Ransomware is now the fastest growing and most disruptive cyber threat facing the automotive sector, accounting for 44% of attacks on carmakers in 2025, according to Halcyon.
The security vendor crunched data from multiple sources to compile a new report on the industry. It claimed that ransomware attacks on carmakers more than doubled in 2025.
“The surge in attacks reflects a calculated shift by cybercriminals who increasingly view the automotive industry as a lucrative target, driven by its rapid adoption of connected technology, growing reliance on cloud services, and a sprawling network of third-party suppliers that broadens criminals' opportunities to strike,” the report noted.
It pointed to connected vehicle platforms, over-the-air (OTA) update mechanisms and cloud-based environments as having expanded the typical corporate attack surface in the sector.
Smaller suppliers with potentially poor security posture often have privileged access to OEMs’ IT systems, the report added.
Read more on ransomware in the automotive sector: Cyber-Attack Costs Carmaker JLR $258m in Q2
The report also noted that carmakers are an increasingly popular target for attack due to their low tolerance for downtime.
That was highlighted last year when Jaguar Land Rover (JLR) suffered a ransomware-related production outage that stretched to five weeks, costing the firm an estimated £108m per week in fixed costs and lost profit.
That attack was branded the most expensive in history, hitting the UK economy to the tune of £1.9bn thanks to the significant knock-on effect among smaller supply chain partners that were forced to halt their production lines.
Halcyon’s Mitigation Advice for the Sector
Halcyon urged automotive sector IT teams to get ahead of the ransomware threat by:
- Patching perimeter and edge devices and assets, such as VPNs, RDP endpoints and ERP systems
- Deploying phishing-resistant multi-factor authentication (MFA) with a focus on on VPNs, remote access, and privileged accounts. And auditing third-party access and removing/rotating legacy credentials
- Hardening endpoint detection and response (EDR) tools against tampering and disabling
- Maintaining immutable, offline backups isolated from domain-joined systems, and testing restoration regularly
- Establishing baseline security requirements for supply chain partners, including software providers, and actively monitoring for breaches in third-party tools
- Deploying an anti-ransomware solution that can detect tell-tale behavioral patterns and stop threats before encryption
Ransomware incidents over the past year or two have struck all parts of the value chain, from manufacturers and major suppliers to connected vehicle systems, the report said.
“Given these escalating threats, companies across the automotive supply chain should prioritize understanding their exposure, strengthening their defenses, and ensuring they are prepared to respond when an attack occurs,” Halcyon added.