Cybersecurity: Threats and Defences
20 MAY

Rhysida names Stuttgart on leak site

09:58 UTC

Rhysida named Landeshauptstadt Stuttgart on its leak site on Tuesday 19 May with a double-extortion data-dump threat. Stuttgart is the state capital of Baden-Wuerttemberg and home to the corporate headquarters of Porsche and Mercedes-Benz.

Technology · Developing
Key takeaway

Stuttgart's ransomware exposure touches the supplier records of Porsche and Mercedes-Benz alongside city services.

Rhysida, the ransomware-as-a-service crew active since 2023, named Landeshauptstadt Stuttgart on its leak site on Tuesday 19 May 2026 with a double-extortion data-dump threat [1]. Landeshauptstadt is the official designation for Stuttgart as the state capital of Baden-Wuerttemberg, the German federal state that sits at the centre of the country's automotive industry. No German federal authority had issued a public response at the time of writing. Rhysida succeeds the Vice Society crew in the same operator lineage and has been active against European municipal targets continuously since 2023.

Stuttgart hosts the corporate headquarters of Porsche and Mercedes-Benz. A city-government breach exposes payroll, planning, permits, and supplier records that touch both companies' day-to-day operations, even without direct access to either OEM's own networks. Rhysida's standard tactic, double-extortion through encrypted exfiltration followed by leak-site publication, is the same pattern it has used against the British Library, Insomniac Games, and a string of European hospitals and councils.

Berlin published its NIS2 implementation law on 5 December 2025 with a 6 March 2026 registration deadline, but only around one-third of covered entities had registered by the cut-off, and the European Commission's parallel infringement proceedings against partial-transposition member states cover Germany. A municipal breach disclosed within the new statutory framework would be the first significant German test of the post-NIS2 incident-handling track. For automotive supplier risk teams, the question is whether Stuttgart's vendor records form part of the exfiltrated set and how quickly the city will publish a scope.

Deep Analysis

In plain English

Rhysida is a ransomware gang that has been attacking public institutions across Europe since 2023, including the British Library. On 19 May 2026, it threatened to publish data stolen from Stuttgart's city government unless paid. Stuttgart is the state capital of Baden-Wuerttemberg and where Porsche and Mercedes-Benz are headquartered.

Root Causes

German municipal IT governance operates under a decentralised model in which federal states set minimum standards but municipalities have significant autonomy over security investment. Baden-Wuerttemberg's NIS2 implementation guidance post-December 2025 applies to essential service operators in the state; whether Stuttgart's administrative functions fall within NIS2 scope or outside it determines which enforcement framework applies.

Rhysida's operational pattern targets institutions with high public visibility because the reputational pressure on public bodies to restore services creates negotiation urgency that private-sector targets do not experience in the same way. Stuttgart's status as a state capital and home of two global automotive brands amplifies both the data reach and the negotiation pressure.

First Reported In

Update #4 · AI joins the breach column on both sides

DeXpose · 20 May 2026
Different Perspectives
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.
NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.
Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.
CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.