Updated: November 07, 2025 5 Mins Reading

What Happened During St Paul Cyber Attack? How did the City Recover from it?

Key Takeaways

  • Interlock Ransomware Group targeted the city’s internal systems and stole 43 GB of data.
  • St. Paul refused to pay ransom and worked with the Minnesota National Guard and Federal Agencies to restore all the disrupted services.
  • Operation Secure St. Paul was launched after the attack to focus on stronger cybersecurity measures and employee awareness.

Introduction

On July 25, 2025, St. Paul, Minnesota, suffered a digital crisis. Initially, it looked like a few irregular system alerts. In reality, it was a coordinated ransomware attack by the notorious Interlock gang. This gang has been on the radar of federal investigators for quite some time. The St Paul cyber attack forced the city to shut down its networks and suspend online services. People switched to paper-based operations to prevent further damage.

St. Paul has an interconnected digital system that manages everything, from public safety to utility billing. The ransomware attack severely affected all those systems. Online payment portals stopped working, and email servers became inaccessible. As a result, the daily operations of the city came to a standstill. The local government took proactive measures to overcome the attack without paying a ransom.

Let’s find out what actually happened that day, how the city tackled the situation, and how it recovered from it. There are surely some lessons to learn from this attack, which we will also discuss in this blog.

How St Paul Cyber Attack Started

It all started quietly, with no immediate signs of disruption. St. Paul’s IT teams noticed unusual activity across their network in late July 2025. Unusual data transfers and unexpected system slowdowns raised concerns among the IT teams. Unknown sources made attempts to access the systems. By July 25, it became clear that this wasn’t any system glitch, but a cyberattack.
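The early warning signs described above (unusual outbound data transfers from internal hosts) are exactly what a simple baseline check over flow or proxy summaries can surface. The following is an added example, not tooling used by the city or described in the original post: it parses constructed per-host daily transfer records (the log format, host names and byte counts are all assumptions) and flags any host whose outbound volume on a given day is far above that host's own median on other days. The same pattern generalizes to any per-entity volume metric, such as bytes per user to a cloud storage domain.

```python
"""Flag hosts whose daily outbound volume spikes far above their own baseline.

Added example for illustration; the flow records, host names and the
"<date> <host> <direction> <bytes>" line format are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries (one line per host, per day, per direction).
SAMPLE_FLOWS = """\
2025-07-18 fileserver01 out 2100000000
2025-07-19 fileserver01 out 1900000000
2025-07-20 fileserver01 out 2300000000
2025-07-21 fileserver01 out 46000000000
2025-07-18 hr-ws-07 out 150000000
2025-07-19 hr-ws-07 out 170000000
2025-07-20 hr-ws-07 out 160000000
2025-07-21 hr-ws-07 out 155000000
2025-07-21 hr-ws-07 in 900000000
"""


def parse_flows(text):
    """Parse lines into (date, host, direction, bytes); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, host, direction, nbytes = parts
        try:
            records.append((date, host, direction, int(nbytes)))
        except ValueError:
            continue
    return records


def daily_outbound(records):
    """Sum outbound bytes per host per day -> {host: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, direction, nbytes in records:
        if direction == "out":
            totals[host][date] += nbytes
    return totals


def find_exfil_candidates(records, ratio=5.0, min_bytes=10 * 1024**3):
    """Return (host, date, bytes, baseline) for each host-day whose outbound
    volume exceeds `ratio` times the host's median over its other days AND
    exceeds `min_bytes`, so low-volume workstations do not alert on noise."""
    alerts = []
    for host, days in daily_outbound(records).items():
        for date, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != date]
            if not others:
                continue  # no baseline to compare against yet
            baseline = median(others)
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                alerts.append((host, date, nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, date, nbytes, baseline in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {host} {date}: {nbytes / 1e9:.1f} GB out, "
              f"baseline {baseline / 1e9:.1f} GB")
```

The absolute floor (`min_bytes`) matters as much as the ratio: without it, a workstation that normally sends a few megabytes would alert on a routine software update. In practice the baseline window would be weeks rather than three days, and the alert would be enriched with the destination so that a large transfer to a known backup target can be triaged quickly.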

After a few days, investigators confirmed that the city had fallen victim to a ransomware attack carried out by Interlock Ransomware Group. Interlock operates as a ransomware-as-a-service (RaaS) platform. This means they lease their malware tools to affiliates who carry out attacks in exchange for a share of the ransom. The group had already been on the FBI’s radar for targeting critical infrastructure, including schools and municipal networks across the U.S.

It’s not clear how the attackers gained access to the city’s IT network, but experts believe the first intrusion occurred around July 20. According to them, attackers used a remote access trojan (SystemBC RAT) to steal credentials and prepare the ransomware payload.

Once they gained access to the systems, the malware encrypted a large portion of the city’s network. Employees were locked out of internal systems. The city’s authorities responded quickly and shut down its digital infrastructure on July 28. This included email servers, file storage systems, and online payment portals. This impacted daily operations but prevented deeper network compromise.

As the situation unfolded, the local government declared a state of emergency on July 29. The Minnesota National Guard’s Cyber Protection Team was called up to assist with containment and investigation. Federal agencies, such as the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), were also notified to support forensic analysis and threat mitigation efforts.

While every other service was affected by the attack, 911 and emergency dispatch systems remained unaffected because they were hosted on isolated networks.

Timeline of the 2025 St. Paul Cyberattack

The Extent of the Damage

At first it appeared to be a normal IT issue, but it quickly spiraled into a citywide digital shutdown that affected multiple departments and public services. Almost all core systems were taken offline as a precaution. Departments that relied on these systems switched to manual processes to maintain essential functions. In some departments, staff began paper-based documentation, which kept things running, but at an extremely slow pace.

All the online payment portals ceased to work. To avoid further complications, officials announced the temporary suspension of late fees for all bills. Services like library Wi-Fi, public internet terminals, and printing services remained unavailable for weeks.

The Interlock Ransomware Group posted evidence of stolen data on its dark web leak site. The group claimed to have stolen 43 GB of data from St. Paul’s network, a claim refuted by the city’s officials. No payment records or Social Security numbers were compromised, as they were hosted on secure, cloud-based platforms.

Despite these reassurances, the public was seriously concerned about the safety of their data and its potential misuse. The local government issued multiple advisories, urging residents to be cautious about fraudulent emails or invoices posing as city communications.

The impact extended beyond digital services, affecting payroll processing and record management as well. The IT department had to reset numerous passwords and replace compromised systems to eliminate any malware. They also set up temporary workstations to allow staff to continue their work while existing systems were being repaired.

Nobody knows the exact cost of the attack, but cybersecurity experts estimate it could have easily reached between $10 and $20 million. The effects of the attack were visible in early August as well, which shows how a single ransomware event can disrupt the entire digital network for a long time.

St. Paul’s Response and Recovery Efforts

City officials responded quickly to the attack. They immediately took everything offline to avoid the spread of malware and preserve the clean backups. This allowed them to identify compromised segments of the network. The local government also deployed the Minnesota National Guard’s Cyber Protection Team to secure critical infrastructure and analyze forensic evidence. Their combined effort was called ‘Operation Secure St. Paul,’ which also became the epicenter for incident response, recovery, and coordination between city departments and state cybersecurity experts.

Here’s what the city did in response to the cyberattack:

How St. Paul Contained the Attack
  • Ensure functioning of essential services: The most important task for the city’s officials was to ensure that all essential services were functional. For that, departments had to make adjustments, such as switching to manual operations, handling billing offline, and coordinating through temporary communication channels.
  • Mass password reset: The local government asked every employee to change their credentials to reduce the risk of reused or compromised passwords. They also set up a temporary command center where employees received new devices to reset their accounts. Employees rejoined the network once their identities were verified.
  • Regular public communication: The city leadership maintained regular communication with the public of St. Paul to maintain transparency, reduce confusion, and keep public confidence during the most uncertain days of the incident.
  • Refused to pay the ransom: The city took a bold step by not paying the ransom demanded by the Interlock gang. The government thought that paying the ransom would give the attackers confidence to carry out more such attacks in the future. The attackers published the stolen data online. However, it was found that the leaked information mostly consisted of non-sensitive administrative files.
  • Streamlined recovery process: After the attack, cybersecurity teams scanned and cleaned all the systems before bringing them back online. Everything was verified before being used again. It was done in phases, starting from city operations, then department-specific software, and finally public-facing portals.
  • By early September, most systems had been made operational, although some departments continued to operate with limited functionality.

Key Lessons from the Attack

There are many things to learn from the St. Paul cyber attack. It shows how even a secure network can be attacked. It also shows that proper security measures can help reduce the damage. Here are a few important lessons to learn from the entire incident:

1. Fast response can reduce severe damage: Shutting down entire systems may seem extreme, but it’s an important step to prevent deeper compromise. Taking quick action at the start can stop ransomware from spreading and encrypting backups.

2. Transparency builds public trust during crises: City officials kept residents in the loop throughout the incident. They kept residents updated about affected systems and warned them about possible phishing attempts. Such small steps can help authorities gain people’s trust and prevent panic.

3. Backups and segmentation make recovery possible: St. Paul had off-network backups and properly segmented systems, which allowed them to resume operations quickly after the attack. They also ensured that emergency services were hosted separately to keep them operational.

4. Ransom payments don’t guarantee recovery: St. Paul took a firm stance of not paying the ransom, which otherwise would have set a bad precedent. Paying cybercriminals doesn’t guarantee data restoration or protection against future attacks. Since the attackers didn't receive any ransom, they leaked the data on the dark web. But investigators revealed that the data didn't include anything significant.

5. Human readiness matters as much as technology: Strategies like resetting passwords or processing payroll manually made a difference in recovery. So, organizations must train their staff and conduct phishing drills. They should also use strategies such as multi-factor authentication and role-based access controls to improve the organization’s overall security posture.

6. Improving Security After the Attack: After the crisis, the local government launched “Operation Secure St. Paul” to review cybersecurity policies and modernize its infrastructure.
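Lessons 1 and 3 above rest on one operational fact: backups are only useful if you can prove they were not reached by the ransomware before you restore from them. The following is an added example, not the city's tooling or anything described in the original post. It takes a SHA-256 manifest of an off-network backup copy while that copy is known-good, then re-verifies the copy later, reporting files that are missing, unexpected, or modified, and additionally flagging modified files whose byte entropy is near 8 bits per byte, which is what encrypted output looks like. The directory layout, file names and the simulated tampering in `demo()` are constructed.

```python
"""Verify an off-network backup copy against a known-good manifest and flag
files that look encrypted.

Added example; the backup layout, file names and manifest format are
assumptions, and demo() constructs everything it checks in a temp directory.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root. Take this while the
    backup is known-good and store it where the backup host cannot overwrite it."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the current copy with the manifest. Returns {relpath: status} with
    status in 'ok', 'modified', 'modified+high-entropy', 'missing', 'unexpected'."""
    current = build_manifest(root)
    report = {}
    for rel, digest in manifest.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] == digest:
            report[rel] = "ok"
        else:
            data = (root / rel).read_bytes()
            report[rel] = ("modified+high-entropy"
                           if shannon_entropy(data) >= entropy_threshold
                           else "modified")
    for rel in current:
        if rel not in manifest:
            report[rel] = "unexpected"  # e.g. a dropped ransom note
    return report


def demo() -> dict:
    """Build a constructed backup, record its manifest, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "billing").mkdir()
        (root / "billing" / "invoices.csv").write_text("id,amount\n1,20.00\n" * 200)
        (root / "payroll.txt").write_text("employee,hours\nalice,40\n" * 200)
        (root / "config.ini").write_text("[backup]\nretention_days=30\n")
        manifest = build_manifest(root)
        # Constructed tampering: one file overwritten with random bytes (stands in
        # for encrypted content), one deleted, one new file dropped.
        (root / "payroll.txt").write_bytes(os.urandom(4096))
        (root / "config.ini").unlink()
        (root / "README_RESTORE.txt").write_text("constructed ransom note placeholder")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:22} {rel}")
```

Any status other than `ok` across the whole copy means that copy is not the one to restore from, and the presence of `unexpected` files or `modified+high-entropy` results is a strong sign the backup host itself was reachable from the compromised network, which is the segmentation failure lesson 3 warns about.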

6 Key Lessons from the St. Paul Cyberattack

Conclusion

Incidents like the St. Paul cyberattack serve as a reminder that even well-managed city networks can be vulnerable to ransomware groups. However, with proactive security measures, quick incident response plans, and clear communication, damages can be reduced and recovery can be done much faster. SafeAeon provides these services as part of its ransomware protection, allowing organizations that lack optimal security measures to connect with our security team and close existing security gaps for comprehensive protection.


Frequently Asked Questions About St. Paul Cyber Attack


An attack was carried out on the city’s digital systems that manage numerous services across the city. Officials claimed that they prevented the attack in the initial stage. In contrast, the hackers claimed that they stole 43 GB of the city’s Parks and Recreation Department data after the local government refused to meet their demands.

It’s a group of cybercriminals formed in September 2024. It targets businesses and critical infrastructure in North America and Europe. The group operates on a double extortion model, which involves stealing data from the victim’s network and then deploying ransomware to encrypt files.

The attack started on July 25, 2025. The city’s officials claimed to have contained the threat by late August, but it took another two months to restore 75% of systems. It can take several months for the systems to fully recover and become operational again.

You need to use anti-ransomware to protect your network from any ransomware threat. You can connect with our team, which offers Ransomware Protection as a Service that deals with situations similar to the ransomware attack on St. Paul. They provide solutions that detect ransomware before it can attack and damage your network.
