Automotive ransomware doubles in 2025 as AI expands attack surface, report finds

Ransomware now accounts for nearly half of all automotive cybersecurity incidents, more than doubling year over year, per Upstream's 2026 report. Sixty-one percent of incidents had the potential to affect millions of vehicles at once.

Published on: May 28, 2026

Automotive Ransomware Attacks Double as AI Expands Vehicle Vulnerabilities

Ransomware now accounts for nearly half of all cybersecurity incidents in the automotive sector, more than doubling year over year, according to the 2026 Global Automotive and Smart Mobility Cybersecurity Report released by Upstream on May 26. The analysis of 494 publicly disclosed incidents in 2025 reveals a shift toward financially motivated attackers targeting vehicles and mobility systems with greater sophistication and scale.

The stakes for insurers are immediate. Sixty-eight percent of incidents resulted in data or privacy breaches. Thirty-four percent caused business or operational disruption. Sixty-one percent had the potential to affect thousands to millions of vehicles simultaneously.

Organized attackers are moving in

Black hat actors, those operating for financial or criminal gain, were responsible for 71% of incidents in 2025, up from 65% the prior year. These groups are targeting a sector that manages large volumes of personal data, operates critical infrastructure, and depends on uninterrupted connectivity.

Attackers executed 92% of incidents remotely. Of those, 86% required no physical access to the targeted vehicle or system, meaning threat actors could strike from anywhere with an internet connection.

Telematics platforms and cloud environments were the most common entry points, involved in 67% of cases. APIs (the connective tissue linking vehicle software, manufacturer backends, and third-party services) played a role across a broad share of incidents.

AI is widening the attack surface

Automakers are integrating AI into safety systems, fleet management, and over-the-air update mechanisms. This expansion is creating new vulnerabilities faster than traditional security models can address.

Upstream found that AI-driven architectures across vehicle systems serve as a structural factor in the escalating threat environment. AI is also enabling attackers to move faster, at greater scale, and with more automation. The industry, however, is still relying on security models built for a far more static world.

As vehicles become more connected and autonomous systems more prevalent, the boundary between cyber risk and physical loss is blurring. Existing policy language may not cleanly address these hybrid threats.

Ransom demands now target vehicle controls

A documented mid-2025 case showed attackers gaining access to a vehicle's remote command-and-control functions through a consumer-facing mobile app. They then seized control of physical systems such as ignition and door locks before demanding payment.

This represents a departure from traditional ransomware attacks that lock corporate networks or encrypt enterprise files. Underwriters handling cyber, motor, or connected device lines may need to re-examine how coverage responds when a ransomware attack results in loss of vehicle use rather than loss of data alone.

The insurance industry is responding

A December 2025 survey by Marsh of more than 2,200 cyber risk leaders across 20 countries found two-thirds of organizations planned to increase cybersecurity budgets in 2026. More than a quarter intended to raise spending by 25% or more.

Twenty-nine percent of respondents ranked ransomware alongside privacy breaches as their primary cyber worry, validating what Upstream's automotive-specific data shows.

Third-party risk emerged as a persistent gap. Seventy percent of organizations reported at least one material incident tied to a vendor or supply chain partner in the past year. In automotive terms, that supply chain includes the telematics providers, cloud platforms, and API-dependent services that featured in the majority of incidents Upstream catalogued.

The convergence of these trends points to a sector where the scope of insurable loss is expanding at roughly the same pace as the attack surface itself. Claims teams and risk managers with exposure to connected mobility need to reassess policy structures against a threat environment with increasingly physical consequences.

For those managing automotive cyber risk, understanding how AI affects threat detection and risk monitoring is becoming essential to underwriting decisions.

