Lee Sult, Chief Investigator at Binalyze said: “The Stryker attack looks to be the first drop of blood in the water as a result of nation-state and hacktivist activity off the back of the Iran conflict. This attack confirms Western organisations are not only in the adversary’s crosshairs, but the adversary can also make the shot. More shots are coming.

“An attack like this is about damage and spreading chaos. Handala is using a scorched earth approach; they get in fast, wipe devices, steal data, and leave chaos behind them. Thousands of employees locked out of devices isn’t just an operational crisis. It quickly becomes a financial, reputational, and potentially life-and-property risk.

“Speed is everything when attacks like this happen. Investigation can’t be an afterthought, organisations need to know if the attackers are still inside systems, which systems are impacted, and how the attackers got in. The faster those questions are answered, the faster you can begin recovery.

“Stryker could be the first in a wave of attacks. Cyber assets friendly to the Iranian regime have regrouped and are actively circling their next target sets. Organisations need to be monitoring for IOCs linked to Iran-backed campaigns – including those seen in Operation Olalampo and APT35.

“But it’s also about reinforcing the basics: software needs to be patched, phishing-resistant MFA enabled, and having a clear plan to isolate devices and systems when suspicious activity arises. In firefighting terms, it’s time to cancel vacations and pre-stage your fire companies near critical assets.”