Ransomware’s acceleration in automotive and smart mobility signals that connected vehicles are shifting from peripheral to primary targets in cybercriminal business models. This forces OEMs and Tier‑1s to treat cybersecurity as an operational continuity issue on par with functional safety, driving spend toward XDR, API security, and SOC integration. It also pressures regulators and insurers to quantify systemic risk in mobility platforms rather than discrete vehicle vulnerabilities. The trend aligns automotive with broader IoT sectors where cloud‑centric architectures and Physical AI collapse IT/OT boundaries.
Automotive and Smart Mobility Sectors Face Escalating Ransomware Threats in 2025
Upstream’s report finds that the rapid adoption of Physical AI, with autonomous vehicles among the first production-ready systems in real-world operation, is expanding attack surfaces and accelerating attacker capabilities, creating large-scale cyber risks with massive impact potential.
Upstream, the leading AI-powered cybersecurity detection and response platform (XDR) purpose-built for connected vehicles, physical AI, and smart mobility, released today its 2026 Global Automotive and Smart Mobility Cybersecurity Report. Now in its eighth year, the report reveals a material escalation in cybersecurity risks across Automotive and Smart Mobility. This is driven by the rapid expansion of APIs and AI-driven architectures, alongside the increased sophistication of organized threat actors. Together, these forces are widening the gap between adversary capability and the industry’s current cybersecurity posture, with ransomware continuing to emerge as one of the fastest-growing and most disruptive attack types in 2025.
Analyzing 494 publicly reported cybersecurity incidents from 2025 within the Automotive and Smart Mobility ecosystem worldwide, the report recognizes two converging trends reshaping automotive cybersecurity: First, AI architectures have dramatically expanded the attack surface, introducing new entry points and systematic exposures across the entire ecosystem. Second, financially motivated, well-resourced, and coordinated attack groups are increasingly targeting the sector, causing a major escalation in ransomware attacks that can translate into billions of dollars in operational and economic losses. Furthermore, ransom attacks are now expanding beyond IT and enterprise systems into the actual vehicles, as shown in mid-2025 when attackers accessed remote vehicle command & control systems (via the companion app), locked owners out, took remote control of functions like ignition and door locks, and demanded ransom payment to restore access.
AI as a Double-Edged Sword
Yoav Levy, Co-Founder and CEO of Upstream, said:
“The automotive industry is an early adopter of Physical AI, and as AI capabilities rapidly expand across markets, it now serves as the reference architecture for safety-critical, highly connected systems.”
“However, AI is also enabling attackers to move faster, at greater scale, and with more automation while the industry is still relying on security models built for a far more static world. Our 2026 report shows that AI significantly expands the cybersecurity attack surface, as traditional perimeter defenses no longer suffice when AI systems adapt dynamically and directly influence physical outcomes.”
The report examines AI as a dual threat reshaping the automotive cybersecurity landscape: AI is both expanding the attack surface and accelerating attacker capabilities. The rapid adoption of generative AI and large language models (LLMs) alongside API-centric architectures and frequent over-the-air (OTA) updates has introduced new points of exposure and increased complexity across the vehicle ecosystem. The report highlights how backend servers and APIs have become the primary weak points, as this growing interconnectivity between vehicles, cloud platforms, and apps increases the likelihood of systemic cybersecurity incidents.
Ransomware Drives 2025 Cyber Escalation
The report also found that 2025 saw a sharp rise in large-scale, coordinated attacks by organized threat actors on the Automotive and Smart Mobility ecosystem, with increasingly severe operational disruption, financial damage, and reputational consequences. The report highlights that ransomware attacks increased significantly as part of this broader escalation in cyber activity, with 44% of attacks being ransomware-related, more than double the volume than in 2024. In the most severe cases, these attacks triggered cascading disruptions across OEMs, suppliers, production environments, and wider supply chains.
2025’s largest incident, a cyberattack on a European OEM, exemplified the chain-reaction impact now possible when organized threat actors target interconnected mobility ecosystems. The attack paralyzed the OEM’s production and enterprise systems for several weeks, forcing local authorities to provide financial support. In addition to direct impact on the OEM, the attack indirectly impacted a wide array of suppliers and evidence of impact was evident in the decrease in GDP.
Additional Findings and Insights
- 71% of incidents were attributed to black hat actors, up from 65% in 2024.
- 92% of automotive cyber attacks were conducted remotely, of which 86% required no physical proximity to vehicles and systems.
- 67% of incidents involved telematics and cloud systems as attack vectors; however, APIs continue to serve as the nervous system of the Automotive and Smart Mobility ecosystem and the enabler of a significant portion of incidents.
- 68% of incidents involved data and privacy breaches, while 34% of incidents were focused on business and operational disruption.
- 61% of incidents had the potential to impact thousands to millions of mobility assets; 20% were massive-scale events.
The post Ransomware on Automotive and Smart Mobility Doubled in 2025 appeared first on IoT Business News.
