City of St. Paul, Minn.

The City of St. Paul, Minnesota, suffered a deliberate, coordinated ransomware attack in late July 2025, attributed to the ransomware group Interlock. The attack disrupted critical municipal services, forcing a complete shutdown of information systems, including Wi-Fi in public buildings, library services, and internal networks. Emergency services like 911 remained operational, but over 3,500 employees had to reset credentials in person. The attackers leaked 43 GB of stolen data from multiple files and folders, though the city refused to pay the ransom, opting for backup restoration instead. Recovery prioritized public safety, financial stability, and daily operations, with over 90% of systems upgraded with advanced security tools post-incident. The attack overwhelmed the city’s response capacity, prompting Minnesota Governor Tim Walz to activate the National Guard’s cyber protection unit for support. The incident highlighted vulnerabilities in municipal cybersecurity, including outdated legacy systems and insufficient IT resources, despite no direct evidence of data misuse beyond the leak.

Source: https://www.technewsworld.com/story/ransomware-wave-hits-smbs-and-cities-179920.html

City of Saint Paul cybersecurity rating report: https://www.rankiteo.com/company/city-of-saint-paul

{
"id": "CIT2662626112525",
"linkid": "city-of-saint-paul",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Residents and public service '
                                              'users',
                        'industry': 'Public Sector',
                        'location': 'St. Paul, Minnesota, USA',
                        'name': 'City of St. Paul, Minnesota',
                        'size': '3,500 employees',
                        'type': 'Municipal Government'},
                       {'industry': 'Education/Public Policy',
                        'location': 'Washington, D.C., USA (with operations in '
                                    'Minnesota)',
                        'name': 'Aspen Policy Academy',
                        'type': 'Nonprofit Policy Initiative'}],
 'attack_vector': ['Phishing',
                   'Ransomware (Interlock strain)',
                   'Credential targeting'],
 'data_breach': {'data_encryption': 'Yes (ransomware encryption likely)',
                 'data_exfiltration': 'Yes (43 GB leaked by Interlock)',
                 'personally_identifiable_information': 'Likely (municipal '
                                                        'data)',
                 'sensitivity_of_data': 'High (municipal citizen data; '
                                        'potential PII)',
                 'type_of_data_compromised': ['Sensitive citizen data (City of '
                                              'St. Paul)',
                                              'Business account credentials '
                                              '(Aspen Policy Academy)']},
 'date_detected': '2025-07-25',
 'description': 'A deliberate, coordinated digital attack disrupted public '
                'services in the City of St. Paul, Minnesota, leading to a '
                'complete shutdown of municipal information systems. The '
                'attack, attributed to the ransomware group Interlock, '
                'resulted in the exfiltration of 43 GB of data. The Aspen '
                'Policy Academy also experienced a related phishing incident '
                'targeting a business account. Both incidents highlighted '
                'vulnerabilities in municipal cybersecurity infrastructure, '
                'including limited IT resources, outdated legacy systems, and '
                'insufficient staffing. The City of St. Paul refused to pay '
                'the ransom and restored systems from backups, while the Aspen '
                "Policy Academy's investigation remains ongoing.",
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'public service disruptions and data '
                                       'breach',
            'data_compromised': '43 GB (City of St. Paul); 1 business account '
                                '(Aspen Policy Academy)',
            'downtime': 'Ongoing as of late August 2025 (partial restoration '
                        'in prioritized order: public safety → financial '
                        'stability → daily operations)',
            'identity_theft_risk': 'High (due to sensitive citizen data '
                                   'exposure)',
            'operational_impact': ['Complete shutdown of municipal IT systems',
                                   'Wi-Fi outages',
                                   'Library service interruptions',
                                   'Credential resets for 3,500 employees',
                                   'Disruption of internal networks'],
            'systems_affected': ['Municipal information systems (City of St. '
                                 'Paul)',
                                 'Wi-Fi in public buildings',
                                 'Library services',
                                 'Internal networks',
                                 'Business account (Aspen Policy Academy)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (43 GB leaked by '
                                                    'Interlock)',
                           'entry_point': 'Phishing (Aspen Policy Academy); '
                                          'likely phishing or credential theft '
                                          '(City of St. Paul)',
                           'high_value_targets': ['Municipal citizen data '
                                                  '(City of St. Paul)',
