
The Saint Paul Cyberattack: A Case Study in Municipal Cybersecurity
The cyberattack on Saint Paul, Minnesota, orchestrated by the notorious Interlock ransomware gang, has highlighted the vulnerabilities in municipal cybersecurity defenses. Detected on July 24, 2025, the attack prompted immediate action from city officials who shut down computer networks to contain the breach. This swift response was crucial in mitigating further damage (Comparitech). The severity of the situation led to the activation of the National Guard, underscoring the critical nature of the attack and the need for state-level intervention (BleepingComputer). This incident serves as a stark reminder of the growing threat posed by ransomware gangs, which have increasingly targeted public infrastructure and services.
The Saint Paul Cyberattack: Timeline and Impact
Initial Detection and Response
The cyberattack on Saint Paul, Minnesota, was first detected on July 24, 2025. City information security staff promptly responded by shutting down many of the city’s computer networks to prevent the spread of the attack and to assess the extent of the breach. This immediate action was crucial in containing the damage and preserving sensitive data. On July 25, 2025, the city confirmed the attack as a ransomware incident orchestrated by the Interlock gang (source).
Activation of the National Guard
In response to the severity of the cyberattack, Minnesota Governor Tim Walz activated the National Guard on July 29, 2025. This decision was made to provide cyber protection support as the attack exceeded the city’s incident response capacity. The National Guard’s involvement highlights the critical nature of the attack and the need for state-level intervention to restore digital services and critical systems (source).
Impact on City Services
The cyberattack had a significant impact on various city services. Online payments were rendered unavailable, and no late fees were assessed during this period. Additionally, services in libraries and recreation centers were temporarily disrupted. The city’s decision to shut down its systems was necessary to prevent further damage, but it resulted in limited access to essential services for residents (source).
Data Compromise and Ransom Demand
The Interlock ransomware gang claimed responsibility for the attack, stating that it had stolen over 66,000 files, or 43 GB of data, from the city. Despite this, the city refused to pay the ransom demand. The gang subsequently added the City of Saint Paul to its dark web portal and published some of the stolen data on its leak site. The stolen data included sensitive information, but city officials confirmed that residents’ personal or financial information was not affected (source).
Ongoing Investigation and Recovery Efforts
The city of Saint Paul is actively working with local, state, and federal partners to investigate the cyberattack and restore full system functionality. The recovery process involves resetting passwords and reestablishing accounts for approximately 3,500 city employees. The city has not provided an estimated timeline for when the recovery process will be complete, but efforts are ongoing to bring systems back online and ensure the security of sensitive data (source).
Broader Implications and Future Preparedness
The Saint Paul cyberattack underscores the growing threat of ransomware attacks on critical infrastructure. The Interlock gang, known for targeting healthcare organizations and large corporations, has demonstrated its capability to disrupt municipal services. The attack on Saint Paul serves as a wake-up call for cities and organizations to bolster their cybersecurity measures and prepare for potential future attacks. The federal government’s Cybersecurity and Infrastructure Security Agency (CISA) had previously issued warnings about increased Interlock ransomware activity, emphasizing the need for vigilance and proactive defense strategies (source).
Final Thoughts
The Saint Paul cyberattack serves as a wake-up call for cities and organizations worldwide to bolster their cybersecurity measures. The refusal to pay the ransom, despite the Interlock gang’s threats and data leaks, highlights the city’s resilience and commitment to protecting sensitive information (BleepingComputer). As the city continues its recovery efforts, the broader implications of this attack emphasize the need for enhanced preparedness and proactive defense strategies against such threats. The involvement of the National Guard and collaboration with federal agencies illustrate the importance of a coordinated response to cyber threats (KSTP).
References
- Comparitech. (2025). Ransomware gang takes credit for St. Paul cyber attack, city refuses to pay. https://www.comparitech.com/news/ransomware-gang-takes-credit-for-st-paul-cyber-attack-city-refuses-to-pay/
- BleepingComputer. (2025). Saint Paul cyberattack linked to Interlock ransomware gang. https://www.bleepingcomputer.com/news/security/saint-paul-cyberattack-linked-to-interlock-ransomware-gang/
- TwinCities. (2025). Cyberattackers leak parks and rec data after St. Paul refuses to pay ransom. https://www.twincities.com/2025/08/11/cyberattackers-leak-parks-and-rec-data-after-st-paul-refuses-to-pay-ransom/
- KSTP. (2025). 3500 St. Paul city employees begin password reset process, city confirms cyber attack was ransomware. https://kstp.com/kstp-news/top-news/3500-st-paul-city-employees-begin-password-reset-process-city-confirms-cyber-attack-was-ransomware/