
How Infostealers May Have Opened the Door to the Stryker Wipe

Joe Toomey, March 12, 2026

Medical technology giant Stryker Corporation is reeling from a massive, coordinated cyber attack that has reportedly bricked over 200,000 global endpoints and deleted 50 terabytes of data. The assault, launched shortly after midnight on March 11, 2026, bypassed traditional defenses and likely weaponized the company’s own administrative tools to trigger a global reset or “wipe” of its hardware.

The Iran-linked threat group Handala has claimed responsibility for the “global network disruption,” framing the destruction as a retaliatory strike. Early reports and internal analysis suggest this wasn't a typical ransomware play, but a coordinated wiper attack that left laptops, desktops, and servers across the globe neutralized.

In an era where most major incidents are defined by extortion, the Stryker incident appears to be pure sabotage. By examining the trail left in infostealer logs and the likely abuse of centralized device-management stacks, we can see how this new chapter in cyber warfare was written.

Below, we unpack the intersection of high-value identity theft and the weaponization of administrative tools to explain why an infostealer can be one of the most dangerous fuses in your environment.

Destructive tactics in a ransomware world

Ransomware attackers care about leverage. They want a "carrot" (a decryption key or a promise not to leak data) so they can get paid and generally don’t destroy data because you can’t extort a pile of ashes.

Destructive operations are different because the goal is operational, reputational, or geopolitical damage. Historically, we’ve seen this wiper behavior in politically charged cases, like Shamoon (Saudi Aramco), NotPetya (Ukraine), and Destover (Sony Pictures).


These incidents all share a specific signature: a political target and tradecraft that prioritizes disruption over profit. The Stryker incident checks these boxes:

  • Political motive: The Iranian-linked group Handala claimed credit, explicitly tying the attack to the broader Middle East conflict.

  • The wipe signature: Reports of wiped endpoints and a crippled Microsoft environment without a ransom note signal the abuse of administrative tools rather than a typical ransomware play.

This shift from extortion to destruction fundamentally changes the risk profile for US businesses. While many clients feel they can out-negotiate a ransom or recover from backups, you simply can’t negotiate with a politically motivated actor intent on deletion.

What we can see from the outside

Stryker’s public message describes a global disruption to its Microsoft environment, but there’s been no mention of ransomware, no classic malware signatures, and no ransom demand.

Independent reporting and employee anecdotes paint a more aggressive picture. Staff were reportedly instructed not to log in; those who did found devices completely wiped.


Taken together, this is more consistent with abuse of administrative tooling at scale than with a typical ransomware infection. It suggests attackers who didn't just break in, but took over the command and control center of the enterprise.

Notably, Stryker’s governance pages indicate they have chosen not to purchase cyber insurance. To be clear, this doesn’t imply a lack of security. Stryker touts a "thorough global security program" and multiple certifications. However, by opting out of cyber insurance, they intentionally left one of the most effective external feedback loops on the table.

The credential problem hiding in plain sight

We don’t know, and may never know, the initial access vector the attacker used. That said, our analysis of infostealer‑sourced credential data tied to Stryker identities is particularly noteworthy.

In the months leading up to the incident, infostealer infections tied to Stryker accounts leaked credentials gating:

  • Enterprise SSO / identity providers (IDP, ADFS): The primary gateways to the cloud.

  • Service desk / ITSM systems: The internal workflow engines used by IT operations.

  • Privileged password management platforms: The vaults holding the company's most sensitive secrets.

If those credentials were still valid at the time of the attack, an adversary with that bundle of infostealer output would have held a devastating advantage. They would have possessed a clear path to log into core SaaS and admin surfaces, along with enough context to understand how incidents are routed, which systems are critical, and who holds which roles.

With the amount of wiping that’s been reported, Stryker themselves may never be able to identify a definitive patient zero if, in fact, compromised credentials were the initial access route of the attack. However, based on what is visible in the data and how these environments are typically built, this is a credible candidate for the root cause. This foothold is precisely what can be turned into enterprise-wide device‑level control with a few bad decisions or misconfigurations in the victim environment.


Maximum damage: Wiping an entire company

When an attacker lands in a business’s identity and admin systems, they don’t need bespoke malware to cause catastrophic damage. This incident provides a blueprint for a devastatingly simple attack chain that is perfectly tuned to exploit the technologies Stryker depended on.

A very realistic scenario for how this unfolded looks like this:

1. Silent entry

An infostealer compromises an employee’s system, silently capturing SSO/IDP logins, internal ITSM platform access, and credentials for an enterprise password manager.

2. Data hand-off

The data is sold by an initial access broker or otherwise ends up in the hands of a threat actor aligned with Handala.

3. Administrative pivot

The attacker uses those credentials to log into the SSO identity console or an ITSM system that integrates directly with endpoint management. From there, they either land in an Intune administrator role or use their access to group memberships and password managers to escalate into one.

4. Devices wiped

With Intune-level authority, the attacker doesn't need to write a single line of code. They simply use the platform's native functionality to issue wipe or reset commands to a massive number of Windows endpoints and mobile devices.

Overnight, a sophisticated company finds itself with thousands of bricked endpoints and a crippled Microsoft environment, but no ransom note or decryption key to negotiate over.

None of this requires exotic zero-days. It requires valid credentials from an infostealer, generous admin roles glued together across SSO, ITSM, and device management, and a threat actor willing to use a business’s own tools as the wiper.

Both a target of opportunity and a target of choice

Two distinct narratives explain why Stryker was hit, and they aren’t mutually exclusive. In fact, their intersection is what made the attack so devastating.

Target of opportunity

The data suggests that Stryker was a low-hanging fruit from a technical standpoint. Malware-sourced enterprise credentials for Stryker identities were already available on the dark web. Crucially, at least one high-value identity held exactly the blend of access required to run a destructive device-management play. This pre-existing exposure made Stryker a much easier technical target than a random organization with no such data leaked.


Target of choice

Disrupting a massive US-based medical technology firm that impacts more than 150 million patients annually creates immediate, tangible pain for hospitals, clinicians, and patients. This disruption sends a loud, visible political message that aligns with the retaliatory framing Handala has used in their own messaging. The group explicitly cited retribution for military strikes and Stryker’s connections to both the US military and Israeli medical firms as justification for the strike.

The ugly reality

When you combine these two factors, a simple but ugly picture emerges: A politically motivated actor appears to have used readily available, stolen enterprise credentials to turn Stryker’s own device-management capabilities into a destructive weapon.

How Coalition intersects with the Stryker attack

Coalition has a highly tuned system that we use for both risk selection at the time of underwriting and risk reduction for Coalition policyholders. It starts with feeds of infostealer log data filtered to just our policyholders and then further filters for access to highly sensitive or risky systems.

The three high‑value services discussed above (SSO/IDP, ITSM, and password management) are explicitly covered in our screening. When we see those targets in infostealer data tied to a company, it drives security decisions and critical notifications for both prospects and policyholders.
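As an added illustration, not Coalition's code or its screening system, here is the kind of filter the two paragraphs above describe, run over a constructed infostealer feed: records are tied to a hypothetical policyholder domain, hosts are bucketed into the SSO/IDP, ITSM and password-manager categories, and identities that hold more than one of those are surfaced as the dangerous bundle. The hostname patterns, the watched domain and every feed line are assumptions.

```python
"""Triage infostealer records against an org's high-value services.
Feed lines and the policyholder domain are constructed for this example."""
import re
from collections import defaultdict
from urllib.parse import urlparse

WATCHED_DOMAINS = {"example-medtech.com"}   # hypothetical policyholder
# Hostname patterns per service category; illustrative, tune per tenant.
HIGH_VALUE = {
    "idp": [r"^login\.microsoftonline\.com$", r"\.okta\.com$", r"^(adfs|sso)\."],
    "itsm": [r"\.service-now\.com$", r"^(servicedesk|helpdesk)\."],
    "password_manager": [r"^(vault|pam|passwords)\.", r"\.1password\.com$"],
}

# Constructed feed: url|login|secret, with the secret redacted upstream.
STEALER_FEED = """\
https://login.microsoftonline.com/common/oauth2|jdoe@example-medtech.com|<redacted>
https://example-medtech.service-now.com/login.do|JDoe@example-medtech.com|<redacted>
https://vault.example-medtech.com/|svc-itops@example-medtech.com|<redacted>
https://shop.example.net/account|jdoe@gmail.com|<redacted>
"""

def classify_host(host):
    """Return the high-value category a hostname falls into, or None."""
    for category, patterns in HIGH_VALUE.items():
        if any(re.search(p, host) for p in patterns):
            return category
    return None

def is_watched(host, login):
    """Tie a record to the watched org via login domain or URL host."""
    login_domain = login.rsplit("@", 1)[-1]
    return login_domain in WATCHED_DOMAINS or any(
        host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def triage(feed):
    """Map each exposed identity to the categories its leaked logins unlock."""
    exposure = defaultdict(set)
    for line in feed.splitlines():
        url, login, _secret = line.split("|", 2)
        host = (urlparse(url).hostname or "").lower()
        login = login.lower()
        if is_watched(host, login):
            category = classify_host(host)
            if category:
                exposure[login].add(category)
    return {u: sorted(c) for u, c in exposure.items()}

def critical_identities(exposure, min_categories=2):
    """Identities holding the dangerous bundle: several admin surfaces at once."""
    return sorted(u for u, c in exposure.items() if len(c) >= min_categories)
```

Anything `critical_identities` returns is the "one high-value identity with exactly the blend of access" case the post warns about, and is where credential rotation and endpoint cleanup should start.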

If Stryker had engaged with Coalition, there are two critical points where that would have mattered:

1. During underwriting

If Stryker had applied for cyber insurance from Coalition before this incident, and we had observed these enterprise credentials in infostealer-sourced data, our response would have been straightforward: We would have triggered a “Stolen Credentials from Malware Infection” contingency.

To bind the policy, we would have required evidence of:

  • Rotating affected passwords and secrets

  • Cleaning up infostealer infections on all affected endpoints

  • Re‑validating admin roles and MFA for sensitive systems, specifically identity and device management.

This is the under‑appreciated benefit of Active Insurance: the underwriting process itself becomes a forcing function for cleaning up real, observable risk rather than just filling out a static questionnaire.

2. During the policy period

If Stryker had already been a Coalition policyholder when those leaks appeared, the intervention would have moved into our Active Protection phase. Stryker would have:

  • Received an immediate security alert in Coalition Control® regarding the stolen enterprise credentials.

  • Had direct access to our team to walk through what these leaks mean for their specific IDP, ITSM, and device‑management risk.

  • Received guidance on prioritizing credential rotation and endpoint cleanup.

  • Had the option to involve Coalition Incident Response for deeper investigation and containment, even before the situation escalated to a formal claim.

Based on the timestamps we observed for the leaked credentials versus the public disclosure of the attack, this intervention likely would have occurred before the destructive activity began.

While no tool is a 100% guarantee, this type of early warning and remediation work makes this specific attack path much harder for an adversary to pull off.

Important lessons for defenders

You don’t need to be a global giant like Stryker for this incident to be relevant. The commodity-to-catastrophe pipeline is a risk for any organization using centralized cloud management. Here are a few practical takeaways:

Treat infostealer-sourced credentials as existential risk.

When stolen credentials touch your IDP, ITSM, password managers, VPNs, or financial software, you have a live fire on your hands. These are not "low-level" alerts; they are the early indicators of a potential total loss.

Assume your device-management stack can be turned into a wiper.

Recognize that your own tools can be used against you. Intune and similar platforms are incredibly powerful, and a threat actor does not need destructive aims to repurpose them in pursuit of their goals. Living off the land (LOTL) is a tried-and-true tactic: if attackers can accomplish their goals without bringing new files into the environment, they are stealthier, and they will choose that route every time. Limit who can wield that power and how roles are chained together across SaaS platforms.
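To make this lesson and step 4 of the attack chain above concrete, here is an added detection example (not from the post, and not tied to any real MDM product's audit schema) that replays the mass-wipe scenario over constructed audit events: it alerts when an identity outside the expected set issues any wipe or retire command, and again when one actor reaches a burst of them inside a sliding window. Field names, action values, thresholds and actor identities are all assumptions.

```python
"""Flag bulk wipe/retire activity in device-management audit events.
Event schema and all events are constructed for this example, not any real MDM format."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIONS = {"wipe", "retire", "freshStart"}
WINDOW = timedelta(minutes=10)
THRESHOLD = 5   # destructive actions per actor per window before alerting
EXPECTED_WIPE_ACTORS = {"helpdesk-automation@example-medtech.com"}  # hypothetical

def _ev(t, actor, action, device):
    return json.dumps({"time": t, "actor": actor, "action": action, "device": device})

# Constructed audit log (JSON lines): six rapid wipes from one admin account,
# two routine retires from the expected automation, one harmless sync.
AUDIT_LOG = "\n".join(
    [_ev(f"2026-03-11T00:0{i}:00Z", "svc-itops@example-medtech.com", "wipe", f"LAP-{i:04d}")
     for i in range(6)]
    + [_ev("2026-03-10T09:15:00Z", "helpdesk-automation@example-medtech.com", "retire", "LAP-9001"),
       _ev("2026-03-10T16:40:00Z", "helpdesk-automation@example-medtech.com", "retire", "LAP-9002"),
       _ev("2026-03-11T00:03:30Z", "svc-itops@example-medtech.com", "syncDevice", "LAP-0007")])

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime."""
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            yield e

def detect_bulk_wipes(text, threshold=THRESHOLD, window=WINDOW):
    """Return (alert_type, actor, count) tuples, at most one per type per actor:
    'unexpected_actor' on the first destructive action from an unlisted identity,
    'bulk_wipe' once an actor reaches `threshold` destructive actions in `window`."""
    recent = defaultdict(deque)   # actor -> timestamps inside the sliding window
    alerts, fired = [], set()
    for e in sorted(parse_events(text), key=lambda e: e["time"]):
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        actor, q = e["actor"], recent[e["actor"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if actor not in EXPECTED_WIPE_ACTORS and ("unexpected_actor", actor) not in fired:
            fired.add(("unexpected_actor", actor))
            alerts.append(("unexpected_actor", actor, len(q)))
        if len(q) >= threshold and ("bulk_wipe", actor) not in fired:
            fired.add(("bulk_wipe", actor))
            alerts.append(("bulk_wipe", actor, len(q)))
    return alerts
```

The unexpected-actor rule fires on the very first command, which is the only alert that can arrive before a fleet-wide wipe completes; the burst rule is the backstop for an expected identity that has been taken over.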

Plan explicitly for destructive scenarios.

Many business continuity or disaster recovery plans anticipate recoverability from backups but may not consider the possibility that backups are also inaccessible. Make sure you have answers for:

  • “What if thousands of endpoints are wiped in a single day?”

  • “What if our admins’ devices are the first ones to go down?”

  • “How do we safely rebuild device-management trust from scratch?”

Use external telemetry and insurance pressure to your advantage.

When a cyber insurer tells you, “your admin credentials are for sale on the dark web,” you should respond swiftly and thoroughly.

Stryker’s situation is serious, and it is easy to armchair-quarterback from the outside. The more constructive move is to recognize that some version of this story can play out in any large, Microsoft-centric enterprise. Use this event as a prompt to tighten your identity, device-management, and malware-sourced-credential posture now, while you still have the luxury of doing it on your own schedule.
