
Rhysida
A ransomware-as-a-service crew active since 2023, succeeding the Vice Society operator lineage, that uses double-extortion against government and critical-sector targets.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Rhysida has Stuttgart's data; will Germany's state capital pay or publish first?
Timeline for Rhysida
Mentioned in: Leak crews squeeze Tata and Nidec
Cybersecurity: Threats and DefencesNamed Landeshauptstadt Stuttgart on its leak site on 19 May 2026 with a double-extortion data-dump threat
Cybersecurity: Threats and Defences: Rhysida names Stuttgart on leak siteWho is the Rhysida ransomware group?
What happened to Stuttgart in the Rhysida ransomware attack?
Is Rhysida connected to Vice Society?
Background
Rhysida is a ransomware-as-a-service crew that emerged in 2023 as the operational successor to the Vice Society group, inheriting its affiliate model, double-extortion methodology, and preference for government, education, and healthcare targets. On 19 May 2026 Rhysida named Landeshauptstadt Stuttgart, the German state capital of Baden-Württemberg, on its leak site with a double-extortion data-dump threat. Stuttgart is the headquarter city of Porsche and Mercedes-Benz, placing the municipal-government breach directly upstream of two of Germany's largest automotive OEMs.
Rhysida had previously claimed the British Library in November 2023, a landmark attack that resulted in the publication of staff personal data, disrupted public access to catalogue services for months, and became a reference case for the UK's cyber resilience frameworks. The Stuttgart claim follows the pattern: a public-sector organisation with complex legacy IT environments, limited patching Velocity, and high-value data. The crew operates a ransomware-as-a-service model where affiliates Conduct intrusions and split ransoms with the core infrastructure operators.
The Stuttgart claim lands in the same reporting window as the West Pharma SEC 8-K and the South Staffordshire ICO fine, extending the cross-jurisdictional CNI exposure picture to a third actor category. Whether Rhysida follows through with a full data publication or the city pays to suppress will set the precedent for the next German municipal target. No German federal authority had issued a public response at the time of writing.