Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

On March 11, 2026, Handala wiped 200,000+ devices across Stryker’s Microsoft environment in 79 countries using Microsoft Intune’s remote wipe capability. Five days on, security teams are still absorbing the implications. Forrester published an analysis this week noting that enterprise resiliency plans have systematically failed to account for UEM/MDM as an attack surface – a gap this incident made impossible to ignore.


Changelog

Date         Summary
16 Mar 2026  Initial publication.

When Handala wiped Stryker’s Microsoft environment on March 11, the company had backups. Backups don’t help when 200,000 devices across 79 countries are simultaneously factory-reset via the organisation’s own device management platform.

The incident – covered in detail here – is notable not just for its scale but for what it reveals about a structural gap in enterprise incident response planning. Most IR playbooks were written with ransomware in mind. Wipers don’t care about your playbooks.

The ransomware-era assumption

Enterprise IR planning calcified around ransomware over the last decade for understandable reasons. Ransomware dominated the threat landscape. It was financially motivated, followed recognisable patterns, and generated a substantial body of case studies to learn from. The response model that emerged – detect, contain, restore from backup, negotiate if necessary – made sense for the threat.

There’s also a perverse stability built into ransomware economics. An attacker who encrypts your data and demands payment has a financial incentive to provide a working decryption key. Their reputation depends on it. This creates a strange negotiating dynamic: the attacker needs you to recover almost as much as you do. It doesn’t make ransomware acceptable, but it does mean recovery has a path.

Entire industries grew up around this model: ransomware negotiators, decryption key brokers, cyber insurance products priced around ransom payment scenarios. The playbook assumes an attacker who wants something from you.

Wipers eliminate that assumption entirely.

What wipers actually are

A wiper isn’t ransomware without a payment mechanism. It’s a fundamentally different class of attack with a different objective. Where ransomware encrypts data to hold it hostage, a wiper destroys data – and often the systems that hold it – with no recovery path and no negotiation possible. The goal isn’t extortion. The goal is destruction.

NotPetya in 2017 was the first major demonstration of this at enterprise scale. It wore ransomware’s interface – it displayed a ransom demand – but Kaspersky’s analysis quickly established that the encryption was irreversible: the attacker hadn’t preserved the keys needed for decryption even if victims paid. The $10B+ in damages across Maersk, Merck, and FedEx wasn’t the result of a ransomware attack that got out of hand. It was a wiper doing exactly what it was designed to do.

The pattern continued. Shamoon/DistTrack wiped 35,000 workstations at Saudi Aramco. Olympic Destroyer targeted the 2018 Pyeongchang Olympics. HermeticWiper and CaddyWiper were deployed against Ukrainian infrastructure in 2022. In 2025, wiper malware appeared in 22% of confirmed nation-state incidents. These aren’t ransomware attacks with a missing ransom note – they’re a distinct threat category with distinct response requirements.

The critical difference for incident response: when a ransomware attack activates, you start negotiating your recovery. When a wiper activates, you start counting your losses.

Nation-state proxies operate on different incentives

Handala isn’t a ransomware gang. It’s a pro-Iran, Palestinian-aligned threat actor operating with geopolitical objectives, not financial ones. Its stated motivation for the Stryker attack was retaliation for a school bombing in Minab – the attack was claimed as a political statement, not a business operation.

This matters for how you model the threat. Criminal ransomware groups are profit-maximising: they avoid targets that attract too much law enforcement attention, they maintain operational consistency, they protect their negotiating reputation. A nation-state proxy is mission-oriented. The constraint isn’t “will this make money?” – it’s “does this advance the objective?”

Stryker is a Fortune 500 medical device manufacturer. It wasn’t targeted because it had weak defences or because its data was particularly valuable. It was targeted because hitting a major US healthcare company during a geopolitical flashpoint makes a statement. The attack was the message. The damage was the point.

This changes how you should think about threat scenarios. Most enterprise security planning models attackers who are rational economic actors – they attack when the expected value exceeds the expected cost. Nation-state proxies operating on geopolitical mandates don’t fit that model. They’re not deterred by making yourself a harder target in the normal sense. If you’re a symbolic target, deterrence requires different thinking.

The implication for IR planning: the question isn’t just “how do we recover?” but “why were we targeted?” – because the answer changes everything about what comes next.

MDM as a weapon

The mechanism Handala used at Stryker is worth examining carefully, because it’s the part that makes conventional security controls irrelevant.

The attackers gained access to privileged administrative accounts in Stryker’s Microsoft environment – specifically Entra ID and the Intune MDM admin console. With that access, they issued a mass remote wipe command to all enrolled devices globally. Before doing so, they exfiltrated approximately 50 terabytes of data.

The wipe itself was not malware. No custom payload, no exploit, no endpoint detection trigger. A device management system issuing wipe commands to enrolled devices looks exactly like… a device management system issuing wipe commands. That’s normal MDM operation. It’s how you factory-reset a lost employee phone. It’s how you decommission an endpoint. Scaled to 200,000 devices simultaneously, it becomes catastrophic – but the individual action is indistinguishable from legitimate administrative activity until you look at the pattern.

This is the same class of problem as living-off-the-land (LOLbin) attacks, where attackers use trusted, pre-installed system tools rather than custom malware. The tools are whitelisted because they’re supposed to be there. Security controls that scan for malware don’t flag PowerShell running a script. And security controls that monitor MDM activity don’t flag wipe commands – because administrators issue wipe commands legitimately.

The blast radius problem is significant. A single compromised Intune administrator account can initiate a global device wipe in minutes. No malware required. No secondary payload to detect. The Stryker incident is a case study in why MDM admin access is now tier-one critical infrastructure – not a supporting tool, but a weapon with global reach if it falls into the wrong hands. The privileged identity problem predates this incident, but Stryker has made the stakes viscerally clear.

Why backups aren’t the answer alone

The standard response to any ransomware or data destruction scenario is: restore from backup. This is sound advice, within limits. Those limits become apparent at Stryker’s scale.

First, the speed problem. Wipers move fast. Modern ransomware groups already try to enumerate and destroy backup systems before the encryption phase activates – wipers are optimised for this. If your backup infrastructure shares credential chains with your production environment (and in many Microsoft 365 deployments, it does), a compromised admin account reaches both. The Stryker attackers had access to Entra ID: backup systems accessible through that identity plane are not isolated backups.

Second, the scope problem. Restoring 200,000 endpoints is not a technical operation – it’s a logistics operation. Each device needs a clean image rebuild, MDM re-enrollment, re-authentication, and application re-provisioning. At global scale across multiple time zones and geographies, this takes weeks, not days. Manufacturing halts because device restoration runs at human speed, not script speed.

Third, the recovery-during-crisis problem. When your MDM platform is compromised, re-enrolling devices in that platform before you’ve secured it creates a second attack surface. You can’t restore into a compromised management plane. Recovery requires sequencing: secure the management layer first, then restore devices – which means the restoration clock doesn’t start until you’ve done the harder investigation work.

Backups are necessary. They’re not sufficient. The question isn’t “do we have backups?” – it’s “can our backup restoration outpace a wiper propagating through a fully-enrolled device fleet, starting from a clean management layer?” For most organisations, the honest answer is: not at this scale. Blast radius minimisation isn’t just a nice-to-have architecture principle – it’s the difference between a serious incident and an existential one.

Building wiper-aware IR

A playbook built for ransomware needs five concrete additions to handle wiper threats from nation-state actors:

Privileged identity for MDM is non-negotiable. The Stryker attack was enabled by compromised admin credentials. Intune administrator, Global Administrator, and Entra ID privileged roles should require just-in-time elevation via Privileged Identity Management (PIM), with MFA, approval workflows, and session time limits. Standing access to these roles should not exist. This isn’t a new idea – it’s been best practice for years. Stryker demonstrates the cost of not implementing it.

MDM anomaly detection as a first-class alert. Monitoring for mass wipe commands, sudden bulk enrollment changes, or out-of-hours administrative actions from unfamiliar locations should trigger a high-priority alert – not an audit log entry. The pattern of a global wipe command from a single account in an unusual time window is detectable. The question is whether anyone is watching. Canary devices enrolled specifically to generate alerts on wipe commands provide an early-warning layer that can interrupt fleet-wide execution.

Backup isolation means credential isolation. Backups accessible through the same credential chain as production systems are not isolated. Air-gapped offsite backups that cannot be reached via Entra ID or MDM admin access are a different architectural requirement. This is more expensive and more complex to operate – it’s also the only backup strategy that survives a compromised admin plane.

Segment the management plane. Network segmentation that limits the blast radius of MDM-delivered commands is an architectural control, not an operational one. Devices enrolled in the same MDM tenant but segmented by geography, business unit, or criticality limit the scope of a single compromised admin account. A wiper that can reach 200,000 devices from one command is a different risk profile than one that can reach 5,000.

Plan for “we cannot recover these devices.” Standard IR planning asks: how long to restore? Wiper-aware IR asks: what do we do if we cannot restore? For some subset of wiped devices, the answer may be replacement, not recovery. Manufacturing equipment running embedded MDM-enrolled endpoints may have no restoration path at all. The contingency plan for “this class of device is permanently out of commission” should exist before you need it. The cost of inadequate preparation consistently exceeds the cost of building the plan.
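As an added example, not code from the original article or from any vendor product: the detection logic described under the second addition above (a burst of wipe commands from one account, a wipe landing on a canary device, out-of-hours or unfamiliar-location administrative actions) run over a constructed MDM audit log shaped like Intune device-action records. The log format, thresholds, business-hours policy and canary device names are assumptions.

```python
# Added example (not from the original article): pattern detection over constructed
# MDM audit events shaped like Intune device-action records. Thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WIPE_BURST_THRESHOLD = 25              # wipes by one actor inside the window -> critical
WIPE_WINDOW = timedelta(minutes=10)    # sliding window for the burst counter
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC is in-hours (assumed policy)
CANARY_DEVICES = {"CANARY-LON-01", "CANARY-SYD-01"}  # enrolled only to trip alerts

def parse_event(line):
    # Constructed log format: ISO timestamp|actor|action|device name|source country
    ts, actor, action, device, country = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "device": device, "country": country}

def detect(lines, usual_countries=frozenset({"US"})):
    """Return (severity, reason, actor) findings, critical first, one per actor+reason."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = {}                 # (actor, reason) -> severity; dedupes repeated hits
    recent = defaultdict(list)    # actor -> timestamps of wipes inside the sliding window
    for e in events:
        if e["action"] != "wipe":
            continue
        a = e["actor"]
        if e["device"] in CANARY_DEVICES:
            findings[(a, f"wipe issued to canary device {e['device']}")] = "critical"
        if e["ts"].hour not in BUSINESS_HOURS:
            findings[(a, "wipe issued outside business hours")] = "high"
        if e["country"] not in usual_countries:
            findings[(a, f"wipe issued from unfamiliar location {e['country']}")] = "high"
        window = recent[a]
        window.append(e["ts"])
        while e["ts"] - window[0] > WIPE_WINDOW:   # expire wipes older than the window
            window.pop(0)
        if len(window) >= WIPE_BURST_THRESHOLD:    # the mass-wipe pattern itself
            findings[(a, f"{WIPE_BURST_THRESHOLD}+ wipes within {WIPE_WINDOW}: mass-wipe pattern")] = "critical"
    return sorted(((sev, reason, actor) for (actor, reason), sev in findings.items()),
                  key=lambda f: (f[0] != "critical", f[2], f[1]))

def sample_events():
    # Constructed sample: one legitimate daytime wipe of a lost laptop, then 30 wipes
    # in 150 seconds from a single admin account at 03:00 UTC, one of them a canary.
    base = datetime(2026, 3, 11, 3, 0, tzinfo=timezone.utc)
    lines = ["2026-03-10T14:05:00+00:00|helpdesk.admin|wipe|LAPTOP-0417|US"]
    for i in range(30):
        dev = "CANARY-LON-01" if i == 12 else f"WS-{i:05d}"
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}|intune.svc.admin|wipe|{dev}|XX")
    return lines

if __name__ == "__main__":
    for severity, reason, actor in detect(sample_events()):
        print(f"[{severity.upper()}] {actor}: {reason}")
```

The single daytime wipe from the helpdesk account produces no finding, which is the point: the individual action is legitimate, and only the per-actor pattern, the canary hit and the time/location context separate a decommission from a fleet wipe.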

The playbook hasn’t caught up

NotPetya demonstrated in 2017 that wipers were a serious enterprise threat. Eight years later, Handala walked into Stryker’s Microsoft environment, used a legitimate administrative tool to simultaneously destroy 200,000 devices globally, and stopped manufacturing at a Fortune 500 medical company.

The technology to do this has existed for years. The threat model was documented. The defences are known. What failed wasn’t knowledge – it was the gap between understanding the threat in the abstract and treating MDM administrator access as the critical attack surface it actually is.

Ransomware-centric IR planning isn’t wrong. But it’s incomplete for an attacker who isn’t looking for a payday. Nation-state proxies are operating on geopolitical timelines. They don’t need your decryption keys to work. They just need the wipe to land.

The threat model has shifted. The playbook needs to catch up.