Back to Intelligence

Defending Against Nation-State Wiper Attacks: Lessons from the Stryker Incident

SA
Security Arsenal Team
March 29, 2026
5 min read

Introduction

The recent announcement regarding an Iran-backed hacktivist group claiming responsibility for a destructive wiper attack against Stryker, a leading global medical technology firm, serves as a stark warning for the healthcare sector. Unlike traditional ransomware, which seeks financial extortion through encryption, wiper malware is designed purely for destruction—rendering data permanently unrecoverable and disrupting critical operations.

For defenders, this shift is significant. The motivation has moved from profit to geopolitical disruption. When a medical technology provider is targeted, the impact extends beyond corporate downtime to potential delays in patient care. This post analyzes the technical mechanics of such attacks and provides actionable detection and remediation strategies to secure your organization against destructive threats.

Technical Analysis

Wiper attacks typically involve the malicious corruption of the Master File Table (MFT) or the disk's boot sector, making the file system unreadable. In many cases observed in nation-state aligned attacks, threat actors first compromise the network via standard vectors like phishing, exploiting vulnerabilities on public-facing assets, or utilizing valid credentials.

Once inside the network, the actors perform lateral movement to identify high-value targets. Prior to execution, they often disable security solutions and delete backups to prevent recovery. A common precursor to wiper activity is the deletion of Volume Shadow Copies using native Windows utilities like vssadmin.exe or wmic.exe.

Affected Systems: Windows endpoints and servers. Severity: Critical. Key Indicators: Sudden deletion of shadow copies, unusual process termination, massive file corruption events, and service failures in backup agents.

Defensive Monitoring

To defend against wiper malware, security teams must detect the precursors to data destruction—specifically the deletion of recovery points and direct disk access.

SIGMA Rules

Detect the deletion of Volume Shadow Copies, a critical step attackers take to ensure data cannot be recovered.

YAML
---
title: Deletion of Volume Shadow Copies
id: 8e8b5c2a-1d3f-4a5e-9b7c-1d2e3f4a5b6c
status: stable
description: Detects attempts to delete Volume Shadow Copies using vssadmin or wmic, often a precursor to wiper or ransomware attacks.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026-03-24
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
  condition: selection
falsepositives:
  - System administrators performing backup maintenance (rare)
level: high

Detect processes attempting to access physical drives directly, a common technique for wiper malware to bypass the file system.

YAML
---
title: Direct Physical Disk Access via Handle
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects processes opening handles to physical drives, which may indicate wiper activity or raw disk access.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026-03-24
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: '\?\PhysicalDrive'
  condition: selection
falsepositives:
  - Disk cloning software (e.g., Acronis, Ghost)
  - Disk management tools
level: critical

KQL (Microsoft Sentinel)

Use these queries in Microsoft Sentinel to hunt for signs of shadow copy deletion or suspicious disk activity.

KQL — Microsoft Sentinel / Defender
// Hunt for deletion of Volume Shadow Copies
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('vssadmin.exe', 'wmic.exe')
| where ProcessCommandLine contains 'delete' and (ProcessCommandLine contains 'shadow' or ProcessCommandLine contains 'shadowstorage')
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by Timestamp desc


// Hunt for suspicious service stops related to backup agents
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ('net.exe', 'net1.exe', 'sc.exe', 'powershell.exe')
| where ProcessCommandLine contains 'stop' and (ProcessCommandLine contains 'VSS' or ProcessCommandLine contains 'SQL' or ProcessCommandLine contains 'Backup')
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

Velociraptor VQL

Hunt for unsigned drivers, which are often used by wiper malware to gain kernel-level access for destructive file system operations.

VQL — Velociraptor
-- Hunt for recently modified unsigned drivers in System32
SELECT FileName, Size, ModTime, 
   parse_stringWithRegex(data=Sig.SignerName, regex='(?P<Name>.*)') AS Signer
FROM glob(globs='C:\Windows\System32\drivers\*.sys')
WHERE ModTime > now() - 7d 
  AND Sig.SignerName !~ 'Microsoft'

Investigate scheduled tasks created recently that might serve as a persistence mechanism for the wiper payload.

VQL — Velociraptor
-- Hunt for suspicious scheduled tasks created in the last 24 hours
SELECT TaskName, Action, Trigger, Author, Date
FROM scheduler_tasks(scheduler='System')
WHERE Date > now() - 24h
  AND Author != 'N/A'

PowerShell Remediation

Use this script to verify the health of Volume Shadow Copy Service (VSS) writers and identify any errors that might indicate malicious interference.

PowerShell
# Check VSS Writer Status
$vssWriters = vssadmin list writers
$suspectWriters = @()

foreach ($line in $vssWriters) {
    if ($line -match "Writer name:") {
        $writerName = $line.Split("'")[1]
    }
    if ($line -match "State:") {
        $state = $line.Split(":")[1].Trim()
        if ($state -ne "[1] Stable") {
            $suspectWriters += [PSCustomObject]@{
                Writer = $writerName
                State  = $state
            }
        }
    }
}

if ($suspectWriters.Count -gt 0) {
    Write-Warning "Potential VSS issues detected. Investigate immediately:"
    $suspectWriters | Format-Table -AutoSize
} else {
    Write-Host "All VSS Writers are in a Stable state." -ForegroundColor Green
}

Remediation

If you suspect a wiper attack is in progress:

  1. Immediate Isolation: Disconnect affected systems from the network immediately to prevent lateral movement. Do not reboot systems yet, as volatile memory may contain decryption keys or evidence.
  2. Preserve Evidence: Acquire forensic images of memory and disk if possible, focusing on the C:\Windows\System32\winevt\Logs and MFT zones.
  3. Verify Backups: Ensure your offline backups are intact and have not been deleted or corrupted. Test a restoration to a segregated environment.
  4. Credential Reset: Assume all credentials on the network are compromised. Force a password reset for all accounts, especially privileged ones, and revoke session tokens.
  5. Review Access Logs: Audit VPN and RDP logs for unusual access patterns in the 48 hours prior to the incident.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcarehipaaransomwarewiper-malwarehealthcare-securityincident-responsethreat-huntingsigma

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action