommendations:
- Implement robust endpoint security: Regularly update and patch all employee devices, particularly those connecting remotely, to reduce vulnerabilities.
- Harden remote management tools: Secure platforms like Microsoft Intune with multi-factor authentication, strict access controls, and continuous monitoring to prevent abuse by threat actors.
- Develop and test incident response plans: Prepare for destructive attacks by establishing clear protocols to isolate affected systems, communicate internally and externally, and restore operations swiftly.
- Regular backups and data recovery: Maintain secure, tested offline backups so that data can be restored after a wipe or other destructive attack.
- Employee training and awareness: Educate staff on cybersecurity best practices and phishing detection to minimize initial intrusion risks.
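One way to act on the continuous-monitoring recommendation for remote management tools, as an added example that is not from the original article, Stryker or Microsoft: a sliding-window detector that flags an admin identity issuing wipe commands to many distinct devices in a short time. The log schema, field names, account names and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events. Field names and the "wipe" action value are
# hypothetical, not the real Intune audit schema; map them from your own export.
SAMPLE_LOG = """\
{"time": "2026-03-10T02:00:05", "actor": "helpdesk1", "action": "wipe", "device": "LT-0001"}
{"time": "2026-03-10T02:14:00", "actor": "admin-svc", "action": "sync", "device": "LT-0002"}
{"time": "2026-03-10T02:14:10", "actor": "admin-svc", "action": "wipe", "device": "LT-0003"}
{"time": "2026-03-10T02:14:12", "actor": "admin-svc", "action": "wipe", "device": "LT-0004"}
{"time": "2026-03-10T02:14:15", "actor": "admin-svc", "action": "wipe", "device": "LT-0005"}
{"time": "2026-03-10T02:14:15", "actor": "admin-svc", "action": "wipe", "device": "LT-0005"}
{"time": "2026-03-10T02:14:20", "actor": "admin-svc", "action": "wipe", "device": "LT-0006"}
not-json garbage line
{"time": "2026-03-10T09:30:00", "actor": "helpdesk1", "action": "wipe", "device": "LT-0007"}
"""

def detect_wipe_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per actor whose wipe commands reach more than
    `threshold` distinct devices inside a sliding `window`."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            events.append((datetime.fromisoformat(e["time"]),
                           e["actor"], e["action"], e["device"]))
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skipped here, worth counting in production
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in the window
    alerted, alerts = set(), []
    for ts, actor, action, device in sorted(events):  # tolerate out-of-order logs
        if action != "wipe":
            continue
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:  # drop wipes older than the window
            q.popleft()
        devices = {d for _, d in q}   # retried commands count once per device
        if len(devices) > threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "at": ts.isoformat(),
                           "devices": sorted(devices)})
    return alerts

if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct devices rather than raw events keeps retried commands from inflating the score, and routine single-device helpdesk wipes stay below the threshold.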
The Stryker attack illustrates how geopolitical tensions can manifest in cyber operations targeting critical industries. While the full details and motivations remain partially unverified, organizations must remain vigilant and proactive in strengthening their cybersecurity postures to mitigate such destructive threats.
Sources: Irish Mirror (irishmirror.ie), "Stryker cyber attack: Thousands of Irish unable to work as hackers cripple global systems"; Ransomware.Live; and Perplexity Research reports as of March 2026. Generated with AI assistance.
