Stryker rules out ransomware, confirms threat actor used non-propagating malicious file - Industrial Cyber
Stryker rules out ransomware, confirms threat actor used non-propagating malicious file
March 26, 2026
Following its recent cybersecurity incident, medical technology giant Stryker said it found no indication of ransomware or malware. As the investigation progressed, alongside Palo Alto Networks’ Unit 42 and other experts, the company determined that the threat actor used a malicious file to execute commands, enabling the actor to conceal its activity within Stryker’s systems. The file was not capable of spreading, either within or outside the environment.
“Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts. We are grateful for the partnership and collaboration with government agencies and industry partners,” Stryker wrote in its latest update. “We believe the incident is contained, and we are prioritizing restoration of systems that directly support customers, ordering and shipping. Our internal teams, in partnership with third-party experts, reacted quickly to not only regain access but to remove the unauthorized party from our environment.”
The update noted that, most importantly, the investigation has not identified any malicious activity directed towards customers, suppliers, vendors, or partners.
Unit 42’s latest findings are included in a General Assurance Letter that reaffirms Stryker’s belief that this incident is contained and that analysis has not identified any evidence of the threat actor accessing customer, supplier, vendor and partner systems as a result of this incident. “There is nothing more important to us than the customers and patients we serve, and we recognize the criticality of every procedure to every patient. We are working closely with our global manufacturing sites as operations continue to stabilize. Manufacturing capability is ramping quickly as critical lines and plants are brought back online, prioritizing patient needs. This is a 24/7 effort and the first priority of our entire organization.”
Stryker had previously mentioned that it is “in close contact with the White House National Cyber Director, FBI, CISA, DHA, HHS and H-ISAC, and appreciate the ongoing support they have been giving us. We’re grateful to the government for their efforts to seize domains linked to the purported threat actors. Protecting the healthcare ecosystem against cyber threats is a priority that requires extensive public-private partnership. True to our commitment to transparency and a collective cyber defense, we are committed to sharing meaningful intelligence that strengthens the resilience of patient care worldwide.”
Earlier this month, a suspected Iran-linked cyberattack disrupted global operations at Stryker, knocking internal systems offline and forcing the company to limit access to parts of its network. The intrusion, claimed by the pro-Iranian hacking persona Handala, is reported to have wiped corporate devices tied to the company’s Microsoft environment, prompting a rapid incident response to contain the breach and restore services. The disruption lands against a backdrop of escalating geopolitical tension following recent U.S. and Israeli strikes in Iran, raising the risk that state-aligned cyber actors may widen retaliatory campaigns to include Western enterprises and critical supply chains.
Resecurity warns that the Iran conflict has rapidly evolved into a multi-domain confrontation where kinetic military operations are tightly integrated with cyber, electronic, and information warfare, marking a shift in how modern conflicts unfold. The analysis highlights sustained missile and drone strikes occurring alongside coordinated cyber campaigns driven by state-linked actors and proxy groups targeting critical infrastructure, enterprises, and government systems. This convergence is expected to persist, with cyber operations increasingly used to disrupt services, gather intelligence, and amplify geopolitical impact, even as physical hostilities continue across the region.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.