
Top cybersecurity threats to government contracting

Ransomware, AI & Nation-State Attacks: The Top Cyberthreats to GovCon and How to Address Them

  • Ransomware, AI-enabled cyber campaigns and nation-state cyber actors are targeting critical infrastructure organizations and the defense industrial base
  • Several organizations, including federal agencies, have provided guidance on how to address cyberthreats 
  • Government leaders, including CISOs Michael Duffy and Aaron Bishop, spoke about how AI and zero trust are strengthening federal cybersecurity

The cyber domain has become a battlefield, where hackers use a range of tools and techniques to evade the security measures in place to protect critical systems and data. For the government contracting industry, the cyberthreat is heightened because organizations contend with hackers who are not just looking for quick cash, but who aim to sow discord, steal sensitive government information and undermine national security interests.

From ransomware attacks targeting critical infrastructure and the defense industrial base to AI-enabled phishing schemes and nation-state cyber campaigns, here are the three most pressing cyberthreats to GovCon and what organizations can do about them.

Cybersecurity leaders from government and GovCon will convene at the Potomac Officers Club’s 2026 Cyber Summit this Thursday to identify the challenges threatening the security of federal systems and data, and potential solutions to them. The event offers keynotes and panel discussions featuring some of the top figures shaping federal cybersecurity, and plenty of opportunities for networking. Purchase your tickets here!

What Are the Top Cyberthreats Facing GovCon?

  1. Ransomware

Ransomware is a type of malware that locks or encrypts a victim’s files, systems or networks and demands payment to restore access. The FBI warned that, in most cases, victims do not realize their systems have been compromised until they lose access to data or receive ransom demands.

Ransomware poses a threat to all sectors, including critical infrastructure and the defense industrial base. 

Critical Infrastructure

According to a report published in April, the FBI Internet Crime Complaint Center, also known as IC3, received over 3,600 complaints of ransomware targeting critical infrastructure organizations in 2025. Of the nation’s 16 critical infrastructure sectors, healthcare and public health reported the highest number of ransomware attacks to the FBI, followed by critical manufacturing, financial services, government facilities and information technology. 

The FBI also identified the top 10 reported ransomware variants utilized by cyber groups to attack critical sectors: 

  • Akira
  • Qilin
  • Lynx
  • BianLian
  • Play
  • RansomHub
  • LockBit
  • DragonForce
  • SafePay
  • Medusa

Together, the 10 variants reportedly accounted for 56.8 percent of all ransomware cases in 2025, resulting in over $16 million in losses.

Defense Industrial Base

Ransomware groups continue to target the defense industrial base, and attacks are accelerating, based on a new report from the Department of War’s Cyber Crime Center.

The DC3, which oversees the Defense Industrial Base Collaborative Information Sharing Environment, or DCISE, shared that it received 56 percent more ransomware-related reports in the third quarter of 2025 than in Q2. Akira, Lynx, Play and Qilin were among the ransomware variants identified during the period.

In one incident in 2025, a ransomware group called Interlock exfiltrated 4.2 terabytes of data from the National Defense Corp. and its subsidiary AMTEC, a manufacturer of ammunition, explosives and cartridges for the U.S. Army. 

The Interlock attack exposed details about the supply chains of top defense contractors and the distribution of explosives and ammunition, information that nation-state adversaries could use to disrupt military operations or gain a strategic advantage during a conflict, warned cybersecurity company Resecurity.

How to Mitigate Ransomware Incidents

CISA has outlined some actions that organizations can take to prevent ransomware attacks:

  • Regularly back up essential systems and data: Ransomware groups encrypt systems and data to extort money from victims, so backups are essential for recovery following an attack.
  • Store backups on separate devices: Organizations should store backups on a separate device, such as an external hard drive, that can be disconnected from the network or computer so that, in the event of an attack, the backups remain out of reach of cybercriminals.
  • Train employees to follow cyber hygiene practices: All personnel should undergo cybersecurity awareness training so that everyone understands the techniques malicious cyber actors use to infiltrate sensitive systems and data.
  • Update software: Hackers exploit vulnerabilities in code, so make sure that applications and operating systems are updated with the latest patches.
  • Install protective programs: Antivirus software, firewalls and email filters can block malicious network traffic and messages before they reach users.

The security agency also provides additional resources on StopRansomware.gov to help organizations protect their systems and data from ransomware groups.

  2. AI-Enabled Phishing and Influence Operations

AI has lowered the barrier to entry for cybercriminals. With generative AI tools readily available to anyone, even a novice cyber actor can launch highly effective cyberattacks that lack the typical telltale signs of online scams.

