Ransomware attacks against the automotive industry more than doubled in 2025, accounting for 44% of all publicly reported cyber incidents across the sector. That’s not a typo. Nearly half of every known digital intrusion in automotive last year involved someone holding data or systems hostage for money.
The numbers come from cybersecurity firm Halcyon, which released its findings in mid-April under the title “Forty-Four Percent and Rising.” The report was led by Cynthia Kaiser, a 20-year FBI veteran who served as Deputy Assistant Director of the bureau’s Cyber Division before joining Halcyon as SVP of its Ransomware Research Center.
Kaiser grew up watching both her parents work for General Motors in Detroit. She knows what a production shutdown does to a town. And she’s now watching hackers figure that out, too.
The most devastating example so far hit Jaguar Land Rover last autumn. A ransomware attack forced the automaker into a month-long global production shutdown, costing an estimated $2.67 billion in lost revenue. That’s not an inconvenience. That’s an existential event.
The attack surface has grown fast. Connected vehicles, cloud platforms, and over-the-air update systems now factor into nearly 70% of cases Halcyon tracked in 2025. Every digital convenience the industry sells to consumers is also a doorway for criminals.
The more connected the car, the more connected the factory, the wider the opening. But the real soft underbelly isn’t the OEMs themselves. It’s their suppliers.
Smaller tier-two and tier-three companies often maintain privileged access to OEM networks while running cybersecurity budgets that wouldn’t cover a large automaker’s coffee tab. Kaiser was blunt about it: “You have this convergence of privileged access without necessarily having the budget for the needed security.”
Hackers have done the math. They know that shutting down a tightly integrated manufacturing line, even for a day or two, creates financial pressure that makes companies more willing to pay. The auto industry’s lean, just-in-time production philosophy, celebrated for decades as a model of efficiency, has become its greatest vulnerability.
There’s no slack in the system. Every hour offline costs millions.
Kaiser’s prescription starts with the mundane. Usernames. Passwords. Multi-factor authentication. The boring stuff that nobody wants to fund in a capital plan competing against new EV platforms and software-defined vehicle architectures.
But those basics are how attackers get in the door. Beyond prevention, she urged a shift in mindset. Companies need to accept they will be breached and invest heavily in detection systems that identify intruders fast.
“If you know what’s happening on your system and you have tools that help you detect and kick people out, then you can kick them out quick,” she said. AI is accelerating the threat on both sides. Attackers are using it to crack defenses faster and more creatively.
Defenders need AI-powered detection tools to keep pace. The arms race is already underway, and most of the supply chain is showing up to it underequipped.
The auto industry spent the last decade racing to become a technology industry, with software-defined vehicles, cloud-connected everything, and digital twins running factories. It got what it wanted. Now it’s learning that technology industries have technology-industry problems, and a 44% ransomware share is the tuition bill.
The question isn’t whether the next billion-dollar attack is coming. It’s whether anyone downstream from the OEMs can afford to stop it.
Share this Story