                                                  'Business account (Aspen '
                                                  'Policy Academy)']},
 'investigation_status': 'Ongoing (Aspen Policy Academy); Recovery phase (City '
                         'of St. Paul as of late August 2025)',
 'lessons_learned': ['SMBs and municipalities are prime targets due to limited '
                     'cybersecurity resources.',
                     'Legacy systems and unpatched vulnerabilities increase '
                     'risk.',
                     'Public-private partnerships and ISACs can augment '
                     'defenses.',
                     'Incident response plans must include clear containment '
                     'and recovery priorities.',
                     'Proactive measures (e.g., compartmentalization, '
                     'patching) are critical.'],
 'motivation': 'Financial gain (ransomware), data exfiltration',
 'post_incident_analysis': {'corrective_actions': ['Deployment of advanced '
                                                   'security tools on >90% of '
                                                   'systems (City of St. Paul)',
                                                   'Prioritized system '
                                                   'restoration with '
                                                   'testing/validation',
                                                   'Recommendations for '
                                                   'public-private '
                                                   'partnerships and ISAC '
                                                   'participation',
                                                   'Emphasis on patching, '
                                                   'updates, and network '
                                                   'segmentation'],
                            'root_causes': ['Limited cybersecurity investment '
                                            'and staffing',
                                            'Outdated legacy systems',
                                            'Lack of system '
                                            'compartmentalization',
                                            'Successful phishing/credential '
                                            'theft',
                                            'Insufficient incident response '
                                            'preparedness']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes (43 GB)',
                'ransom_paid': 'No (City of St. Paul refused to pay)',
                'ransomware_strain': 'Interlock'},
 'recommendations': ['Adopt enterprise-level cybersecurity solutions tailored '
                     'for SMBs/municipalities.',
                     'Invest in talent through fellowship programs or MSP '
                     'partnerships.',
                     'Conduct regular infrastructure audits to identify '
                     'weaknesses.',
                     'Prioritize system patching and updates.',
                     'Implement network segmentation to limit lateral '
                     'movement.',
                     'Develop and test incident response plans, including '
                     'legal counsel involvement.',
                     'Leverage public-private partnerships and ISACs for '
                     'threat intelligence sharing.'],
 'references': [{'source': 'TechNewsWorld'},
                {'source': 'Guardz Cybersecurity Report (H1 2025)'},
                {'source': 'NCC Group Ransomware Report (Q1 2025)'}],
 'response': {'containment_measures': ['Shutdown of municipal information '
                                       'systems',
                                       'Wi-Fi and internal network isolation',
                                       'Credential resets for 3,500 employees'],
              'enhanced_monitoring': 'Likely (post-incident security tool '
                                     'deployment)',
              'incident_response_plan_activated': 'Yes (City of St. Paul '
                                                  'prioritized restoration: '
                                                  'public safety → financial '
                                                  'stability → daily '
                                                  'operations)',
              'law_enforcement_notified': 'Yes (FBI involved)',
              'network_segmentation': 'Compartmentalization recommended '
                                      'post-incident',
              'recovery_measures': ['Prioritized service restoration',
                                    'Installation of advanced security tools '
                                    'on >90% of systems post-incident'],
              'remediation_measures': ['Restoration from July 25 backups',
                                       'System testing and validation before '
                                       'reactivation'],
              'third_party_assistance': ['Two national cybersecurity firms '
                                         '(unspecified)',
                                         'FBI']},
 'threat_actor': 'Interlock (ransomware group)',
 'title': 'Cyberattack on the City of St. Paul, Minnesota, and Aspen Policy '
          'Academy',
 'type': ['Cyberattack', 'Ransomware', 'Phishing'],
 'vulnerability_exploited': ['Outdated legacy systems',
                             'Insufficient IT resources',
                             'Lack of cybersecurity investment',
                             'Unpatched systems',
                             'Limited staffing']}