How AI Is Used for Cyber Crimes

  • Business email compromise – Cybercrime groups are using AI to create emails or synthetically generated audio to mimic important figures within an organization. According to the FBI IC3, over $30 million in losses were reported in 2025 due to AI-enabled BEC scams.
  • Social engineering – Hackers are also adopting AI to craft user personas and highly personalized messages, eliminate the usual signs of fraud, change tactics in real time, and deliver a more sophisticated cyber campaign to infiltrate U.S. organizations. Guidehouse has warned that nation-state actors have utilized AI to create fake identities and apply as remote workers to gain access to American systems.
  • Autonomous reconnaissance and targeting – Cyber actors are utilizing AI to automate the process of identifying targets, searching for vulnerabilities, and generating and executing exploit code.

Cyberthreats to AI

AI systems can be vulnerable to cyberattacks, too. Malicious cyber actors craft input that can override an AI system’s instructions and manipulate model behavior, Guidehouse said. Cyberthreat groups can also poison training data to implant backdoors or degrade the integrity and performance of the model.

How to Address AI-Enabled Cyber Risks

According to Ben Shipley, strategic threat analyst at IBM X-Force Threat Intelligence, while AI has helped hackers carry out attacks, the technology has not fundamentally changed how defenders respond to them.

“Malware written by AI or by a human is still going to behave like malware,” noted Shipley. “Ransomware written by AI does not have any more significant of an impact on a victim than ransomware written by a human.” 

To address AI-enabled attacks, organizations must still follow established cybersecurity practices, such as adopting strong identity and access controls, including multifactor authentication, and deploying patches promptly.

IBM also recommended the use of threat intelligence programs for teams to stay informed about emerging threats and a combination of threat detection tools to mitigate attacks, whether hackers are using AI or not.

The role of AI in cybersecurity is a key topic at the 2026 Cyber Summit this Thursday. No fewer than two panels, featuring speakers from industry and government, will delve into how AI can help defend critical systems and data from various cyberthreats. Get your tickets here before they run out!

  3. Nation-State Cyber Campaigns

The defense industrial base is an attractive target to nation-state actors seeking to steal intellectual property or classified data to disrupt military operations or gain an advantage on the battlefield. 

In March, a large-scale phishing campaign targeting defense, aerospace and IT companies that provide critical capabilities to Ukraine was uncovered by DomainTools Investigations, a cyber company that tracks website infrastructure, NextGov/FCW reported. Between late December and early March, DomainTools identified 878 spoofed domains, each a slight variation of a target contractor’s official web address. A U.S.-based technology firm and defense and aerospace firms in the United Kingdom, France, Italy, Turkey, South Korea and Ukraine were among the targets of the scam.

China

China-linked cyberthreat actors remain the most active threat entities targeting the DIB, according to an analysis by Google Threat Intelligence Group. The hackers aligned with Beijing use an array of tactics, but exploiting edge devices and appliances to gain initial access emerged as the common method across many operations. Chinese espionage entities also use operational relay box, or ORB, networks, which are networks of compromised devices, to carry out reconnaissance.

CISA has also issued a cybersecurity advisory on China-nexus networks of compromised devices that threaten critical infrastructure. The agency warned that hackers are taking advantage of devices with weak security to spy on or break into an organization in order to control systems or steal data.

Iran

Pro-Iran hacktivist activity targeting the defense sector has also increased since 2023, according to Google Threat Intelligence Group. Their operations have evolved from nuisance attacks to more sophisticated hack-and-leak campaigns, supply chain compromise and psychological warfare against the U.S. military.

Russia & North Korea

Russia-linked hacktivists, Google Threat Intelligence Group revealed, are carrying out campaigns to advance Russia’s interests in its war against Ukraine. Aside from Ukrainian entities, these cyber actors are also targeting the militaries and the defense sectors of Western countries. 

On the other hand, North Korea’s cyber espionage groups specifically go after employees within defense organizations. In several campaigns that Google Threat Intelligence Group identified, North Korean threat actors created employment-themed content and impersonated corporate recruiters to harvest information that can be used for phishing attacks. 

Small Businesses Vulnerable to Nation-State-Backed Cyberthreats

While bigger defense contractors have the resources to combat cyberattacks, small- to medium-sized businesses — which make up 80 percent of the DIB — are ill-equipped to face highly sophisticated, nation-state-backed cyber activities.

“The DIB is no longer a handful of traditional defense contractors, but it now includes a lot of companies from nascent and emerging industries,” Bailey Bickley, chief of defense industrial base defense at the National Security Agency’s Cybersecurity Collaboration Center, told NextGov/FCW. 

NSA and penetration testing provider Horizon3, under the Continuous Autonomous Penetration Testing program, provided automated testing tools to about 200 DIB companies and found over 50,000 vulnerabilities. According to Bickley, over 70 percent of the vulnerabilities identified were mitigated.

