Ransomware attacks more than doubled in 2025, and the targets now include the vehicles themselves, says a new report from cybersecurity firm Halcyon.
On the Dash:
- Ransomware attacks on the auto industry more than doubled in 2025, accounting for 44% of all cyber incidents.
- Suppliers are the weakest link, giving criminals a back door into OEM systems.
- Connected vehicles are now a direct target, with attackers seizing remote control of individual cars.
Ransomware attacks targeting the automotive sector more than doubled in 2025, according to a new report by cybersecurity firm Halcyon. Ransomware is a type of cyberattack in which criminals infiltrate a company’s systems, encrypt its data, and demand payment to restore access.
Those attacks made up almost half (44%) of all cyber incidents across the industry last year, the report found.
The consequences have been severe. A ransomware attack halted all of Jaguar Land Rover’s global production for more than three weeks last October, causing an estimated $2.5 billion in economic damage.
A year earlier, BlackSuit, a Russia-linked criminal organization, took down operations at approximately 15,000 dealerships for two weeks after attacking the industry’s leading dealership management platform. The collective losses were estimated at $1 billion.
Consumer data is also at risk. A compromised automotive IT provider in early 2025 exposed personal information on 2.7 million vehicle owners, including Social Security numbers.
Why automakers and dealers are ransomware targets
Cybersecurity analysts say criminals are targeting the auto industry for a simple reason: shutting it down is expensive.
Automotive manufacturing runs on tight deadlines. When systems go down, the costs quickly add up. The math makes the auto industry one of the most attractive extortion targets for cybercriminals.
The industry’s rapid embrace of connected technology made the problem worse. Vehicle platforms, over-the-air software updates, and cloud-based systems all created new targets for the attackers.
In 2025, attackers used telematics systems, cloud platforms, or APIs as their primary entry point in 67% of the incidents surveyed, according to Halcyon.
Suppliers are the weakest link
Most automotive cyber incidents in 2024 hit third-party providers, not the OEMs themselves. Smaller suppliers often hold privileged access to OEM systems. They rarely have the cybersecurity budgets to match that access. Criminals know it.
In early 2025, the criminal group Qilin stole more than 500GB of engineering blueprints and supplier agreements from a Japanese precision parts manufacturer. Separate incidents hit suppliers in Italy and Australia during the same period.
Breaching a supplier can open a back door straight into an OEM’s systems. The security is weaker. The access is real. And the potential damage runs up the entire supply chain.
Connected cars at risk for cyberattacks
Ransomware attacks are no longer limited to corporate networks and back-office systems. Criminals are coming for the vehicles themselves. As vehicles come with more connectivity, they are becoming more vulnerable to attack.
In June 2025, attackers seized remote control of individual vehicles in Russia. They locked owners out, controlled windows, doors, and engine starts, and demanded ransoms to restore access.
The attackers got in through cloned SIMs, expired virtual numbers, and revoked dealer logins. They exploited weak app-registration practices tied to unofficial imports of a specific Chinese vehicle brand.
What dealers and automakers need to do now
Halcyon’s report urges the industry to invest in cybersecurity measures to combat cybercrime and offers some tips to help keep attackers out:
- Use phishing-resistant, multi-factor authentication for all remote systems and secure accounts.
- Scrutinize third-party suppliers for potential security issues.
- Put systems in place to detect unusual activity in all networks.
- Keep offline backups, and update and test them regularly.
Companies should assume a breach is coming and build systems capable of identifying unusual activity quickly. Finding an attacker early limits the damage. Waiting until systems are encrypted does not.