Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

Rhysida names Stuttgart on leak site

3 min read
09:58UTC

Rhysida named Landeshauptstadt Stuttgart on its leak site on Tuesday 19 May with a double-extortion data-dump threat. Stuttgart is the state capital of Baden-Wuerttemberg and home to the corporate headquarters of Porsche and Mercedes-Benz.

TechnologyDeveloping
Key takeaway

Stuttgart's ransomware exposure touches the supplier records of Porsche and Mercedes-Benz alongside city services.

Rhysida, the ransomware-as-a-service crew active since 2023, named Landeshauptstadt Stuttgart on its leak site on Tuesday 19 May 2026 with a double-extortion data-dump threat 1. Landeshauptstadt is the official designation for Stuttgart as the state capital of Baden-Wuerttemberg, the German federal state that sits at the centre of the country's automotive industry. No German federal authority had issued a public response at the time of writing. Rhysida succeeds the Vice Society crew in the same operator lineage and has been active against European municipal targets continuously since 2023.

Stuttgart hosts the corporate headquarters of Porsche and Mercedes-Benz. A city-government breach exposes payroll, planning, permits, and supplier records that touch both companies' day-to-day operations, even without direct access to either OEM's own networks. Rhysida's standard tactic, double-extortion through encrypted exfiltration followed by leak-site publication, is the same pattern it has used against the British Library, Insomniac Games, and a string of European hospitals and councils.

Berlin published its NIS2 implementation law on 5 December 2025 with a 6 March 2026 registration deadline , but only around one-third of covered entities had registered by the cut-off, and the European Commission's parallel infringement proceedings against partial-transposition member states cover Germany. A municipal breach disclosed within the new statutory framework would be the first significant German test of the post-NIS2 incident-handling track. For automotive supplier risk Teams, the question is whether Stuttgart's vendor records form part of the exfiltrated set and how quickly the city will publish a scope.

Deep Analysis

In plain English

Rhysida is a ransomware gang that has been attacking public institutions across Europe since 2023, including the British Library. On 19 May 2026, it threatened to publish data stolen from Stuttgart's city government unless paid. Stuttgart is the state capital of Baden-Wuerttemberg and where Porsche and Mercedes-Benz are headquartered.

Deep Analysis
Root Causes

German municipal IT governance operates under a decentralised model in which federal states set minimum standards but municipalities have significant autonomy over security investment. Baden-Wuerttemberg's NIS2 implementation guidance post-December 2025 applies to essential service operators in the state; whether Stuttgart's administrative functions fall within NIS2 scope or outside it determines which enforcement framework applies.

Rhysida's operational pattern targets institutions with high public visibility because the reputational pressure on public bodies to restore services creates negotiation urgency that private-sector targets do not experience in the same way. Stuttgart's status as a state capital and home of two global automotive brands amplifies both the data reach and the negotiation pressure.

First Reported In

Update #4 · AI joins the breach column on both sides

DeXpose· 20 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.