The National Defense Corporation (NDC) has confirmed a ransomware attack targeting its subsidiary AMTEC, a major manufacturer of military and law enforcement ammunition. The company disclosed the breach but refused to pay the ransom, joining a growing trend of organizations resisting extortion demands. The incident highlights persistent threats to defense contractors and critical infrastructure.
Attack Overview and Impact
The InterLock ransomware group exfiltrated 4,200 GB of data from AMTEC, a subsidiary specializing in 40mm grenade ammunition and explosives manufacturing. NDC’s public refusal to pay aligns with 2024 trends showing a 35% drop in ransom payments due to improved incident response plans and distrust of attackers’ promises1. The breach follows high-profile attacks on Boeing and Change Healthcare, where the latter paid a $22M ransom only to fall victim to an exit scam2.
AMTEC’s operations include precision assembly and explosive loading, making the stolen data potentially sensitive. While NDC hasn’t detailed the exact data compromised, defense contractors typically hold technical specifications, procurement details, and personnel records. The company’s statement emphasized no operational disruptions, suggesting isolated IT system compromise rather than industrial control system (ICS) interference.
Technical and Policy Context
The attack reflects broader 2024-2025 ransomware trends:
- Critical infrastructure focus: 15% increase in attacks targeting defense, healthcare, and utilities
- Declining payments: Only 61% of victims recover data post-payment, per Chainalysis data3
- Policy shifts: New SEC rules mandate 72-hour breach disclosures for public companies
NDC’s response mirrors Boeing’s 2024 stance against LockBit’s $200M demand. Unlike Change Healthcare—which faced SEC scrutiny for delayed disclosure—NDC’s prompt announcement may mitigate regulatory fallout. The DoJ’s recent indictment of LockBit administrator Dmitry Khoroshev shows escalating law enforcement pressure4.
Security Recommendations
For organizations handling sensitive defense data:
- Segment networks to isolate ICS and manufacturing systems from corporate IT
- Implement multi-factor authentication (MFA) on all remote access portals
- Maintain offline backups with regular restoration testing
- Monitor dark web markets for stolen data using tools like DarkOwl or Recorded Future
The AMTEC breach underscores why defense contractors remain prime targets: they possess valuable intellectual property and operate under public scrutiny that may pressure them to pay ransoms. NDC’s refusal sets a precedent, but the long-term impact depends on whether stolen data surfaces in illicit markets.
Conclusion
NDC’s ransomware incident highlights the evolving balance between cyber resilience and extortion economics. While policy changes and law enforcement actions have reduced payment rates, attackers continue adapting—particularly through Ransomware-as-a-Service models lowering entry barriers. Defense sector organizations should prioritize threat intelligence sharing and assume breach postures given the sector’s attractiveness to both criminal and state-sponsored groups.
References
- “Ransomware Payments Drop 35% in 2024 Amid Takedowns and Victim Distrust,” Chainalysis, 2025.
- “Change Healthcare Attack: $22M Ransom Paid in ALPHV Exit Scam,” HIPAA Journal, 2024.
- “National Defense Corporation AMTEC Breach: 4,200 GB Stolen by InterLock,” DataBreaches.Net, 2025.
- “DOJ Indicts LockBit Administrator, Imposes Sanctions,” U.S. Department of Justice, 2024.
