Organisation

Rhysida

A ransomware-as-a-service crew active since 2023, succeeding the Vice Society operator lineage, that uses double-extortion against government and critical-sector targets.

Last refreshed: 20 May 2026 · Appears in 1 active topic

Key Question

Rhysida has Stuttgart's data; will Germany's state capital pay or publish first?

Timeline for Rhysida

#419 May

Named Landeshauptstadt Stuttgart on its leak site on 19 May 2026 with a double-extortion data-dump threat

Cybersecurity: Threats and Defences: Rhysida names Stuttgart on leak site

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

Who is the Rhysida ransomware group?: Rhysida is a ransomware-as-a-service crew that emerged in 2023 as the successor to Vice Society. It uses double extortion, publishing stolen data to pressure victims who refuse to pay ransom. Notable attacks include the British Library in November 2023 and Stuttgart city government in May 2026.Source: DeXpose / GTIG
What happened to Stuttgart in the Rhysida ransomware attack?: On 19 May 2026 Rhysida named Landeshauptstadt Stuttgart on its leak site with a double-extortion threat. Stuttgart is the state capital of Baden-Württemberg and the headquarters city of Porsche and Mercedes-Benz. No German federal authority had issued a public statement at time of reporting.Source: DeXpose
Is Rhysida connected to Vice Society?: Yes. Rhysida is widely assessed as the operational successor to Vice Society, sharing its affiliate model and targeting preferences. Vice Society was active from 2021 to 2023, primarily targeting education and healthcare; Rhysida continues the same lineage with expanded government targets.Source: Cybersecurity research community

Background

Rhysida is a ransomware-as-a-service crew that emerged in 2023 as the operational successor to the Vice Society group, inheriting its affiliate model, double-extortion methodology, and preference for government, education, and healthcare targets. On 19 May 2026 Rhysida named Landeshauptstadt Stuttgart, the German state capital of Baden-Württemberg, on its leak site with a double-extortion data-dump threat. Stuttgart is the headquarter city of Porsche and Mercedes-Benz, placing the municipal-government breach directly upstream of two of Germany's largest automotive OEMs.

Rhysida had previously claimed the British Library in November 2023, a landmark attack that resulted in the publication of staff personal data, disrupted public access to catalogue services for months, and became a reference case for the UK's cyber resilience frameworks. The Stuttgart claim follows the pattern: a public-sector organisation with complex legacy IT environments, limited patching Velocity, and high-value data. The crew operates a ransomware-as-a-service model where affiliates conduct intrusions and split ransoms with the core infrastructure operators.

The Stuttgart claim lands in the same reporting window as the West Pharma SEC 8-K and the South Staffordshire ICO fine, extending the cross-jurisdictional CNI exposure picture to a third actor category. Whether Rhysida follows through with a full data publication or the city pays to suppress will set the precedent for the next German municipal target. No German federal authority had issued a public response at the time of writing.

Source Material

Rhysida ransomware targets Landeshauptstadt Stuttgart

How the World Sees Them

Germany

The Stuttgart claim places a ransomware threat directly adjacent to Porsche and Mercedes-Benz headquarters; Baden-Württemberg state authorities have not confirmed impact scope.

European Union

NIS2 Directive obligations would require Stuttgart to notify relevant authorities within 24 hours of becoming aware of a significant incident; enforcement precedent on municipal targets is limited.

United Kingdom

The British Library attack in November 2023 established Rhysida as a public-institution threat; the subsequent Stuttgart claim confirms the crew's continued government-sector focus.