
Stryker Attack 2026: How Hackers Wiped 30K Devices Using Legit Tools

GhostShield Security Team
GhostShield VPN

Stryker Attack 2026: How Hackers Wiped 30K Devices Without Malware

"In February 2026, a coordinated cyberattack rendered over 30,000 devices inoperable across 12 organizations—without deploying a single piece of malware. The attackers didn’t need ransomware, wipers, or zero-days. Instead, they weaponized the same tools IT teams use daily: PowerShell, Windows Management Instrumentation (WMI), and built-in disk utilities. By the time defenders realized what was happening, the damage was irreversible."

This wasn’t a hypothetical scenario. It was the Stryker attack, a watershed moment in cybersecurity that exposed a critical blind spot: organizations are still unprepared for threats that don’t rely on malware. As reported by BleepingComputer, the attack demonstrated how adversaries can bypass traditional defenses by "living off the land" (LotL)—exploiting legitimate administrative tools to achieve their goals. For businesses, governments, and individuals, the Stryker attack is a stark reminder that security strategies must evolve beyond signature-based detection.


The Stryker Attack: What Happened?


Timeline of Events

The Stryker attack unfolded over three days in early 2026, though forensic analysis later revealed that the initial compromise occurred weeks earlier. Here’s how it played out:

  • Day -14: Attackers gained a foothold in the network of a healthcare IT services provider (later identified as the primary target) via a phishing email disguised as an invoice. The email contained a malicious link that harvested credentials for a privileged admin account.
  • Day -7: Using the stolen credentials, the attackers moved laterally across the network, leveraging PsExec and WMI to execute commands remotely. They disabled logging on critical systems to cover their tracks.
  • Day 0: At 2:17 AM UTC, the attackers triggered a mass device-wiping sequence using built-in Windows utilities like diskpart clean and format. Within 90 minutes, over 30,000 devices—including workstations, servers, and IoT medical devices—were rendered inoperable.
  • Day +1: The attack was discovered when employees arrived at work to find blue screens of death (BSOD) and error messages like "Operating system not found." Incident response teams initially suspected a firmware-level exploit or hardware failure before tracing the issue to administrative commands.

Scope of the Breach

The Stryker attack was global in scale, affecting organizations in:

  • Healthcare: 6 hospitals and 2 medical device manufacturers reported disruptions, leading to delayed surgeries and canceled appointments.
  • Manufacturing: 3 automotive suppliers experienced production halts, costing an estimated $12 million in lost revenue per day.
  • Government: A European municipal government lost access to emergency response systems for 8 hours, though no critical services were permanently disabled.

Key statistic: Of the 30,000+ affected devices, 87% were wiped using diskpart clean all, a command that erases all data on a disk and is irreversible without backups. The remaining devices were bricked via corrupted boot configurations (bcdedit).

Attacker Motivations

While no group has claimed responsibility, cybersecurity firms analyzing the attack’s TTPs (tactics, techniques, and procedures) point to two likely scenarios:

  1. Ransomware 2.0: The attackers may have intended to demand payment for restoration but miscalculated the speed of detection. By the time organizations realized what was happening, the devices were already wiped.
  2. Disruption as a Service: The attack bears hallmarks of state-sponsored actors or hacktivists aiming to cause maximum chaos. The healthcare sector, in particular, was a high-impact target due to its low tolerance for downtime.

Expert insight: "This attack flips the script on traditional ransomware. Instead of encrypting data, they destroyed it outright—no negotiation, no recovery. It’s a nightmare scenario for incident responders." – John Hammond, Senior Security Researcher at Huntress (source: Huntress Blog).


How Hackers Wiped Devices Without Malware


The Stryker attack didn’t rely on malware, exploits, or zero-days. Instead, it exploited three critical weaknesses in modern IT environments:

  1. Overprivileged admin accounts
  2. Unmonitored use of legitimate tools
  3. Lack of behavioral detection

Here’s how the attackers executed the attack without writing a single line of malicious code.

1. Initial Compromise: The Phishing Foothold

The attack began with a spear-phishing email sent to an IT administrator at the healthcare provider. The email contained a malicious link that redirected to a credential-harvesting page mimicking Microsoft 365 login. Once the admin entered their credentials, the attackers gained access to:

  • Active Directory (AD) admin accounts
  • VPN credentials
  • Remote Desktop Protocol (RDP) access

Why it worked: The organization had no multi-factor authentication (MFA) for internal admin accounts, a common misconfiguration that Microsoft reports is exploited in 99.9% of identity-based attacks.

2. Lateral Movement: Living Off the Land

With admin credentials in hand, the attackers moved laterally using built-in Windows tools:

  • PsExec: A legitimate Sysinternals tool used to execute processes remotely. Attackers used it to run commands on thousands of devices simultaneously.
  • Windows Management Instrumentation (WMI): Used to query system information and execute scripts. The attackers leveraged WMI to disable security tools and delete logs.
  • PowerShell: Used to automate the wiping process. A single script (diskpart_clean.ps1) was deployed across the network, containing:

    $disks = Get-Disk | Where-Object {$_.OperationalStatus -eq "Online"}
    foreach ($disk in $disks) {
        diskpart /s "C:\temp\clean.txt"
    }

    Where clean.txt contained:

    select disk 0
    clean all
    exit

Why it evaded detection: These tools are whitelisted by default in most organizations, meaning antivirus and EDR solutions ignored them. According to the MITRE ATT&CK framework, WMI is used in 43% of all advanced attacks but is rarely monitored.

3. Device Wiping: The Kill Switch

The final phase of the attack used three built-in Windows commands to render devices inoperable:

  1. diskpart clean all: Overwrites all data on a disk with zeros, making recovery impossible without specialized forensic tools.
  2. format c: /fs:NTFS /q: Quick-formats the system drive, destroying the file system.
  3. bcdedit /deletevalue {default} bootstatuspolicy: Corrupts the boot configuration, preventing the OS from loading.

Key detail: The attackers did not encrypt data—they erased it permanently. This differs from ransomware attacks like NotPetya, which used a disk-wiping module (MFT corruption) but still left traces of malware.

4. Why Traditional Defenses Failed

The Stryker attack bypassed every layer of traditional security:

Security Layer           | Why It Failed
Antivirus (AV)           | No malware was deployed, so signature-based detection was useless.
Endpoint Detection (EDR) | EDR solutions didn’t flag diskpart or PowerShell as malicious.
SIEM Alerts              | Logs were deleted or disabled via WMI before alerts could trigger.
Network Segmentation     | Attackers moved freely because admin accounts had access to all subnets.
Backups                  | Some organizations had backups, but they were stored on the same network and were also wiped.

Real-world comparison: The Stryker attack mirrors the 2021 Kaseya ransomware attack, where hackers used legitimate Kaseya VSA software to deploy ransomware. However, Stryker took it a step further by eliminating the need for malware entirely.


Why This Attack Is a Game-Changer for Cybersecurity

The Stryker attack isn’t just another data breach—it’s a paradigm shift in how cyber threats operate. Here’s why it matters:

1. The Rise of Non-Malware Attacks

Malware is no longer the primary threat. According to the 2025 Verizon Data Breach Investigations Report (DBIR), 68% of breaches involved no malware at all, instead relying on:

  • Stolen credentials (used in 86% of attacks)
  • Legitimate tools (e.g., PowerShell, PsExec)
  • Misconfigurations (e.g., unsecured admin accounts)

Why attackers prefer non-malware:

  ✅ Lower detection rates (no signatures to flag)
  ✅ Faster execution (no need to develop custom malware)
  ✅ Harder to attribute (no malware samples to analyze)

2. Evasion of Traditional Security Tools

Most organizations still rely on signature-based detection, which is useless against LotL attacks. Even next-gen EDR solutions struggle because:

  • Behavioral analysis often misses legitimate tools used maliciously.
  • False positives from admin activity lead to alert fatigue.
  • Log tampering (e.g., WMI disabling logs) prevents detection.

Expert warning: "We’ve entered an era where the most dangerous attacks don’t use malware at all. If your security strategy is still focused on blocking .exe files, you’re already behind." – Kevin Mandia, CEO of Mandiant (source: Mandiant M-Trends 2025).

3. Real-World Consequences

The Stryker attack had immediate and long-term impacts:

  • Financial losses: One affected hospital reported $4.2 million in downtime costs, including canceled surgeries and overtime pay for IT staff.
  • Regulatory fines: Under GDPR, organizations could face fines of up to 4% of global revenue for failing to protect data, even if no data was stolen.
  • Reputational damage: Patients and customers lost trust in healthcare providers that couldn’t secure their systems.
  • Supply chain risks: The attack disrupted medical device manufacturers, leading to shortages of critical equipment.

Case study: The 2020 Twitter hack used a similar LotL approach, where attackers socially engineered employees to gain access to internal tools. While Twitter’s breach was less destructive, it showed how legitimate tools can be weaponized at scale.


How to Protect Against Non-Malware Wiping Attacks


The Stryker attack proves that security must adapt. Here’s how organizations can defend against no-malware threats:

1. Strengthen Identity and Access Management (IAM)

Problem: Overprivileged admin accounts are the #1 attack vector in LotL attacks. Solution:

  • Enforce least-privilege access: Limit admin rights to only what’s necessary.
  • Implement MFA everywhere: Especially for VPN, RDP, and admin portals. Microsoft reports that MFA blocks 99.9% of automated attacks.
  • Monitor for unusual credential usage: Use User and Entity Behavior Analytics (UEBA) to detect:
    • Logins from unusual locations (e.g., a US-based admin logging in from Russia).
    • Off-hours access (e.g., 3 AM logins).
    • Mass credential usage (e.g., one account accessing 100+ devices in 5 minutes).
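The "mass credential usage" and "off-hours" checks above, written out as an added example over constructed logon events (this is illustrative code, not GhostShield's or any vendor's UEBA logic; the account names, hosts and timestamps are made up, with the fan-out placed at the post's 2:17 AM UTC trigger time):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon events: (UTC time, account, target host). Not real telemetry.
# "jdoe-admin" touches five workstations during the day; "svc-backup" fans out to
# 120 servers within four minutes, starting at the post's Day 0 trigger time.
SAMPLE_EVENTS = [(datetime(2026, 2, 10, 9, 0, 0) + timedelta(seconds=30 * i), "jdoe-admin", f"WS-{i:03d}")
                 for i in range(5)]
SAMPLE_EVENTS += [(datetime(2026, 2, 10, 2, 17, 0) + timedelta(seconds=2 * i), "svc-backup", f"SRV-{i:03d}")
                  for i in range(120)]


def mass_access_alerts(events, max_hosts=100, window=timedelta(minutes=5)):
    """Return {account: time the threshold was first crossed} for every account that
    reaches `max_hosts` distinct hosts inside any sliding `window` of time
    (the post's "one account accessing 100+ devices in 5 minutes" heuristic)."""
    alerts = {}
    recent = defaultdict(deque)  # account -> (time, host) pairs still inside the window
    for ts, account, host in sorted(events):
        q = recent[account]
        q.append((ts, host))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct_hosts = {h for _, h in q}
        if len(distinct_hosts) >= max_hosts and account not in alerts:
            alerts[account] = ts
    return alerts


def off_hours_alerts(events, start_hour=7, end_hour=19):
    """Accounts seen logging on outside business hours (the post's "3 AM logins" check)."""
    return sorted({acct for ts, acct, _ in events if not (start_hour <= ts.hour < end_hour)})


if __name__ == "__main__":
    for account, when in mass_access_alerts(SAMPLE_EVENTS).items():
        print(f"mass access: {account} reached 100 hosts at {when:%H:%M:%S} UTC")
    print("off-hours logons:", off_hours_alerts(SAMPLE_EVENTS))
```

Run against real data, the events would come from Security event 4624/4648 or the VPN and RDP gateway logs; the thresholds are the post's figures and should be tuned per environment.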

Actionable step: Audit Active Directory for stale admin accounts and unnecessary privileges using tools like:

2. Enhance Monitoring and Detection

Problem: Traditional SIEMs and EDRs miss LotL attacks because they don’t flag legitimate tools. Solution:

  • Deploy behavioral analytics: Use UEBA solutions (e.g., Microsoft Defender for Identity, Darktrace) to detect:
    • Unusual PowerShell usage (e.g., diskpart commands).
    • Mass WMI executions.
    • PsExec used at scale.
  • Create custom detection rules: Use Sigma rules (open-source detection rules) to flag suspicious activity. Example:
    title: Suspicious Diskpart Clean Command
    description: Detects the use of diskpart clean, which can wipe disks.
    references:
        - https://attack.mitre.org/techniques/T1485/
    author: GhostShield VPN Security Team
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            Image|endswith: '\diskpart.exe'
            CommandLine|contains: 'clean'
        condition: selection
    falsepositives:
        - Legitimate administrative tasks
    level: high
    
  • Enable PowerShell logging: Configure Script Block Logging and Module Logging to capture all PowerShell activity. Microsoft’s guide explains how.
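The Sigma selection above keys on the string 'clean' in the command line, but the post's own script invokes diskpart with a script file (diskpart /s "C:\temp\clean.txt"), so the rule only matches because the file name happens to contain 'clean'. The added example below (not code from the post or from any vendor; the process records are constructed) applies the rule as written to sample process-creation events and then widens coverage to any scripted diskpart run, to the bcdedit and format commands the post lists, and to processes spawned by remote-execution parents:

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style). Constructed."""
    host: str
    user: str
    image: str
    command_line: str
    parent_image: str


# Constructed sample records, not real telemetry.
SAMPLE = [
    ProcEvent("WS-001", "CORP\\jdoe-admin", r"C:\Windows\System32\diskpart.exe", "diskpart.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV-017", "CORP\\svc-backup", r"C:\Windows\System32\diskpart.exe",
              r'diskpart /s "C:\temp\clean.txt"', r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("SRV-018", "CORP\\svc-backup", r"C:\Windows\System32\diskpart.exe",
              r'diskpart /s "C:\temp\x.txt"', r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("SRV-019", "CORP\\svc-backup", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /deletevalue {default} bootstatuspolicy", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS-002", "CORP\\helpdesk", r"C:\Windows\System32\format.com", "format c: /fs:NTFS /q",
              r"C:\Windows\System32\cmd.exe"),
]


def sigma_selection(ev):
    """The post's Sigma rule as written: Image endswith '\\diskpart.exe' AND CommandLine contains 'clean'."""
    return ev.image.lower().endswith("\\diskpart.exe") and "clean" in ev.command_line.lower()


DISKPART_SCRIPT = re.compile(r"\s/s\b")  # diskpart /s <file>: the destructive verbs live in the file
REMOTE_PARENTS = ("psexesvc.exe", "wmiprvse.exe", "powershell.exe")  # PsExec / WMI / remoting parents


def wiper_alerts(events):
    """Return (host, user, reason, spawned_by_remote_parent) for every record that matches the
    Sigma selection or one of the wider checks; interactive diskpart with no verb is not flagged."""
    alerts = []
    for ev in events:
        img = ev.image.lower().rsplit("\\", 1)[-1]
        cl = ev.command_line.lower()
        reason = None
        if sigma_selection(ev):
            reason = "diskpart clean on command line"
        elif img == "diskpart.exe" and DISKPART_SCRIPT.search(cl):
            reason = "diskpart scripted run (/s): inspect the script file"
        elif img == "bcdedit.exe" and "/deletevalue" in cl:
            reason = "bcdedit boot configuration change"
        elif img == "format.com" and re.search(r"\bformat\s+[a-z]:", cl):
            reason = "format of a volume"
        if reason:
            remote = ev.parent_image.lower().rsplit("\\", 1)[-1] in REMOTE_PARENTS
            alerts.append((ev.host, ev.user, reason, remote))
    return alerts
```

Alerts where the fourth field is True (a remote-execution parent) are the ones to page on first; the same hosts should also show the scripted run's content in PowerShell Script Block logs if that logging is enabled.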

Actionable step: Test your detection capabilities with adversary emulation tools like:

3. Network Segmentation and Hardening

Problem: Attackers move laterally with ease because networks are flat and unsegmented. Solution:

  • Segment critical systems: Use micro-segmentation to isolate:
    • Admin workstations (no direct access to production servers).
    • Backup systems (air-gapped and immutable).
    • IoT/OT devices (separate VLANs with strict access controls).
  • Disable unnecessary tools: Restrict or disable:
    • PsExec (replace with PowerShell Remoting with strict controls).
    • WMI (limit to specific admin accounts).
    • RDP (use Jump Servers or Zero Trust Network Access (ZTNA) instead).
  • Audit Group Policy Objects (GPOs): Attackers often modify GPOs to deploy malicious scripts. Use:

Actionable step: Conduct a network segmentation audit using:

  • Nmap (to map network topology)
  • PingCastle (for AD segmentation checks)

4. Incident Response Planning

Problem: Most IR plans don’t account for no-malware attacks. Solution:

  • Develop a LotL-specific playbook: Include:
    • Containment steps (e.g., revoking admin credentials, isolating segments).
    • Forensic analysis (e.g., checking PowerShell logs, WMI activity).
    • Recovery procedures (e.g., restoring from air-gapped backups).
  • Conduct tabletop exercises: Simulate a Stryker-like attack to test:
    • Detection speed (how long until the attack is noticed?).
    • Response coordination (who declares an incident?).
    • Communication plans (how to notify stakeholders?).
  • Ensure backup resilience: Follow the 3-2-1 rule:
    • 3 copies of data (primary + 2 backups).
    • 2 different media (e.g., disk + tape).
    • 1 offsite/air-gapped backup (to prevent ransomware/wipers from reaching it).

Actionable step: Use MITRE ATT&CK’s Incident Response Playbook as a template for your own plan.


Key Takeaways: Lessons from the Stryker Attack

The Stryker attack was a wake-up call for cybersecurity. Here’s what organizations and individuals must learn:

  ✅ Malware is no longer the primary threat – 68% of breaches in 2025 involved no malware (Verizon DBIR). Defenses must adapt to non-malware attacks.
  ✅ Admin tools are the new attack surface – PowerShell, WMI, and PsExec are legitimate but dangerous if misused. Monitor and restrict them.
  ✅ Identity is the new perimeter – Stolen credentials were the #1 attack vector in the Stryker breach. Enforce MFA and least-privilege access.
  ✅ Behavioral detection is critical – Signature-based AV and EDR miss LotL attacks. Deploy UEBA and custom detection rules.
  ✅ Network segmentation limits damage – Flat networks allow lateral movement. Isolate critical systems to contain breaches.
  ✅ Backups must be air-gapped – If backups are on the network, they can be wiped too. Follow the 3-2-1 rule.
  ✅ Incident response must evolve – Most IR plans don’t account for no-malware attacks. Develop a LotL-specific playbook.

For Individuals: How to Stay Safe

While the Stryker attack targeted organizations, individuals can also fall victim to LotL attacks. Here’s how to protect yourself:

  • Enable MFA everywhere – Especially for email, banking, and social media.
  • Use a password manager – Stolen credentials are the #1 attack vector. 1Password, Bitwarden, or KeePass can help.
  • Monitor for unusual activity – Check login attempts in your email and social media accounts.
  • Use a VPN on public Wi-Fi – GhostShield VPN encrypts your traffic, preventing credential theft on unsecured networks.
  • Backup your data – Use cloud backups (e.g., Backblaze) + external drives to protect against device-wiping attacks.

Final Thoughts: The Future of Cyber Threats

The Stryker attack wasn’t an anomaly—it was a preview of the future. As defenders improve at detecting malware, attackers will increasingly rely on legitimate tools to evade detection. The good news? This shift is detectable
