Auto Industry Under Siege: Ransomware Attacks Double as AI Fuels Threats
- Ransomware attacks in the auto industry doubled in 2025, accounting for 44% of all automotive cyber incidents.
- 92% of attacks were conducted remotely, with 86% requiring no physical access to the vehicle.
- A single cyberattack cost Jaguar Land Rover £1.9 billion in 2025, impacting over 5,000 organizations in its supply chain.
Experts agree that the rapid adoption of AI in automotive systems has expanded the digital attack surface, creating unprecedented cybersecurity risks that require immediate, proactive measures beyond regulatory compliance.
BIRMINGHAM, Mich. – February 18, 2026 – The global automotive industry is facing an unprecedented cybersecurity crisis, with ransomware attacks more than doubling in 2025, according to a new report by cybersecurity firm Upstream. The eighth annual Global Automotive and Smart Mobility Cybersecurity Report reveals that financially motivated cybercriminals are escalating their assaults, moving beyond corporate networks to hold vehicles and entire supply chains hostage.
The report, which analyzed 494 publicly reported incidents, paints a stark picture of an industry at a dangerous crossroads. The very technologies designed to make cars smarter and more connected—particularly the rapid adoption of what experts call "Physical AI" in autonomous systems—are dramatically expanding the digital attack surface, creating a perfect storm of risk for manufacturers, suppliers, and drivers alike.
Ransomware's New Frontier: From Factories to Driveways
The most alarming trend highlighted in the report is the explosive growth of ransomware. These attacks, where malicious actors encrypt data and demand payment for its release, accounted for a staggering 44% of all automotive cyber incidents in 2025, more than double the volume from the previous year. This surge aligns with broader global trends, as reports from security firms like Cyble and Comparitech noted a massive increase in ransomware activity across all sectors, with manufacturing consistently being the most targeted.
What has changed, however, is the target. While previous attacks often focused on corporate IT systems, 2025 marked a chilling evolution. The Upstream report details incidents where attackers breached vehicle systems directly, often through companion mobile apps. In one mid-2025 scenario, hackers gained remote control of vehicle functions like ignition and door locks, locking owners out and demanding ransom payments to restore access. This leap from data theft to direct physical control represents a dangerous new frontier for public safety and trust.
The economic devastation caused by these attacks is no longer theoretical. In September 2025, Jaguar Land Rover (JLR) fell victim to a massive cyberattack that crippled its production and retail operations for a prolonged period. The incident is considered the UK's costliest ever, with an estimated financial impact of £1.9 billion, rippling through more than 5,000 organizations in its supply chain. Another major European OEM saw its production lines paralyzed for weeks, forcing local authorities to provide financial support and measurably impacting the region's GDP.
These large-scale disruptions underscore the vulnerability of the industry's deeply interconnected, just-in-time supply chains. An attack on a single supplier, like the 2024 ransomware incident at dealership software provider CDK Global which caused an estimated $1 billion in economic damage, can bring thousands of businesses to a grinding halt.
The AI Paradox: Innovation as a Weapon
At the heart of the industry's transformation and its new vulnerabilities lies Artificial Intelligence. The automotive sector is a pioneer in deploying Physical AI—intelligent systems that perceive and interact with the physical world—with autonomous driving features being the most prominent example. However, this progress comes at a price.
"The automotive industry is an early adopter of Physical AI, and as AI capabilities rapidly expand across markets, it now serves as the reference architecture for safety-critical, highly connected systems," said Yoav Levy, Co-Founder and CEO of Upstream, in the report's press release. "However, AI is also enabling attackers to move faster, at greater scale, and with more automation while the industry is still relying on security models built for a far more static world."
This "AI paradox" means the technology is a double-edged sword. While automakers look to AI to power next-generation safety and convenience features, attackers are leveraging generative AI and large language models (LLMs) to craft more sophisticated phishing campaigns, discover software vulnerabilities faster, and automate their malicious campaigns on a massive scale. The report notes that 71% of incidents in 2025 were attributed to black hat actors, up from 65% in 2024, indicating a rise in professional, organized cybercrime.
The Invisible Battleground Under the Hood
As vehicles transform into software-defined machines, the battleground has shifted from physical security to the invisible digital architecture that runs them. According to Upstream's findings, the vast majority of attacks—a staggering 92%—were conducted remotely, and 86% of those required no physical access or proximity to the vehicle.
The primary points of entry are no longer just the onboard diagnostics port but the complex web of backend servers, cloud platforms, and Application Programming Interfaces (APIs) that connect vehicles to the outside world. The report identifies telematics and cloud systems as the vectors in 67% of incidents. APIs, the digital 'nervous system' that enables communication between the vehicle, the manufacturer's cloud, and third-party apps, have become a particularly weak link, serving as a key enabler for a significant portion of attacks.
The scale of potential impact is massive. Over 60% of the incidents analyzed had the potential to affect thousands to millions of vehicles and mobility assets simultaneously, with one in five qualifying as a massive-scale event. This systemic risk means a single vulnerability in a shared cloud platform or API could lead to a fleet-wide compromise, with consequences ranging from mass data breaches to coordinated operational disruption.
A Race Between Regulation and Reality
In response to the escalating threat, regulators and industry bodies are racing to establish a new baseline for security. Regulations like UNECE WP.29 R155 have become cornerstones of compliance, mandating that automakers implement a certified Cybersecurity Management System (CSMS), design vehicles for security, monitor for threats in real time, and provide Over-the-Air (OTA) software updates to patch vulnerabilities.
These regulations are a crucial step forward, but experts caution that mere compliance is not a silver bullet. The rapid evolution of attacker tactics, especially those powered by AI, means that building true resilience requires investment beyond checking regulatory boxes. The industry is responding by establishing dedicated Vehicle Security Operations Centers (vSOCs) and increasingly turning to AI-powered defensive tools to detect and respond to threats in real time.
Strengthening supply chains with measures like demanding Software Bills of Materials (SBOMs) from suppliers is also becoming a critical priority. As governments, including the United States, begin weighing national security implications and proposing restrictions on hardware and software from certain countries, the geopolitical dimension of automotive cybersecurity is becoming impossible to ignore. The road ahead for the automotive industry is fraught with challenges, requiring a fundamental shift in mindset from building secure components to defending a dynamic and ever-expanding mobility ecosystem.
