
By Shin Li (Staff Threat Researcher, Automotive)
The year has only just begun, yet a wave of ransomware attacks has swept across industries, with the automotive industry among the hardest hit. In this article, in addition to outlining the reported automotive ransomware incidents, we examine several recent cases and their wider impact on automotive cybersecurity.
Automotive ransomware incidents
Our internal research shows that from January to mid-February 2025, reported automotive ransomware incidents have already exceeded those in the same period of 2024. The table below highlights this concerning trend.
Country/Region | Company type | Compromise date | Ransomware operator | Impact |
---|---|---|---|---|
Portugal | Commercial vehicle sales/rental | Jan. 1, 2025 | CiphBit | Data theft, details unknown |
US | Automotive parts remanufacturer | Jan. 7, 2025 | SafePay | Financial and employee data stolen |
Russia and CIS | Sales agent for a car OEM | Jan. 8, 2025 | Silent Crow | Customer and historical data potentially leaked |
Nepal | Car OEM distributor | Jan. 8, 2025 | ClaratZ | Website database leaked, customer data at risk |
US | Driveline repair and parts supplier | Jan. 9, 2025 | RansomHub | 31 GB technical database and business data at risk |
Sweden | Sales and service for a car OEM | Jan. 9, 2025 | ProfessorKliq | Possible 240 GB data leak, scope unclear |
Spain | Braking system manufacturer | Jan. 9, 2025 | Akira | 65 GB data stolen, including NDAs and HR info |
US | Collision repair service | Jan. 16, 2025 | SafePay | Data theft, internal info accessed without authorization |
Japan | Precision automotive parts maker | Jan. 18, 2025 | Qilin | 502.5 GB data stolen, including R&D blueprints |
Netherlands | Dealership for car OEMs | Jan. 23, 2025 | Fog | 25.7 GB data leaked, customer records potentially affected |
Denmark | Dealership for car OEMs | Jan. 24, 2025 | DragonForce | 86.88 GB data leaked, employee/customer PII exposed |
UK | Vehicle auction company | Jan. 24, 2025 | Space Bears | Financial reports and emails exposed |
Germany | Chemical supplier (auto supply chain) | Jan. 24, 2025 | Clop | US logistics server data stolen, details unclear |
US | Car rental service | Jan. 24, 2025 | Clop | Clop claimed attack, no confirmed data breach |
Italy | Precision measurement equipment maker | Jan. 26, 2025 | Unknown (Cryptolocker type) | Servers encrypted, logistics disrupted |
North America | Aftermarket parts supplier | Jan. 28, 2025 | Clop | Potential inventory and customer data stolen |
US | Locker supplier (indirectly auto-related) | Jan. 31, 2025 | 8BASE | 25 GB data leaked, including invoices and HR records |
India | Automotive engineering services | Jan. 31, 2025 | Unknown | Details unknown, potential data theft or disruption |
US | Transportation logistics carrier | Jan. 31, 2025 | Play | Data theft, internal document screenshots exposed |
UK | Heavy vehicle tire repair service | Feb. 4, 2025 | ROBI GOOD | Unknown impact, potential data theft |
US | Recreational vehicle manufacturer | Feb. 4, 2025 | RansomHub | Potential design and customer data at risk |
Japan | Automotive electronics maker | Feb. 4, 2025 | Qilin | 942 GB data with download link, potential IP leak |
India | Automotive consumer data | Feb. 4, 2025 | APT73 | 66,700+ car owner records leaked |
Australia | Heavy truck dealership | Feb. 5, 2025 | Lynx | 170 GB customer and operational data at risk |
Romania | Auto travel platform | Feb. 7 – 18, 2025 | Funksec, EraleigNews | 3 GB data leaked, possible data resale |
UK | Automotive dealership group | Feb. 9, 2025 | Lynx | Potential customer and financial data exposed |
US | Automotive interior parts maker | Feb. 11, 2025 | Play | Internal documents leaked, commercial secrets at risk |
US | Traffic engineering and planning consultant | Feb. 12, 2025 | Qilin | Internal sensitive files leaked, systems possibly encrypted |
US | Freight transportation company | Feb. 12, 2025 | Medusa | 97.4 GB data leaked, potential operational risk |
Belarus | Auto/Motorcycle online store | Feb. 12, 2025 | Funksec | 14 GB data leaked, customer data at risk |
US | Automotive R&D company | Feb. 14, 2025 | Qilin | Internal communications and potential IP at risk |
France | Auto consulting/inspection firm | Feb. 17, 2025 | Lynx | Proprietary files and client reports exposed |
Netherlands | Collision repair service | Feb. 17, 2025 | Lynx | Financial and customer data exposed |
US | Rubber parts manufacturer | Feb. 17, 2025 | Cactus | 116 GB data stolen, including engineering and HR files |
Table 1. A breakdown of the ransomware attacks that targeted the automotive industry from Jan. 1 to Feb. 17, 2025.
