The Rhysida ransomware gang has claimed responsibility for infiltrating the IT systems of Stuttgart, the capital of Germany's Baden-Württemberg state, and exfiltrating what it describes as "exclusive, unique, and impressive" municipal data. The group has launched a seven-day countdown on its darknet leak site and is demanding 5 Bitcoin, approximately 333,000 Euros at current exchange rates. Stuttgart officials have confirmed they are examining the claims alongside relevant authorities, but say they currently have no indications of a confirmed cyber incident.
What Happened
Rhysida posted Stuttgart to its darknet extortion portal with a standard countdown auction format, listing the stolen data for single-buyer sale at 5 BTC. The leak page includes heavily downscaled preview images of scanned documents, invoices, and faxes purportedly taken from Stuttgart's systems, though their scope and sensitivity cannot be determined from the thumbnails. The gang promises exclusive ownership to the buyer, framing the sale as a one-time transaction rather than a public dump.
When contacted, a spokesperson for the state capital was reserved, stating that the published information is being reviewed with responsible authorities and that no further details could be shared pending the investigation. Notably, Stuttgart's public-facing services appear unaffected: the city website remains accessible, communications channels are operational, and there are no reports of file encryption on internal systems, marking a departure from Rhysida's earlier double-extortion playbook.
What Was Taken
Based on the preview material posted to the leak site, the allegedly stolen data appears to include scanned administrative documents, invoices, and faxes, suggesting access to back-office document workflows rather than a wholesale exfiltration of citizen-facing databases. Total volume has not been disclosed by either Rhysida or city officials. Given Stuttgart's role as a state capital, plausible exposure could include procurement records, internal correspondence, employee records, contractor invoices, and potentially personal data of residents who interact with municipal services. Until forensic analysis confirms scope, the impact assessment remains preliminary.
Why It Matters
The Stuttgart claim continues a sustained pattern of Rhysida targeting public-sector and civic institutions, following high-profile victims including the British Library in 2023 and the German aid organization Welthungerhilfe in 2025. The relatively modest 5 BTC demand, one quarter of the 20 BTC sought from Welthungerhilfe, may reflect the gang's assessment of the data's resale value or a calibrated pressure tactic rather than evidence of a limited breach. The apparent absence of encryption signals a continued industry shift toward pure data-theft extortion, which sidesteps the operational disruption that triggers mandatory disclosures and law enforcement engagement, while still leveraging reputational and regulatory pressure. For German municipalities, the incident reinforces that data exfiltration alone, without service interruption, can constitute a serious incident under GDPR and state-level reporting obligations.
The Attack Technique
Initial access vector for the Stuttgart intrusion has not been publicly disclosed. Historically, Rhysida operators have leveraged phishing campaigns, valid credentials purchased from initial access brokers, and exploitation of exposed remote services including VPN appliances and RDP. Once inside, the group has been observed using Cobalt Strike, PsExec, and living-off-the-land binaries for lateral movement, with PowerShell-based exfiltration tools staging data prior to deployment of their ransomware payload. In the British Library case, Rhysida's encryption implementation contained flaws that allowed South Korean researchers at KISA to release a free decryptor, a weakness that may partly explain the group's pivot toward exfiltration-only operations in more recent incidents.
What Organizations Should Do
- Hunt for Rhysida indicators including unusual PsExec activity, Cobalt Strike beacons, and outbound transfers to known data-staging infrastructure; review logs for the past 90 days even absent obvious symptoms.
- Audit external attack surface: enforce MFA on all VPN, RDP, and webmail entry points, and verify that perimeter devices are patched against known exploited vulnerabilities listed by CISA and BSI.
- Segment back-office document repositories from general user networks, and apply data loss prevention controls to detect large-scale outbound transfers of scanned documents and PDFs.
- Validate offline, immutable backups and rehearse exfiltration-only incident response, which differs materially from encryption-driven response in its emphasis on legal, regulatory, and communications workflows.
- Brief executives and communications teams on extortion-site monitoring so that public-facing statements can be prepared before leak-site disclosure, not after.
- Review supplier and contractor invoice flows for credential reuse and shared mailbox exposure, given that previewed Stuttgart data appears to include invoice and fax material commonly handled outside hardened systems.
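The first and third recommendations above (hunting for PsExec activity and detecting bulk outbound transfers of scanned documents) can be prototyped as simple detection logic. The following is an added example, not code from the article or from any vendor: it runs over a handful of constructed, JSON-flattened log events (a Windows System log service-install event and a proxy log) and flags the default PsExec service name, per-destination document egress above an assumed threshold, and hosts showing both.

```python
import json
from collections import defaultdict

# Constructed sample events for this example (not real Stuttgart data).
# Windows System log Event ID 7045 = "a service was installed"; PsExec installs
# a service named PSEXESVC on the target host by default.
SAMPLE_EVENTS = [
    '{"src":"winlog","host":"fs01","event_id":7045,"service":"PSEXESVC","user":"svc-backup"}',
    '{"src":"winlog","host":"fs01","event_id":7045,"service":"Spooler","user":"SYSTEM"}',
    '{"src":"proxy","host":"fs01","dst":"203.0.113.7","bytes_out":734003200,"content_type":"application/pdf"}',
    '{"src":"proxy","host":"ws22","dst":"198.51.100.9","bytes_out":120000,"content_type":"application/pdf"}',
    '{"src":"proxy","host":"fs01","dst":"203.0.113.7","bytes_out":512000000,"content_type":"image/tiff"}',
]

PSEXEC_SERVICE = "PSEXESVC"
DOC_TYPES = {"application/pdf", "image/tiff"}   # scanned-document formats seen in the leak previews
EXFIL_BYTES = 500 * 1024 * 1024                  # assumed threshold; tune per environment

def find_psexec_installs(lines):
    """Return (host, user) for every 7045 service-install event naming PSEXESVC."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("src") == "winlog" and ev.get("event_id") == 7045 \
                and ev.get("service", "").upper() == PSEXEC_SERVICE:
            hits.append((ev["host"], ev["user"]))
    return hits

def find_document_exfil(lines, threshold=EXFIL_BYTES):
    """Sum outbound document-type bytes per (host, dst); return pairs at or above threshold."""
    totals = defaultdict(int)
    for line in lines:
        ev = json.loads(line)
        if ev.get("src") == "proxy" and ev.get("content_type") in DOC_TYPES:
            totals[(ev["host"], ev["dst"])] += ev["bytes_out"]
    return sorted(k for k, v in totals.items() if v >= threshold)

def correlate(lines):
    """Hosts that show both a PsExec service install and bulk document egress."""
    psexec_hosts = {h for h, _ in find_psexec_installs(lines)}
    return sorted({h for h, _ in find_document_exfil(lines) if h in psexec_hosts})

if __name__ == "__main__":
    print("PsExec installs:", find_psexec_installs(SAMPLE_EVENTS))
    print("Bulk document egress:", find_document_exfil(SAMPLE_EVENTS))
    print("Correlated hosts:", correlate(SAMPLE_EVENTS))
```

In a real deployment the two event sources would come from a SIEM rather than inline strings, and the byte threshold should be set from a baseline of normal document traffic.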
Sources: Cyber gang Rhysida claims data theft from Stuttgart city | heise online