In late July 2025, the City of St. Paul, Minnesota, suffered a ransomware attack that disrupted critical municipal services, though emergency response and public utilities remained operational. The incident was initially labeled a 'digital security incident' to avoid premature speculation, but it was later confirmed as ransomware. The attack aligns with a rising trend of cyber threats targeting local governments, exploiting vulnerabilities like outdated infrastructure, budget constraints, and understaffed IT teams. While the immediate financial ransom demand was not disclosed, historical cases (e.g., Baltimore’s 2019 RobbinHood attack with $18.2M recovery costs) suggest potential long-term expenses in system restoration, consulting fees, and lost revenue. The attack underscored the need for zero-trust security, pre-planned recovery strategies, and transparent public communication to mitigate operational disruptions and erosion of public trust. No evidence of data exfiltration was explicitly mentioned, but the outage risked delays in non-emergency services like billing, permits, and public records.
Source: https://builtin.com/articles/lessons-cyber-attack-city-government
TPRM report: https://www.rankiteo.com/company/city-of-saint-paul
"id": "cit850081825",
"linkid": "city-of-saint-paul",
"type": "Ransomware",
"date": "6/2019",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'Residents and businesses '
'relying on city services',
'industry': 'Public Administration',
'location': 'St. Paul, MN, USA',
'name': 'City of St. Paul, Minnesota',
'type': 'Local Government'}],
'customer_advisories': ['Public reassurances about operational status of '
'emergency services and utilities'],
'data_breach': {'data_encryption': ['Likely (given ransomware nature)']},
'date_detected': 'Late July 2025',
'date_publicly_disclosed': 'Late July 2025',
'description': 'A ransomware attack disrupted certain city services in St. '
'Paul, MN, in late July 2025. The incident was initially '
"described as a 'digital security incident' to avoid premature "
'speculation. While emergency services and public utilities '
'remained operational, the attack highlighted vulnerabilities '
'in municipal cybersecurity, including tight budgets, outdated '
"infrastructure, and IT staff shortages. The city's response "
'emphasized measured communication, transparency, and '
'coordination with law enforcement. The incident aligns with a '
'broader trend of rising ransomware attacks on local '
'governments, underscoring the need for zero-trust security, '
'recovery planning, and trusted data recovery partnerships.',
'impact': {'brand_reputation_impact': ['Potential erosion of public trust',
'Need for transparent communication to '
'mitigate reputational damage'],
'operational_impact': ['Disruption of non-emergency city services',
'Potential delays in projects due to system '
'outages'],
'systems_affected': ['City services (non-emergency)',
'Potential disruption to billing, permits, or '
'public records']},
'investigation_status': 'Ongoing (as of late July 2025)',
'lessons_learned': ['Importance of measured, transparent communication during '
'incidents',
'Need for pre-established relationships with data '
'recovery partners',
'Value of zero-trust security and segmented networks',
'Critical role of leadership in coordinating response and '
'public messaging',
'Operational costs of disruption extend beyond direct '
'financial losses',
'Public trust is a key asset that can be eroded by poor '
'incident handling'],
'post_incident_analysis': {'corrective_actions': ['Reinforce zero-trust security and network segmentation',
'Test and update incident response and recovery plans',
'Establish pre-incident relationships with data recovery partners',
'Improve public communication strategies for future incidents'],
'root_causes': ['Potential vulnerabilities: tight budgets, outdated infrastructure, IT staff shortages',
'Delayed confirmation of ransomware (initial language avoided speculation)']},
'ransomware': {'data_encryption': ['Confirmed (as part of ransomware '
'attack)']},
'recommendations': ['Fund cybersecurity as essential infrastructure (not '
'discretionary spending)',
'Adopt and test incident response playbooks (e.g., CISA’s '
'frameworks)',
'Train employees regularly on phishing, password hygiene, '
'and attack simulations',
'Implement zero-trust principles (verify explicitly, '
'least-privilege access, continuous monitoring)',
'Maintain offline/immutable backups and test restoration '
'procedures',
'Identify trusted data recovery partners in advance',
'Segment networks to limit blast radius of attacks',
'Enforce multi-factor authentication (MFA) on privileged '
'accounts',
'Keep software/firmware patched and up-to-date',
'Prepare holding statements and designate communications '
'managers pre-incident'],
'references': [{'source': 'Check Point Research (Q1 2025 Ransomware Report)'},
{'source': 'CISA Incident Response Plan Basics',
'url': 'https://www.cisa.gov/resources-tools/services/incident-response'},
{'source': 'Historical municipal ransomware cases (Baltimore '
'2019, Atlanta 2018, Ridgefield Public Schools July '
'2025)'},
{'source': 'CISA #StopRansomware Guidance',
'url': 'https://www.cisa.gov/stopransomware'}],
'response': {'communication_strategy': {'centralized_spokespersons': ['Mayor Melvin Carter',
'Designated communications manager'],
'measured_language': ["Avoided terms like 'breach' or 'ransomware' initially",
"Used 'digital security incident' to prevent misinformation"],
'prepared_statements': ['Holding statements aligned with CISA Incident Response Plan Basics'],
'regular_updates': ['Reassured public about operational status of emergency services',
'Shared verified facts only']},
'containment_measures': ['Systems taken offline (if applicable)',
'Centralized communication to avoid '
'misinformation'],
'enhanced_monitoring': ['Recommended as part of '
'resilience-building (post-incident)'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'network_segmentation': ['Recommended as part of zero-trust '
'principles (post-incident)'],
'recovery_measures': ['Restoration of critical data '
'(prioritized)',
'Potential engagement of trusted data '
'recovery partners'],
'third_party_assistance': ['Law enforcement',
'Potential data recovery partners '
'(pre-established relationship '
'recommended)']},
'stakeholder_advisories': ['Centralized updates from Mayor Melvin Carter and '
'designated spokespeople'],
'title': 'Ransomware Attack on St. Paul, Minnesota (July 2025)',
'type': ['Ransomware', 'Cyber Attack']}