St. Paul’s city government

A ransomware attack by the Interlock gang disrupted large parts of St. Paul’s city government, stealing 43 gigabytes of data, primarily concerning government employees. The attack crippled critical services, including online utility payments, library Wi-Fi, and business licensing, forcing manual processes. The city refused to pay the ransom, leading to a system-wide reset of passwords and devices. The National Guard was activated to assist in recovery. The attack also involved hackers targeting residents with fake invoices, further complicating the situation.

Source: https://therecord.media/ransomware-gang-behind-minnesota-attack

TPRM report: https://www.rankiteo.com/company/city-of-saint-paul

"id": "cit216081225",
"linkid": "city-of-saint-paul",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '300,000 residents',
                        'industry': 'Public Sector',
                        'location': 'St. Paul, Minnesota, USA',
                        'name': 'St. Paul City Government',
                        'type': 'Government'}],
 'customer_advisories': 'Alternative phone numbers and emails provided for '
                        'residents to contact.',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Government employee data'},
 'date_publicly_disclosed': '2024-07-29',
 'description': 'A ransomware gang, Interlock, claimed to have carried out a '
                'cyberattack disrupting large parts of St. Paul’s city '
                'government. The attack resulted in the theft of 43 gigabytes '
                'of data and significant disruption to city services.',
 'impact': {'brand_reputation_impact': 'Negative',
            'data_compromised': '43 gigabytes',
            'downtime': 'Weeks',
            'operational_impact': 'Significant disruption to city services',
            'systems_affected': ['City servers',
                                 'Devices',
                                 'Online payment portals',
                                 'Library services']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The magnitude and sophistication of cyberattacks have '
                    'increased significantly, requiring all institutions to '
                    'enhance their cybersecurity protocols.',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'corrective_actions': ['Manual reset of passwords',
                                                   'Upgraded cybersecurity '
                                                   'software']},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': 'Yes',
                'ransom_paid': 'No',
                'ransomware_strain': 'Interlock'},
 'references': [{'source': 'Local news outlets'}, {'source': 'FBI Advisory'}],
 'response': {'communication_strategy': ['Press conferences',
                                         'Public advisories'],
              'containment_measures': ['Manual reset of passwords',
                                       'Upgraded cybersecurity software'],
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'FBI',
              'recovery_measures': ['Bringing systems back online'],
              'remediation_measures': ['Manual reset of every city employee’s '
                                       'passwords',
                                       'Upgraded cybersecurity software on all '
                                       'devices and servers'],
              'third_party_assistance': 'National Guard'},
 'stakeholder_advisories': 'Residents advised not to click on suspicious links '
                           'or email attachments.',
 'threat_actor': 'Interlock Ransomware Gang',
 'title': 'Ransomware Attack on St. Paul City Government',
 'type': 'Ransomware Attack'}