
Defending Medical Devices: Mitigating Wiper Malware Attacks Like the Stryker Incident

Security Arsenal Team
March 23, 2026

Introduction

Recently, medical device giant Stryker confirmed that it successfully contained a cyberattack attributed to an Iran-linked threat group. The incident, which occurred on March 11, involved the discovery and neutralization of a hidden malicious file designed to execute device-wiping commands. While Stryker reported no evidence of a breach into healthcare customers' networks, the event forced some procedural delays. For defenders, this incident is a critical reminder that the healthcare supply chain remains a prime target for destructive attacks aimed at disrupting operational continuity and patient care.

Technical Analysis

The Stryker incident is an example of the shift from data extortion (ransomware) to pure operational disruption via "wiper" malware. The technical core of the attack, as described in Stryker's statement, was a concealed malicious file positioned to issue wiping commands against the servers and connected medical-device infrastructure it could reach. The delivery path has not been detailed in the reporting summarized here; phishing and harvested credentials are the most common routes for this kind of payload, and the analysis below assumes one of them.

  • Attack Vector: Initial access likely involved compromised credentials or social engineering, leading to the deployment of a payload on internal systems.
  • Mechanism: The threat actors utilized a malicious file to execute commands designed to delete data or render devices inoperable (wiping). This differs from encryption-based ransomware as the intent is purely destructive; recovery is often impossible without clean backups or reimaging.
  • Affected Systems: Stryker stated that customer networks were not breached and that the file was neutralized; the procedural delays it reported point to internal systems (device logistics and device-support infrastructure) rather than devices deployed at customer sites, although the reporting summarized here does not name the affected systems.
  • Severity: High. Attacks involving IoMT (Internet of Medical Things) or medical device manufacturers carry high risk because system availability directly correlates to patient health outcomes.

Defensive Monitoring

To detect similar threats involving concealed malicious files or wiper behavior, security teams should monitor for mass file deletions, unusual executions of disk- and shadow-copy-management tools, and the creation of suspicious executables in non-standard directories. Below are KQL queries for Microsoft Sentinel / Defender for Endpoint and a PowerShell audit script to aid in detection.

KQL Queries (Microsoft Sentinel / Defender)

Detect Mass File Deletion or Wiping Activity: This query looks for a high volume of file deletion events within a short timeframe, a common indicator of wiper malware. Grouping by the initiating process and counting distinct folders matters for tuning: browser caches, updaters and build tools legitimately delete hundreds of files in five minutes, but they do so from one process in one or two directories, whereas a wiper walks the whole tree. Baseline the threshold per host class and exclude known-good processes before turning this into an alert.

Script / Code
DeviceFileEvents
| where ActionType in ("FileDeleted", "FileDeletedFailed")
| summarize DeletedCount = count(), FolderCount = dcount(FolderPath) by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where DeletedCount > 50
| project Timestamp, DeviceName, InitiatingProcessFileName, DeletedCount, FolderCount
| extend AlertMessage = "High volume of file deletions detected indicative of potential wiper activity."


Detect Suspicious Process Execution for Disk Wiping: This query identifies built-in and Sysinternals tools that are abused for destructive purposes (cipher, sdelete, vssadmin, wmic, diskpart) when their command line targets shadow copies or free-space wiping. Two tuning notes: backup agents call vssadmin legitimately, so review InitiatingProcessFileName before escalating, and diskpart usually reads its commands from a script passed with /s, so the destructive "clean" keyword may only be visible by retrieving that script file.

Script / Code
DeviceProcessEvents
| where FileName in~ ("cipher.exe", "sdelete.exe", "sdelete64.exe", "vssadmin.exe", "wmic.exe", "diskpart.exe")
| where FileName startswith "sdelete"
    or ProcessCommandLine matches regex @"(?i)(delete\s+shadows|shadowcopy\s+delete|/w:|\bclean\b|\bwipe\b)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend AlertMessage = "Execution of process commonly used for data wiping detected."
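
The two detection rules above, prototyped as an added PowerShell example (not code from the original article or from Stryker) so that thresholds and process exclusions can be tuned offline before the logic goes into Sentinel. The function name is hypothetical; the events, host names, account names and the process allowlist are constructed for the example. On a live host the same event shape can be populated from Sysmon event IDs 1 and 23 or exported from advanced hunting, and the five-minute bucketing mirrors bin(Timestamp, 5m).

```powershell
# Added example for this page (not code from the article or from Stryker):
# an offline prototype of the two Sentinel rules above. Hypothetical function name;
# event objects carry the DeviceProcessEvents / DeviceFileEvents columns the rules use.

# Rule A: command lines that destroy data or recovery points (MITRE ATT&CK T1485 / T1490).
$DestructivePatterns = @{
    'vssadmin.exe' = 'delete\s+shadows'
    'wmic.exe'     = 'shadowcopy\s+delete'
    'cipher.exe'   = '/w:'                  # cipher /w:<drive> overwrites free space
    'sdelete.exe'  = '.'                    # any sdelete run on a server warrants a look
    'diskpart.exe' = '\bclean\b'
    'bcdedit.exe'  = 'recoveryenabled\s+no' # seen alongside wipers to block recovery
    'wbadmin.exe'  = 'delete\s+catalog'
}

# Rule B: processes that legitimately delete many files (browser caches, updaters, AV).
# Assumption: this list is tuned per estate; it is not a Microsoft or Stryker list.
$DeletionAllowlist = @('msedge.exe', 'chrome.exe', 'tiworker.exe', 'msmpeng.exe')

function Find-WiperActivity {
    param(
        [Parameter(Mandatory)] [object[]] $ProcessEvents,  # Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
        [Parameter(Mandatory)] [object[]] $FileEvents,     # Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FolderPath
        [int] $DeletionThreshold = 50,
        [int] $WindowMinutes = 5
    )
    $alerts = [System.Collections.Generic.List[object]]::new()

    foreach ($e in $ProcessEvents) {
        $pattern = $DestructivePatterns[$e.FileName]          # hashtable keys are case-insensitive
        if ($pattern -and $e.ProcessCommandLine -match $pattern) {
            $alerts.Add([pscustomobject]@{
                Rule = 'DestructiveCommand'; DeviceName = $e.DeviceName; Timestamp = $e.Timestamp
                Detail = "$($e.AccountName) ran: $($e.ProcessCommandLine)"
            })
        }
    }

    # Same bucketing as bin(Timestamp, 5m): floor the tick count to the window size,
    # then count deletions per device and initiating process inside each bucket.
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $FileEvents |
        Where-Object { $_.ActionType -eq 'FileDeleted' -and $DeletionAllowlist -notcontains $_.InitiatingProcessFileName } |
        Group-Object { $_.DeviceName, $_.InitiatingProcessFileName, [math]::Floor($_.Timestamp.Ticks / $windowTicks) -join '|' } |
        ForEach-Object {
            if ($_.Count -gt $DeletionThreshold) {
                $first   = $_.Group[0]
                $folders = @($_.Group.FolderPath | Sort-Object -Unique).Count
                $alerts.Add([pscustomobject]@{
                    Rule = 'MassDeletion'; DeviceName = $first.DeviceName; Timestamp = $first.Timestamp
                    Detail = "$($first.InitiatingProcessFileName) deleted $($_.Count) files across $folders folders in $WindowMinutes min"
                })
            }
        }
    return $alerts
}

# Constructed sample telemetry (invented hosts, accounts and processes), not real data.
$t0 = Get-Date '2026-03-11T09:00:00'
$procEvents = @(
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(1); DeviceName = 'RMA-SRV01'; AccountName = 'svc_logistics'; FileName = 'vssadmin.exe'; ProcessCommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(2); DeviceName = 'RMA-SRV01'; AccountName = 'svc_logistics'; FileName = 'cipher.exe';   ProcessCommandLine = 'cipher.exe /w:D:\' }
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(3); DeviceName = 'WS-0142';   AccountName = 'jdoe';          FileName = 'cmd.exe';      ProcessCommandLine = 'cmd.exe /c dir D:\exports' }
)
$fileEvents = @(
    # 70 deletions across several config folders by an unknown binary: should alert
    1..70  | ForEach-Object { [pscustomobject]@{ Timestamp = $t0.AddSeconds($_); DeviceName = 'RMA-SRV01'; ActionType = 'FileDeleted'; InitiatingProcessFileName = 'svchost_update.exe'; FolderPath = "D:\DeviceConfigs\unit$($_ % 9)" } }
    # 300 cache deletions by the browser: allowlisted, must not alert
    1..300 | ForEach-Object { [pscustomobject]@{ Timestamp = $t0.AddSeconds($_); DeviceName = 'WS-0142'; ActionType = 'FileDeleted'; InitiatingProcessFileName = 'msedge.exe'; FolderPath = 'C:\Users\jdoe\AppData\Local\Microsoft\Edge\Cache' } }
)

Find-WiperActivity -ProcessEvents $procEvents -FileEvents $fileEvents | Format-Table Rule, DeviceName, Detail -AutoSize
```

Run as-is, the sample produces three alerts for RMA-SRV01 (two destructive commands and one mass-deletion bucket) and nothing for the browser cache on WS-0142, which is the behavior the allowlist and per-process grouping are there to guarantee. Lowering the threshold or emptying the allowlist shows immediately how noisy the raw count-per-host version of the rule would be.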

PowerShell Script

Audit for Hidden Executables in User Directories: Defenders can run this script on endpoints to find recently created executables carrying the Hidden attribute in the profile and ProgramData locations where droppers are commonly staged. Run it elevated, since other users' profiles are not readable otherwise. Note that the "hidden" file in the Stryker reporting means concealed, not necessarily the Windows Hidden attribute, so treat this as one hunt among several: the hash and signature columns let you pivot into EDR or threat-intelligence lookups, and unsigned binaries created in the last week deserve a look whether or not they are hidden.

Script / Code
# Script to detect hidden .exe files in common user directories (run elevated)
$paths = @("C:\Users\*\AppData\Roaming", "C:\Users\*\AppData\Local", "C:\ProgramData")
$hiddenExecutables = Get-ChildItem -Path $paths -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Attributes is a flags enum; test the Hidden bit rather than string-matching it
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and $_.CreationTime -gt (Get-Date).AddDays(-7)
    }

if ($hiddenExecutables) {
    Write-Host "[WARNING] Suspicious hidden executables found:" -ForegroundColor Red
    $hiddenExecutables |
        Select-Object FullName, CreationTime, LastWriteTime,
            @{ Name = 'SHA256';    Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } },
            @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
        Format-Table -AutoSize
} else {
    Write-Host "[INFO] No recent hidden executables found in monitored paths." -ForegroundColor Green
}

Remediation

To protect against destructive attacks and supply chain compromises similar to the Stryker incident, organizations should implement the following remediation and hardening steps:

  1. Network Segmentation: Place medical devices and IoMT infrastructure on isolated VLANs with explicit allow rules between zones, and strictly control lateral movement from IT networks to OT/IoMT networks. Management workstations that can reach both sides are the highest-value hosts in the design and should be treated accordingly.

  2. Disable Unused Protocols: On medical devices and supporting servers, disable SMBv1 and other legacy protocols often used to propagate malware or execute destructive commands.

  3. Application Allowlisting: Enforce strict allowlisting (e.g., AppLocker or WDAC) on systems managing medical devices so that an unauthorized dropped file like the one in the Stryker attack cannot execute. Deploy in audit mode first and review the audit events before switching to enforcement, since blocking a vendor tool on a device-management host is its own availability incident.

  4. Implement Immutable Backups: Back up critical configurations and data supporting medical devices to immutable (write-once, read-many) storage so that recovery from a wiper is possible, and test restores on a schedule. A wiper running with backup-service credentials will also delete anything that is merely access-controlled rather than immutable.

  5. Review User Privileges: Conduct an audit of local administrator rights on workstations that interact with medical device management systems to reduce the attack surface for file deployment.

  6. Supply Chain Risk Management: Require vendors to attest to their security posture and incident response capabilities. Monitor vendor advisories for updates regarding breaches that may affect your supply chain.
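
Steps 2, 3 and 5 above as one added PowerShell script for a device-management host; this is an example written for this page, not Stryker's procedure or any vendor's tool. Step 1 is configured on the network equipment, and steps 4 and 6 depend on the backup product and vendor contracts, so they are not scripted here. The script name, the trusted application directories and the approved-administrator list are assumptions to adapt per site; every change is gated behind ShouldProcess so the whole script can be previewed with -WhatIf before it touches anything.

```powershell
# Added example for this page (not Stryker's or any vendor's code). Hypothetical
# name: Invoke-MedDeviceHostHardening.ps1. Run elevated; preview with -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Directories whose signed and unsigned binaries become the allowlist (assumption: adapt per site).
    [string[]] $TrustedAppDirectories = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot"),
    # Accounts and groups permitted in the local Administrators group (hypothetical names).
    [string[]] $ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\MedDevice-Admins'),
    [string] $PolicyPath = "$env:ProgramData\Hardening\applocker-audit.xml"
)

# --- Step 2: Disable SMBv1 at both the server configuration and the Windows feature level.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# SMB1Protocol is the client-SKU feature name; on Windows Server use Remove-WindowsFeature FS-SMB1.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Remove')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# --- Step 3: Build an AppLocker policy from the trusted directories and deploy it in audit mode.
# Publisher rules survive signed updates; hash rules cover the unsigned binaries.
# Scanning $env:SystemRoot takes several minutes but is required, because these generated
# rules do not include AppLocker's default rules and Windows itself must stay allowed.
$fileInfo = foreach ($dir in $TrustedAppDirectories) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe -ErrorAction SilentlyContinue
}
$policy = [xml](New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml)
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'   # would-be blocks log event 8003 instead of being denied
}
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
$policy.Save($PolicyPath)
if ($PSCmdlet.ShouldProcess($PolicyPath, 'Apply AppLocker policy in audit mode')) {
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
    sc.exe config appidsvc start= auto | Out-Null   # Application Identity service must run for AppLocker
    Start-Service -Name AppIDSvc
}
# Sanity check: a Windows binary must be Allowed by the generated policy before enforcement is ever considered.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:SystemRoot\System32\notepad.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# --- Step 5: Report (and, when confirmed, remove) local Administrators members outside the approved list.
$unexpected = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name }
foreach ($member in $unexpected) {
    Write-Warning "Unapproved local administrator on $($env:COMPUTERNAME): $($member.Name) ($($member.ObjectClass), $($member.PrincipalSource))"
    if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
    }
}
```

Leave the policy in AuditOnly for at least one full maintenance and vendor-update cycle, collect the 8003 events from the Microsoft-Windows-AppLocker/EXE and DLL log into Sentinel, and only flip EnforcementMode to Enabled once every legitimate launch on the host has a matching rule; the same generated XML can be merged into a GPO rather than applied locally.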