How to Mitigate Nation-State Threats

CISA has provided several steps that organizations can follow to mitigate cyber incidents linked to nation-state threat actors:

  • Maintain a catalog of mission-critical systems and understand how they connect to third-party providers, technologies and supply chain partners.
  • Identify a baseline for normal host behavior and user activity to help security teams spot unusual behavior through log analysis.
  • Quickly patch known exploited vulnerabilities.
  • Apply the principle of least privilege by limiting administrator actions and access locations to a manageable baseline.
  • Report cyber incidents and suspicious cyber activity to CISA to support coordinated national defense and threat response efforts.

What Does the Government Need to Strengthen Cybersecurity?

With the increasing cyberthreat to government and GovCon, federal leaders are exploring ways to secure critical systems against attacks. 

AI

AI is helping cyberthreat actors escalate attacks, but federal officials are also looking to the technology to strengthen defense against cyber risks. 

Michael Duffy, acting federal chief information security officer within the Office of Management and Budget, shared in September that his office is evaluating AI strengths and limitations and exploring cyber use cases for AI within agencies, CyberScoop reported. 

“We’re working with CISOs to rationalize their cybersecurity tool stack to ensure individual agencies are well-postured for the evolving threat environment, while identifying opportunities to eliminate redundant and ineffective systems and capabilities to leverage enterprise-wide capabilities and programs — shared services to gain efficiencies and scale, successful AI pilots occurring within agencies,” the government’s top cybersecurity leader stated. 

Hear about Duffy’s vision for cybersecurity in government this Thursday at the Potomac Officers Club’s 2026 Cyber Summit, where he will deliver a keynote address. Register here!

At the Centers for Medicare and Medicaid Services, AI is being integrated into security operations, revealed Keith Busby, the agency’s CISO, at an event in April that GovCIO Media & Research covered. 

Busby explained that AI can improve how the agency evaluates and acts on data and automate reporting and planning, reducing personnel workloads. 

Benjamin Koshy, CISO at the Indian Health Service, also told Federal News Network that the agency wants AI to deliver advanced cyber capabilities to its dispersed networks. The official said the technology can flag anomalous behavior. IHS oversees healthcare facilities across 37 states.

“I think that’s the way that we’re going to have to move forward, by baselining what your normal is, and then if there’s deviations from that normal, putting in the effort, getting human eyes on things as well as your AI to really understand, okay, is this going to be my new normal, or is this a targeted attack that I have to look into?” Koshy stated. 

Zero Trust

Alongside AI implementation, the federal government is also prioritizing zero trust to build resilience against cyberattacks. 

At an event in December, Aaron Bishop, former Air Force CISO and current acting CISO of the Pentagon, explained that zero trust builds “resilience at a micro-component level,” Breaking Defense reported. 

Bishop will also deliver a keynote at the 2026 Cyber Summit, where he is expected to discuss operational resilience and next-generation threats federal agencies are facing. The event, happening this Thursday, will also have a panel on resilience through zero trust featuring speakers from Air Force Research Laboratory, Defense Information Systems Agency, U.S. Cyber Command and the Department of the Navy. Sign up here to secure your seat.

Jennifer Franks, IT and cybersecurity director at the Government Accountability Office, added during an event in March that zero trust segmentation also contributes to resilience by allowing agencies to isolate affected systems and respond to cyber incidents without stopping operations. 

“When you have vulnerabilities to impact your environment, you can segment that off and, you know, provide those network mitigation surfaces, but not necessarily shut down and impact all of your business processes,” she commented via GovCIO Media & Research.

Collaboration/Cooperation

More than just deploying technology to secure government systems and data from evolving cyberthreats, federal officials are calling for increased collaboration across private and public sectors. 

Duffy has been vocal about the need for information sharing to improve cybersecurity. At a September event, he identified an enterprise approach to cyber defense as one of his priorities as federal CISO. He shared that leaders, when thinking about vulnerability management, supply chain security or incident response, must consider not just the needs of their own agency but the whole enterprise. 

“Adversaries don’t see agency lines,” he stated via FedScoop. “This is why that enterprise approach is so important, because those gaps, those gray zones, between agencies, are exactly what adversaries are looking to take advantage of, and we’ve seen that happen.”

The official also urged the cybersecurity community in another event in August to share solutions to cyber problems with the rest of the ecosystem to rapidly scale adoption. NextGov/FCW reported that Duffy explained that people are waiting for someone to tell them how to address cybersecurity challenges, but “all of us have a little piece of that puzzle.”

Communication, he added, is crucial for policy development and implementation.

Doug Cossa, chief information officer for the intelligence community and adviser to the director of national intelligence, also called for enterprise licensing for common cybersecurity capabilities to eliminate duplicate services and enhance efficiency across agencies, GovCIO Media & Research reported.

Do not miss this rare opportunity to hear from Duffy, Bishop and CISOs from the Department of Education and Centers for Medicare and Medicaid Services at the 2026 Cyber Summit this Thursday. The event will cover all aspects of cybersecurity in government, including zero trust, advanced persistent threats, quantum computing and post-quantum cryptography, and a lot more! Secure your tickets today!