Notably, ransomware groups such as SafePay, Qilin, and Lynx have targeted multiple automotive-related organizations, from parts manufacturers to car dealerships. This pattern underscores a growing concern: Cybercriminals are increasingly viewing the automotive industry as a lucrative and vulnerable target.
Automotive cybersecurity insights
With ransomware attacks likely to persist in 2025, we review recent cases from Japan, Italy, and Australia to provide valuable insights into the evolving threat landscape. These incidents are not isolated but part of a broader pattern of disruption affecting organizations worldwide. We examine these examples not to highlight the challenges faced but to uncover the tactics used and understand their broader implications for automotive cybersecurity.
A precision parts manufacturer based in Japan
The Qilin ransomware group reportedly exfiltrated over 500 GB of sensitive data, including engineering blueprints and supplier agreements, from a precision parts manufacturer in Japan. This manufacturer produces critical components such as gears, shafts, and custom-machined parts for some major Tier 1 global automakers (OEMs).
Although the manufacturer swiftly isolated infected servers and restored operations from backups, the exposure of technical documentation raised serious industry concerns. While it confirmed an ongoing investigation, it did not disclose details regarding ransom demands or negotiations — underscoring the persistent risks that suppliers face in handling vital designs across multiple OEMs.
A high-precision measurement solutions provider based in Italy
Unidentified attackers encrypted critical internal servers at an Italy-based company specializing in high-precision measurement solutions, briefly disrupting logistics and administrative functions. This company provides sensors, gauges, and advanced diagnostic tools for engine assembly lines, powertrain R&D, and automated quality control.
While the impact on production was reported to be minimal, the extent of potential data exfiltration remains unclear. The company promptly notified Italian authorities, implemented short-term departmental shutdowns, and committed to strengthening its cybersecurity posture.
A leading truck and trailer dealership based in Australia
A leading truck and trailer dealership in Australia fell victim to a ransomware attack. The newly emerging Lynx group claimed responsibility for the attack, which purportedly resulted in the theft of 170 GB of sensitive data, including HR records and financial documents.
Involving a key supplier to commercial fleets, the breach raises serious concerns for transportation firms relying on timely vehicle servicing. The company swiftly took affected systems offline and engaged cybersecurity specialists, but it did not confirm whether ransom demands were met or whether customer data remained secure. To pressure compliance, Lynx posted partial data on the dark web, highlighting how even specialized dealerships in remote regions remain prime targets for escalating waves of cyberthreats.
Conclusion
In 2024, cyberattacks primarily targeted suppliers, third-party providers, and dealerships, with some incidents far surpassing those aimed at OEMs. The surge in ransomware attacks at the start of 2025 suggests a continuation of this trend, highlighting a couple of sobering realities.
First, when key supply chain players such as precision parts manufacturers and specialized service providers are hit by cyber intrusions, the fallout ripples far beyond the initial target. For instance, a breach in quality control systems can derail entire production lines, while compromised fleet operations can delay deliveries, affecting partners and customers across the industry.
Second, digital interconnectedness in today’s global economy has erased geographic boundaries for cyberthreats, exposing businesses across diverse regions to sophisticated attacks. No corner of the automotive ecosystem is immune.
The rising risk of automotive cyberthreats calls for urgent action involving proactive cybersecurity measures, robust incident response plans, and stronger industrywide collaboration. Through information sharing and coordinated defenses across the automotive ecosystem, OEMs, suppliers, and service providers can strengthen the industry’s resilience against the growing risks posed by today’s advanced threat actors.