Ransomware has become the most disruptive cyber threat pressing on the automotive industry, with Halcyon saying such attacks more than doubled in 2025 and made up 44% of all publicly reported cyber incidents across the sector. The finding points to a shift in criminal focus towards carmakers, suppliers and mobility platforms whose factories, dealer networks and software systems now depend on tightly linked digital infrastructure.
That change matters because the automotive business no longer rests only on assembly lines and showroom sales. Modern manufacturers run sprawling networks of cloud systems, connected production equipment, software-defined vehicles, telematics platforms, over-the-air update systems and third-party suppliers. Each link adds convenience and speed, but also expands the attack surface for criminals looking for operational choke points. Halcyon said the sector’s dependence on connected technology and outsourced service networks has made it an increasingly attractive target for extortion-driven groups. NHTSA has also stressed that vehicle and component security now stretches across the design, software and supply-chain lifecycle, not just the finished car.
The sharpest warning came from real-world disruption. Jaguar Land Rover’s cyber incident in September 2025 forced prolonged shutdowns across its British factories, disrupted sales and parts systems, and rippled through suppliers and workers well beyond the company’s own sites. Reuters reported that the stoppage affected 33,000 staff and later stretched to nearly four weeks, underlining how a single breach can turn into an industrial and economic problem rather than a narrow IT event. Even without confirmed customer-data compromise at the outset, the operational damage was severe enough to halt output and draw government attention to supply-chain fallout.
Broader industry data show the problem is not isolated. Upstream Security, which tracks automotive and smart mobility cyber incidents, said its 2026 report reviewed 494 publicly reported incidents from 2025 and found ransomware attacks on automotive and smart mobility more than doubled. The company highlighted backend servers and application programming interfaces as growing weak points as vehicles, apps, charging systems, fleet tools and cloud services become more interconnected. That suggests the main danger is no longer confined to hacking a vehicle directly; it increasingly lies in compromising the digital ecosystem around manufacturing, logistics, retail and after-sales services.
European threat data reinforce that picture. ENISA’s 2025 threat landscape said cybercrime incidents against the transport sector accounted for 8.4% of all incidents it tracked, with ransomware making up 83.9% of cybercrime incidents in that sector. The agency also identified well-known ransomware groups among the leading claimants targeting transport. While transport is broader than automotive alone, the numbers show how extortion attacks have become a dominant threat to mobility infrastructure across Europe.
For manufacturers, the commercial risk runs deeper than ransom demands. A successful attack can freeze production scheduling, parts ordering, invoicing, dealership systems and engineering workflows at the same time. In a just-in-time manufacturing model, delays at one supplier or one software platform can cascade through assembly plants, delivery commitments and service networks. Reuters’ reporting on the JLR disruption showed how cyber events can quickly affect employees, suppliers and national output, giving boards and investors a clearer measure of cyber risk as a business continuity issue rather than a back-office compliance matter.
Regulators have been pushing the industry in that direction. UNECE’s Regulation No. 155 requires vehicle makers in participating markets to maintain a cybersecurity management system as part of type approval, while related rules on software updating seek tighter control over how vehicles are patched and maintained. In parallel, NHTSA’s best-practice guidance says cybersecurity responsibilities extend across manufacturers, suppliers and software developers, reflecting the reality that a weak partner can expose the whole chain. These frameworks do not eliminate attacks, but they are pushing automotive groups to treat cyber resilience as a core engineering and governance requirement.
Security firms argue that defences now need to move faster than traditional perimeter protection. Halcyon and other industry researchers point to the need for stronger segmentation between IT and operational technology, tighter supplier controls, protected backup strategies, faster incident response and continuous monitoring of cloud and API environments. The challenge is that the same digital transformation driving electric vehicles, connected services and software-led margins is also giving attackers more routes into the business.
That change matters because the automotive business no longer rests only on assembly lines and showroom sales. Modern manufacturers run sprawling networks of cloud systems, connected production equipment, software-defined vehicles, telematics platforms, over-the-air update systems and third-party suppliers. Each link adds convenience and speed, but also expands the attack surface for criminals looking for operational choke points. Halcyon said the sector’s dependence on connected technology and outsourced service networks has made it an increasingly attractive target for extortion-driven groups. NHTSA has also stressed that vehicle and component security now stretches across the design, software and supply-chain lifecycle, not just the finished car.
The sharpest warning came from real-world disruption. Jaguar Land Rover’s cyber incident in September 2025 forced prolonged shutdowns across its British factories, disrupted sales and parts systems, and rippled through suppliers and workers well beyond the company’s own sites. Reuters reported that the stoppage affected 33,000 staff and later stretched to nearly four weeks, underlining how a single breach can turn into an industrial and economic problem rather than a narrow IT event. Even without confirmed customer-data compromise at the outset, the operational damage was severe enough to halt output and draw government attention to supply-chain fallout.
Broader industry data show the problem is not isolated. Upstream Security, which tracks automotive and smart mobility cyber incidents, said its 2026 report reviewed 494 publicly reported incidents from 2025 and found ransomware attacks on automotive and smart mobility more than doubled. The company highlighted backend servers and application programming interfaces as growing weak points as vehicles, apps, charging systems, fleet tools and cloud services become more interconnected. That suggests the main danger is no longer confined to hacking a vehicle directly; it increasingly lies in compromising the digital ecosystem around manufacturing, logistics, retail and after-sales services.
European threat data reinforce that picture. ENISA’s 2025 threat landscape said cybercrime incidents against the transport sector accounted for 8.4% of all incidents it tracked, with ransomware making up 83.9% of cybercrime incidents in that sector. The agency also identified well-known ransomware groups among the leading claimants targeting transport. While transport is broader than automotive alone, the numbers show how extortion attacks have become a dominant threat to mobility infrastructure across Europe.
For manufacturers, the commercial risk runs deeper than ransom demands. A successful attack can freeze production scheduling, parts ordering, invoicing, dealership systems and engineering workflows at the same time. In a just-in-time manufacturing model, delays at one supplier or one software platform can cascade through assembly plants, delivery commitments and service networks. Reuters’ reporting on the JLR disruption showed how cyber events can quickly affect employees, suppliers and national output, giving boards and investors a clearer measure of cyber risk as a business continuity issue rather than a back-office compliance matter.
Regulators have been pushing the industry in that direction. UNECE’s Regulation No. 155 requires vehicle makers in participating markets to maintain a cybersecurity management system as part of type approval, while related rules on software updating seek tighter control over how vehicles are patched and maintained. In parallel, NHTSA’s best-practice guidance says cybersecurity responsibilities extend across manufacturers, suppliers and software developers, reflecting the reality that a weak partner can expose the whole chain. These frameworks do not eliminate attacks, but they are pushing automotive groups to treat cyber resilience as a core engineering and governance requirement.
Security firms argue that defences now need to move faster than traditional perimeter protection. Halcyon and other industry researchers point to the need for stronger segmentation between IT and operational technology, tighter supplier controls, protected backup strategies, faster incident response and continuous monitoring of cloud and API environments. The challenge is that the same digital transformation driving electric vehicles, connected services and software-led margins is also giving attackers more routes into the business.
Topics
Technology