ctipilot.ch

Rhysida claims Landeshauptstadt Stuttgart (Baden-Württemberg state capital) municipal-data theft for 5 BTC; city denies confirmed incident

incident · item:rhysida-claims-stuttgart-municipal-data-5btc-city-denies-confirmed-incident

  • Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (5 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-05-23 — CTI Daily Brief — 2026-05-23
    active_threats: Rhysida listed Stuttgart (~600,000 residents) on its dark-web leak site on 2026-05-19; 5 BTC demand (~€333,000). Heavily downscaled previews of scanned invoices and faxes. City statement: 'no indications of a cyber incident at this time'. Data-exfiltration-only claim; no encryption of operational systems. Confidence MEDIUM — leak-site corroboration only, no victim statement.

Where this entity is cited

  • active_threats: 1

Source distribution

  • blogs.microsoft.com: 1 (20%)
  • dexpose.io: 1 (20%)
  • heise.de: 1 (20%)
  • microsoft.com: 1 (20%)
  • therecord.media: 1 (20%)

Related entities

Items in briefs about Rhysida claims Landeshauptstadt Stuttgart (Baden-Württemberg state capital) municipal-data theft for 5 BTC; city denies confirmed incident (2)

Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

The Rhysida ransomware-as-a-service group listed Landeshauptstadt Stuttgart — the Baden-Württemberg state capital (~600,000 residents) — on its dark-web leak site in mid-May 2026 (DeXpose dates the listing to 2026-05-19; Heise (2026-05-21) covers the leak-site listing and Stuttgart's response without anchoring the original posting date), demanding 5 Bitcoin (~€333,000) for exclusive access to allegedly stolen documents and publishing heavily downscaled previews of scanned invoices and faxes attributed to Stuttgart's administrative systems (Heise Online (EN), 2026-05-21 · DeXpose, 2026-05-20). The city's response is measured: published material is "currently being examined together with the responsible authorities" and Stuttgart has "no indications of a cyber incident at this time", with further comment declined while investigation continues. No vulnerability or initial access vector has been disclosed; the claim appears to be data-exfiltration-only with city portals and operational systems unaffected, consistent with Rhysida's pattern since the British Library (2023) and the German charity Welthungerhilfe (2025).

Defender vantage with the city's denial in mind: confidence in the claim is MEDIUM — the only corroboration is press coverage of the leak-site listing itself. Hunt rather than respond: Rhysida tends to gain initial access through phishing (T1566) or external VPN exploitation (T1133), executes living-off-the-land via cmd.exe / PowerShell with scheduled-task persistence, and stages data in unusual directories before exfiltration (T1074.001). DACH municipal SOCs should treat the listing as a forcing function to re-check VPN patch levels, password-spray detection on the on-prem identity edge, and any unexplained outbound bursts from file servers and DFS shares since 2026-05-10. South Korean researchers' 2024 free Rhysida decryptor exploited an encryption flaw that the group has since reworked; no current decryptor is publicly known for 2026 variants if encryption does follow.

Why it matters to us: German municipal targeting bleeds into the Swiss DACH context (shared partner networks, diplomatic exchanges); the Stuttgart pattern — data theft only, leak-site posting, city denies — is increasingly common, and the right response is hunt-without-confirming, not wait-for-a-victim-statement.

Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that bypassed AV/EDR signing checks. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted hosts that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational EV entity. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn cmd.exe / powershell.exe / rundll32 / regsvr32 without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict Artifact Signing tenant creation; require phishing-resistant MFA + compliant device for Azure subscription management; alert in Defender for Cloud Apps on rapid certificate creation from newly enrolled tenants (Add-AzKeyVaultCertificate).
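As an added example that is not part of the brief, Microsoft's write-up or any vendor tooling, the two hunt conditions above (short-lived Trusted Signing certificates from an unknown signer, and lure-named installers spawning LOLBins) expressed as triage logic in Python over constructed records; the inventory field names, issuer strings, signer allowlist and sample paths are assumptions:

```python
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Constructed sample data, not real telemetry: a code-signing inventory and Sysmon EID 1 events.
SIGNATURES = [
    {"file": "MSTeamsSetup.exe", "issuer": "Example Trusted Signing Intermediate CA",
     "subject_cn": "Northwind Traders LLC",
     "not_before": "2026-03-02T10:00:00Z", "not_after": "2026-03-05T10:00:00Z"},
    {"file": "Teams.exe", "issuer": "Example Trusted Signing Intermediate CA",
     "subject_cn": "Microsoft Corporation",
     "not_before": "2026-03-02T10:00:00Z", "not_after": "2026-03-05T10:00:00Z"},
    {"file": "putty.exe", "issuer": "Example Public Code Signing CA",
     "subject_cn": "Example Software GmbH",
     "not_before": "2025-09-01T00:00:00Z", "not_after": "2026-09-01T00:00:00Z"},
]
SYSMON_EID1 = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\alice\Downloads\MSTeamsSetup.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]
KNOWN_SIGNER_CNS = {"Microsoft Corporation", "Example Software GmbH"}  # assumed org allowlist
LURE_PARENTS = {"teams.exe", "msteamssetup.exe", "anydesk.exe", "putty.exe", "webex.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
CUTOFF = datetime(2025, 5, 1, tzinfo=timezone.utc)  # service active since at least May 2025
MAX_VALIDITY = timedelta(hours=72)                   # short-lived Artifact Signing certs

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def suspect_signature(rec):
    """Short-lived Trusted Signing cert, issued after the cutoff, signer CN not on the allowlist."""
    not_before, not_after = _ts(rec["not_before"]), _ts(rec["not_after"])
    return (not_after - not_before <= MAX_VALIDITY
            and "trusted signing" in rec["issuer"].lower()
            and not_before >= CUTOFF
            and rec["subject_cn"] not in KNOWN_SIGNER_CNS)

def suspect_process(evt):
    """Lure-named installer spawning a LOLBin directly; a real MSI chain runs under msiexec.exe."""
    parent = PureWindowsPath(evt["ParentImage"]).name.lower()
    child = PureWindowsPath(evt["Image"]).name.lower()
    return parent in LURE_PARENTS and child in LOLBIN_CHILDREN

def hunt(signatures=SIGNATURES, events=SYSMON_EID1):
    """Return (flagged signed files, flagged parent images) for analyst triage."""
    return ([r["file"] for r in signatures if suspect_signature(r)],
            [PureWindowsPath(e["ParentImage"]).name for e in events if suspect_process(e)])
```

Only the 72-hour certificate with an unrecognised signer CN and the rundll32 child of the lure-named setup file are flagged; the Microsoft-signed Teams binary and the msiexec.exe chain pass.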