Rhysida Ransomware Group Targets STELIA Aerospace North America in $2.07 Million Extortion Attack
The ransomware group Rhysida has claimed responsibility for a cyberattack on STELIA Aerospace North America Inc., a subsidiary of Airbus Atlantic, demanding 27 bitcoin (approximately $2.07 million) in exchange for 10 TB of stolen data. The group set a seven-day deadline before releasing the data, which includes sensitive documents such as identity records, employee benefit forms, technical drawings, and customer data from major defense and aerospace partners, including Lockheed Martin, Northrop Grumman, Boeing, Airbus Atlantic, and Bombardier.
STELIA confirmed the incident in a statement, acknowledging the detection of a cybersecurity breach in its North American IT environment and emphasizing that the attack was contained to its Nova Scotia-based systems, with no impact on the broader Airbus Atlantic network. The company activated cyber defense protocols, isolated affected systems, and engaged external cybersecurity experts to conduct a forensic investigation. Authorities and stakeholders have been notified, though further details remain undisclosed to protect the ongoing probe.
Rhysida, which emerged in May 2023 and is suspected to have ties to the Vice Society ransomware group, has been linked to 266 attacks, with 110 confirmed and nearly 6 million records breached. The group’s average ransom demand is $1.08 million, making STELIA’s extortion demand nearly double the norm. This marks Rhysida’s second confirmed attack in 2026, following an unsuccessful $392,000 demand against German tech firm Elabs AG in January.
Canada has been a frequent target, with Rhysida alone claiming 22 attacks on Canadian organizations since its inception, six of which have been confirmed including Delmar International, Montréal-Nord, and Pembina Trails School Division. Overall, ransomware gangs have made 133 claims against Canadian entities in 2026, with manufacturers like STELIA accounting for nearly 20% of targets, reflecting the sector’s vulnerability to operational disruptions.
STELIA Aerospace North America, based in Lunenburg, Nova Scotia, specializes in aerospace and defense composites, serving markets across North America and the Five Eyes alliance. The attack underscores the growing threat ransomware poses to critical supply chains and defense contractors.
Airbus Atlantic TPRM report: https://www.rankiteo.com/company/stelia-aerospace
STELIA Aerospace North America Inc. TPRM report: https://www.rankiteo.com/company/stelia-northamerica
"id": "steste1777394500",
"linkid": "stelia-aerospace, stelia-northamerica",
"type": "Ransomware",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Major defense and aerospace '
'partners (Lockheed Martin, '
'Northrop Grumman, Boeing, '
'Airbus Atlantic, Bombardier)',
'industry': 'Aerospace and Defense Composites',
'location': 'Lunenburg, Nova Scotia, Canada',
'name': 'STELIA Aerospace North America Inc.',
'type': 'Subsidiary'}],
'data_breach': {'data_exfiltration': 'Yes (10 TB stolen)',
'personally_identifiable_information': 'Yes (identity '
'records)',
'sensitivity_of_data': 'High (defense and aerospace-related)',
'type_of_data_compromised': ['Identity records',
'Employee benefit forms',
'Technical drawings',
'Customer data']},
'description': 'The ransomware group Rhysida has claimed responsibility for a '
'cyberattack on STELIA Aerospace North America Inc., a '
'subsidiary of Airbus Atlantic, demanding 27 bitcoin '
'(approximately $2.07 million) in exchange for 10 TB of stolen '
'data. The group set a seven-day deadline before releasing the '
'data, which includes sensitive documents such as identity '
'records, employee benefit forms, technical drawings, and '
'customer data from major defense and aerospace partners, '
'including Lockheed Martin, Northrop Grumman, Boeing, Airbus '
'Atlantic, and Bombardier.',
'impact': {'data_compromised': '10 TB of stolen data',
'financial_loss': '$2.07 million (ransom demanded)',
'identity_theft_risk': 'High (identity records exposed)',
'operational_impact': 'Contained to affected systems; no impact on '
'broader Airbus Atlantic network',
'systems_affected': 'North American IT environment (Nova '
'Scotia-based systems)'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain (extortion)',
'ransomware': {'data_exfiltration': 'Yes (10 TB stolen)',
'ransom_demanded': '$2.07 million (27 bitcoin)',
'ransomware_strain': 'Rhysida'},
'references': [{'source': 'Cybersecurity news reports'}],
'regulatory_compliance': {'regulatory_notifications': 'Yes (stakeholders '
'notified)'},
'response': {'communication_strategy': 'Limited disclosure to protect ongoing '
'investigation',
'containment_measures': 'Isolated affected systems',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes (authorities notified)',
'third_party_assistance': 'External cybersecurity experts'},
'stakeholder_advisories': 'Yes (stakeholders notified)',
'threat_actor': 'Rhysida Ransomware Group',
'title': 'Rhysida Ransomware Group Targets STELIA Aerospace North America in '
'$2.07 Million Extortion Attack',
'type': 'Ransomware'}