Russian Hackers Behind Jaguar Land Rover Ransomware Attack That Cost UK $2.5B
A Russian hacker collective is responsible for the ransomware attack on Jaguar Land Rover that shut down production for nearly six weeks and cost the UK economy an estimated $2.5 billion.
A loose collective of Russian hackers orchestrated the ransomware attack that crippled Jaguar Land Rover in late 2025, according to a New York Times investigation published Thursday. The breach began on August 31, 2025, and shut down production across JLR’s factories for nearly six weeks, costing the British economy an estimated $2.5 billion.
The attack used what investigators described as “mind blowing” encryption, which proved exceptionally difficult to decrypt and contributed to the extended outage. The hackers initially took credit under a pseudonym before the investigation tied them to known Russian cybercriminal networks.
Attack Impact and Encryption Method
The encryption method deployed against Jaguar Land Rover was unlike typical ransomware, according to cybersecurity experts briefed on the investigation. The hackers used a custom variant that encrypted files in parallel across the company’s manufacturing and administrative systems, preventing even partial recovery from backups for weeks.
- Production halted at all JLR factories in the UK, Slovakia, and China for nearly six weeks.
- Estimated $2.5 billion economic impact includes lost sales, supply chain disruption, and remediation costs.
- Hackers demanded a ransom, but the amount has not been disclosed. JLR did not confirm payment.
- UK National Cyber Security Centre and the FBI assisted in the investigation.
- Attack affected over 40,000 employees and thousands of suppliers.
Broader Implications for Automotive and Industrial Security
This attack marks one of the most damaging ransomware incidents ever against a major manufacturer. The automotive industry has been a growing target because of the complexity of its supply chains and the difficulty of securing legacy industrial control systems. The six-week shutdown demonstrates the catastrophic consequences when encryption can’t be quickly reversed.
Jaguar Land Rover has since revamped its cybersecurity posture, implementing network segmentation and more frequent backup testing. But the incident underscores the vulnerability of just-in-time manufacturing to ransomware. The UK government is now reviewing whether to mandate minimum cybersecurity standards for critical infrastructure operators, including carmakers.
No arrests have been made, and the investigation continues. The NCSC has warned that similar attacks are likely against other manufacturers unless defenses improve across the sector.
Fact check
- Russian hackers were behind the Jaguar Land Rover ransomware attack that began on August 31, 2025. (reported)
- The attack cost the UK economy an estimated $2.5 billion. (reported)
- The attack shut down production across JLR's factories for nearly six weeks. (reported)
- The encryption used was described as 'mind blowing' by investigators. (reported)
Source reporting (3)
- Techmeme · Sources: Russian hackers were behind a 2025 ransomware attack on Jaguar Land Rover that used "mind-blowing" encryption and cost UK's economy an estimated $2.5B (New York Times)
- The Next Web · Russian hackers were behind the Jaguar Land Rover attack that cost the British economy two and a half billion dollars
- TechCrunch · Russian hackers were behind $2.5 billion hack of Jaguar Land Rover: Report