Medtech Company Stryker Offline After Iran-Linked Wiper Malware Attack

Medical technology manufacturer Stryker has suffered a significant cyberattack that forced the company offline and disrupted operations worldwide, according to reports and a regulatory filing. The attack has been attributed to Handala, a hacktivist group linked to Iranian actors and known for targeting organisations with destructive malware that wipes systems. The incident has affected tens of thousands of systems and servers across Stryker’s global network, leading to shutdowns at offices in dozens of countries and prompting an ongoing effort to restore affected systems and services.

Handala claims it stole about 50 terabytes of data before deploying wiper malware that wiped more than 200,000 systems, servers, and mobile devices connected to Stryker’s infrastructure. The group said systems in 79 countries were forced offline, greatly affecting the company’s ability to operate normally. Images shared by the attackers showed that Stryker’s login page had been defaced with a Handala logo, reflecting the extent of the compromise. Individuals claiming to be Stryker employees in the United States, Ireland, Costa Rica, and Australia reported that devices enrolled in the company’s mobile device management platform were wiped remotely in the early hours of Wednesday, disrupting access to essential corporate applications and data.

A number of Stryker employees said personal devices used for work purposes were also affected when those devices were enrolled in the company’s management systems. Staff were instructed to remove corporate management tools from their personal devices, including tools for accessing work email, communication platforms, and virtual private networks, to prevent further unintended loss of personal data. In some locations, the attack forced staff to return to manual processes, using pen and paper when access to internal services became unavailable. The widespread loss of access to digital systems highlighted how deeply the attack penetrated the company’s operations.

Following initial reports of widespread disruption, Stryker confirmed the cyberattack in a Form 8-K filing submitted to the U.S. Securities and Exchange Commission. The filing acknowledged that the company identified a cybersecurity incident on March 11, 2026, that affected certain information technology systems and resulted in a global disruption of its Microsoft environment. The company indicated that it activated its cybersecurity response plan, engaged external advisors and cybersecurity experts to assess and contain the threat, and launched an internal investigation. In its statement to investors and regulators, Stryker said that at this time it did not have any indication that ransomware or malware was involved and believed that the incident was contained.

Despite the company’s assessment that the threat has been contained, Stryker warned that the incident will continue to disrupt its work environment, including access to networked systems and business applications used in its daily operations. The filing noted that the company did not yet have a timeline for when full restoration of services and systems would be completed. Stryker’s global sales reached $22.6 billion in 2024, and it employs more than 53,000 people worldwide, making the impact of this attack significant for both employees and customers who depend on its medical and surgical technology products.

Handala first emerged in late 2023 and is also known by names such as Handala Hack Team, Hatef, or Hamsa. The group has been linked by cybersecurity analysts to Iran’s Ministry of Intelligence and Security and has a history of targeting organisations with malware designed to destroy Windows- and Linux-based systems while exfiltrating sensitive data. It is also known to publish data stolen from victims on public data leak sites associated with the group. The Stryker attack marks one of the most disruptive incidents attributed to Handala to date, illustrating the growing threat posed by wiper malware operations and the challenges that major corporations face in defending against such destructive attacks in an interconnected digital economy.
