On March 11, 2026, a global medical technology company sent thousands of employees home — not because of a weather emergency or a power outage, but because Iran-linked hackers had wiped their devices clean. According to Krebs on Security, the hacktivist group Handala claimed responsibility for a wiper attack on Stryker that targeted Intune-managed devices, displaced more than 5,000 workers in Ireland, and triggered a building emergency at U.S. headquarters.
No ransom note. No negotiation. No recovery key waiting on the other end of a Bitcoin payment.
Just gone.
If your organization has spent the last several years building a ransomware recovery plan — and most small businesses and healthcare organizations have — this attack should stop you cold. Because a wiper attack plays by completely different rules, and most incident response playbooks are not written for it.
What Is a Ransomware Attack?
Ransomware is a form of extortion. Attackers infiltrate your network, encrypt your files, and then demand payment in exchange for the decryption key. The attacker wants you to survive — at least long enough to pay.
This creates a perverse but exploitable dynamic: there is a negotiation window. Organizations with strong, tested backups can sometimes recover without paying. Cyber insurance policies are often structured around ransomware scenarios. Incident response firms have playbooks built specifically for this model.
Ransomware is destructive. It is also, in a dark way, transactional.
What Is a Wiper Attack?
A wiper attack has no transaction. The goal is not money — it is destruction. Attackers deploy malware designed to overwrite, corrupt, or permanently delete data. There is no key to purchase. There is no recovery path baked into the attack itself.
Wiper attacks are typically deployed by nation-state actors or politically motivated hacktivists. The Stryker attack, attributed to Handala — a group with alleged ties to Iran — is a textbook example. The target was a medtech company with ties to industries that carry geopolitical significance. The objective was disruption and damage, not a payout.
The Krebs on Security report on the Stryker incident illustrates exactly why this matters: Intune-managed devices — endpoints that organizations often assume are protected and recoverable through MDM tooling — were wiped at scale. Cloud management did not prevent the attack. It may have actually accelerated it.
Why Your Ransomware Plan Does Not Protect You Here
Most small business and healthcare incident response plans are built around a core assumption: data can be recovered if you have good backups. That assumption holds for ransomware. It does not hold for wiper attacks in the same way.
Here is why:
Speed of destruction. Wiper malware is designed to move fast. By the time detection triggers, the damage may already be done across dozens or hundreds of endpoints.
Backup gaps. Backups protect data. They do not restore operational continuity instantly. If 500 endpoints are wiped simultaneously, restoring from backup is a multi-day or multi-week effort — assuming your backups were not also targeted.
MDM and cloud management as attack surfaces. The Stryker attack used Intune-managed devices as the delivery mechanism. Tools designed to push software and manage endpoints at scale can, under the right conditions, push destruction at scale. As we covered in our breakdown of Microsoft 365 breach prevention for small businesses, cloud-managed environments require layered controls — not just trust in the platform.
No negotiation window. With ransomware, you often have hours or days to assess, contain, and decide. With a wiper, the clock runs out before you know it started.
The Controls That Actually Matter Against Wiper Attacks
Defending against wiper attacks requires a different mindset than ransomware recovery. Here are the controls that move the needle:
1. Endpoint Detection and Response (EDR) with Behavioral Analysis
Signature-based antivirus will not catch a novel wiper. EDR tools that monitor for behavioral anomalies — mass file deletion, rapid disk writes, unusual MDM command execution — can flag an attack in progress before it completes.
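One way to express the "unusual MDM command execution" signal as detection logic, shown here as an added example that is not from the original article or from any vendor's product. The event shape, account names, device names, and thresholds are assumptions constructed for illustration, and the records do not follow the Intune audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, action, device).
# Generic shape chosen for this example; map your MDM's audit export onto it.
SAMPLE_EVENTS = [
    ("2026-01-05T08:00:05", "helpdesk1", "wipe", "LT-0042"),  # one lost laptop
    ("2026-01-05T09:14:00", "admin-svc", "sync", "LT-0001"),  # routine action
] + [
    # Six wipes against six different devices, five seconds apart.
    ("2026-01-05T09:14:%02d" % (10 + 5 * i), "admin-svc", "wipe", "LT-%04d" % (100 + i))
    for i in range(6)
] + [("2026-01-05T13:30:00", "helpdesk1", "wipe", "LT-0077")]

# Action names are assumptions; use whatever your platform logs.
DESTRUCTIVE = {"wipe", "retire", "factory_reset"}


def detect_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor when that actor issues destructive actions
    against >= threshold distinct devices inside a sliding time window.

    Returns a list of (actor, window_start_iso, distinct_device_count).
    """
    recent = defaultdict(deque)  # actor -> deque of (time, device)
    alerted = set()
    alerts = []
    for ts, actor, action, device in sorted(events):
        if action not in DESTRUCTIVE:
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[actor]
        queue.append((now, device))
        # Drop events that have aged out of the window.
        while queue and now - queue[0][0] > window:
            queue.popleft()
        devices = {d for _, d in queue}
        if len(devices) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, queue[0][0].isoformat(), len(devices)))
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_EVENTS):
        print("ALERT burst of destructive MDM actions:", alert)
```

Counting distinct devices rather than raw events keeps a retried wipe on one lost laptop from paging anyone, while a sweep across the fleet trips the alert on the fifth device.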
2. Privileged Access Controls
Wiper attacks often require elevated privileges to execute at scale. Limiting which accounts can push commands to managed devices, enforcing MFA on admin accounts, and segmenting administrative access dramatically reduces blast radius. Our post on preventing employee privilege escalation walks through the specific access control steps that apply here.
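A sketch of how blast radius can be measured per account, added here as an example and not taken from the original article. The inventory, account names, group names, and the 25% ceiling are all hypothetical; in practice the data would come from an export of your MDM role assignments and identity provider.

```python
# Constructed inventory: device groups as sets of device ids.
GROUPS = {
    "clinic-a": set(range(0, 40)),
    "clinic-b": set(range(40, 90)),
    "all-endpoints": set(range(0, 500)),
}

# Constructed admin accounts: who can issue wipe commands, to which groups.
ADMINS = [
    {"account": "helpdesk-a", "can_wipe": True, "mfa": True, "scopes": ["clinic-a"]},
    {"account": "helpdesk-b", "can_wipe": True, "mfa": False, "scopes": ["clinic-b"]},
    {"account": "mdm-sync-svc", "can_wipe": True, "mfa": False, "scopes": ["all-endpoints"]},
    {"account": "global-admin", "can_wipe": True, "mfa": True,
     "scopes": ["clinic-a", "all-endpoints"]},
    {"account": "reporting", "can_wipe": False, "mfa": False, "scopes": ["all-endpoints"]},
]


def audit_wipe_blast_radius(admins, groups, max_fraction=0.25):
    """Return (account, reachable_devices, issues) for every wipe-capable
    account that lacks MFA or can reach more than max_fraction of the fleet.
    Results are ordered by reachable device count, largest first."""
    fleet = set().union(*groups.values())
    findings = []
    for admin in admins:
        if not admin["can_wipe"]:
            continue  # read-only roles cannot push destruction
        # Union, not sum: overlapping groups must not double-count devices.
        reach = set().union(*(groups[g] for g in admin["scopes"]))
        issues = []
        if not admin["mfa"]:
            issues.append("no MFA")
        if len(reach) > max_fraction * len(fleet):
            issues.append("scope exceeds %d%% of fleet" % (max_fraction * 100))
        if issues:
            findings.append((admin["account"], len(reach), issues))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for account, reach, issues in audit_wipe_blast_radius(ADMINS, GROUPS):
        print(f"{account}: can wipe {reach} devices; {', '.join(issues)}")
```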
3. Network Segmentation
If an attacker cannot move laterally, they cannot wipe at scale. Segmenting your network so that a compromised endpoint cannot reach every other endpoint is one of the highest-leverage controls available to small businesses and healthcare organizations.
4. Immutable, Offline Backups
Cloud-connected backups can be targeted. Immutable backups — stored in a way that cannot be modified or deleted by a compromised account — are the only backup architecture that holds up against a sophisticated wiper campaign.
5. Tested Incident Response Plans That Include Destruction Scenarios
If your IR plan only covers "encrypt and negotiate," rewrite it. Run tabletop exercises that assume data is gone and ask: how do we restore operations in 24 hours? 72 hours? What is our communication plan for staff, patients, or customers?
Healthcare and Government Contractors: You Are a Named Target
It is not an accident that Stryker — a medtech company — was targeted. Healthcare and defense-adjacent organizations carry geopolitical weight. For organizations pursuing CMMC Level 1 compliance or operating under Ohio's SB 220 safe harbor framework, understanding your threat model is not optional — it is part of the compliance posture itself.
The controls required for CMMC Level 1 — access control, incident response, media protection — map directly onto wiper attack defense. If you have not reviewed those requirements recently, our CMMC Level 1 compliance guide for small businesses is a practical starting point.
The Blind Spot You Cannot Afford
Ransomware gets the headlines, the insurance products, and the recovery playbooks. Wiper attacks get the silence — right up until 5,000 employees are sent home with no timeline for return.
The Stryker incident is not a warning about a distant, theoretical threat. It is a documented event that happened to a well-resourced global company using the same cloud management tools that thousands of small businesses and healthcare organizations rely on every day.
The question is not whether your backups are good. The question is whether your defenses assume the attacker wants something from you — or whether you have planned for an attacker who simply wants to watch it burn.
Take Action
Wiper attacks expose gaps that most vulnerability assessments never look for — misconfigured MDM permissions, over-privileged admin accounts, unmonitored lateral movement paths. Proactive scanning catches these issues before an attacker does.
Oscar Six Security's Radar delivers affordable, continuous vulnerability scanning at $99/scan — built for small businesses, healthcare organizations, and government contractors who need real visibility without enterprise-level costs.