
St. Paul Cyber Attack – Timeline, Response and Recovery Details
St. Paul, Minnesota’s capital city, faced a significant cybersecurity crisis in late July 2025 when ransomware disrupted core municipal operations. The attack, attributed to a group known as Interlock, forced emergency declarations, National Guard involvement, and a multi-week recovery effort that affected thousands of city employees and numerous public services.
The incident began on July 25, 2025, when suspicious activity was detected on city backup servers. Within days, the attack had spread to internal networks, payment portals, and public Wi-Fi systems, prompting an unprecedented response from city leadership and state authorities. Mayor Melvin Carter described the attack as “deliberate, coordinated” and the work of “money-driven” actors.
This article provides a comprehensive breakdown of what happened, how the city responded, and the current status of recovery efforts based on official statements, cybersecurity analysis, and documented timelines.
What Happened in the St. Paul Cyber Attack?
The St. Paul cyber attack represents one of the most significant municipal ransomware incidents in Minnesota history. On July 25, 2025, city IT security personnel detected unusual activity on backup servers, marking the initial intrusion point for what would become a weeks-long crisis. The attack quickly escalated, disrupting internal networks, online payment systems, and public Wi-Fi infrastructure across the capital city.
Following the detection, the city’s IT team worked to assess the scope of the intrusion. By July 28, officials determined that containing the threat required shutting down all networks entirely—a drastic measure that halted many public services but prevented further spread of the malware. On July 29, Mayor Carter declared a local state of emergency in response to what city officials confirmed was a criminal cyberattack.
- Ransomware encrypted critical city systems, forcing manual workarounds for basic operations
- Approximately 3,500 city employees required system access restoration through password resets
- The city refused to pay the ransom, following guidance from the FBI and National Guard cybersecurity specialists
- Data exfiltration occurred from Parks and Recreation network drives, totaling 43 GB of information
- Recovery relied on clean backups dating to July 25, before the attack began
- Minnesota National Guard’s 177th Cyber Protection Team provided assistance for nearly three weeks
| Fact | Details |
|---|---|
| Attack Start Date | July 25, 2025 |
| Attack Method | Ransomware (Interlock variant) |
| Affected Services | Internal networks, payment portals, public Wi-Fi |
| Data Exposed | 43 GB (66,460 files, 7,898 folders) |
| Employees Affected | Approximately 3,500 |
| Response Time | Emergency declared July 29, 2025 |
| Ransom Paid | No |
| Recovery Method | Clean backups from July 25, 2025 |
Timeline of the St. Paul Cyber Attack
Understanding the progression of the attack helps clarify how city officials responded and how long recovery took. The following chronological record draws from official city statements, cybersecurity analyses, and news reports.
- July 25, 2025 — Suspicious activity detected on city backup servers; attack begins, disrupting internal networks, online payments, and public Wi-Fi.
- July 28, 2025 — City shuts down all networks to contain the damage and prevent further spread.
- July 29, 2025 — Mayor Melvin Carter declares a local state of emergency and confirms the incident is a criminal cyberattack. Governor Tim Walz activates the Minnesota National Guard’s 177th Cyber Protection Team.
- August 8, 2025 — Payroll processed manually using borrowed computers from neighboring jurisdictions and spreadsheets.
- August 11, 2025 — City officially confirms ransomware involvement. The Interlock group claims responsibility and demands an undisclosed ransom. After the city refuses payment, the group releases 43 GB of stolen data from Parks and Recreation network drives.
- August 17, 2025 — National Guard assistance concludes after nearly three weeks of support.
- August 25, 2025 — Email services restored in coordination with Ramsey County.
- Post-August 2025 — Approximately 3,500 city employees undergo password resets and data scrubbing. Systems continue restoration using clean backups from July 25. Ongoing forensic scans conducted server-by-server.
City officials have stated the immediate threat has been eradicated, but monitoring efforts continue. A city spokesperson noted that St. Paul is “not out of the woods yet,” indicating that full security verification remains ongoing.
What Services Were Affected?
The ransomware attack disrupted multiple layers of city operations. Internal networks and computer systems experienced the most significant impact, rendering standard workflows unavailable for thousands of employees. The city had to improvise basic administrative functions during the recovery period.
Core Service Disruptions
Online payment portals, which residents typically use for utility bills, permits, and other municipal fees, became inaccessible during the peak of the crisis. Public Wi-Fi in city-owned facilities was also disabled as a precautionary measure. The Parks and Recreation network drive—containing files for the department’s operations—suffered data exfiltration, with approximately 43 GB of information stolen.
Employee systems required comprehensive remediation. Roughly 3,500 city workers needed their access credentials reset and their workstations thoroughly scanned before returning to normal operations. The city borrowed computer equipment from neighboring municipalities including Bloomington, Eden Prairie, Elk River, Minneapolis, and Sherburne County to maintain essential functions.
Public schools in St. Paul were not among the affected services. Schools were not listed among the disrupted municipal services during the incident, according to available documentation.
Financial and Operational Costs
Financial impacts are expected to reach into the millions of dollars, according to city estimates. This aligns with comparable incidents in other major cities, including attacks on Baltimore and Atlanta, which combined cost more than $17 million in recovery and lost revenue. The manual processing of payroll, borrowed equipment, and extended recovery efforts all contributed to elevated operational costs.
City Response and Recovery Status
St. Paul’s response to the cyber attack followed established protocols for ransomware incidents. City officials, coordinating with federal and state partners, made the decision early to refuse ransom payment. This approach aligned with recommendations from the FBI and National Guard cybersecurity specialists who assisted with the response.
Containment and Eradication
The city’s IT department, bolstered by National Guard specialists, isolated infected systems and began rebuilding infrastructure from clean backups created on July 25, 2025—the day before the attack was discovered. This “trusted foundation,” as one official described it, allowed the city to restore core systems without negotiating with attackers.
The Minnesota National Guard’s 177th Cyber Protection Team provided specialized assistance from July 29 through August 17, 2025. Guard members worked alongside city cybersecurity teams to scan and clean systems server-by-server, ensuring no traces of malware remained before restoring connectivity.
Progress Toward Normalcy
Services returned incrementally. Email coordination with Ramsey County was restored by late August, enabling better communication between departments. Employee workstations underwent mandatory password resets and thorough data scrubbing before users regained full access. Officials have emphasized that monitoring continues as the city works to rebuild its cybersecurity posture.
While city officials have stated the immediate threat is eradicated, they have also cautioned that St. Paul remains “not out of the woods yet.” Full security verification is ongoing, and residents should expect continued monitoring and potential notifications as the forensic review identifies affected individuals.
Details on the Attackers and Ransomware Claims
The group claiming responsibility for the St. Paul attack is known as Interlock, a ransomware-as-a-service operation that cybersecurity researchers first identified in September 2024. The group has been characterized as sophisticated, profit-driven, and known to use multiple attack vectors including fake browser updates and security patches.
Interlock Group Profile
Interlock operates on a ransomware-as-a-service model, meaning the core developers lease their malware to affiliates who conduct attacks and share profits. The group primarily targets government agencies and large organizations, with documented attacks against municipalities in Michigan, Indiana, and Scotland before the St. Paul incident.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Interlock on July 22, 2025—just three days before the St. Paul attack began. This warning highlighted the group’s tactics, which include using artificial intelligence to enhance phishing attempts and identify vulnerable systems.
Ransom Demands and Data Exposure
Following the city’s refusal to pay the ransom, Interlock publicly released 43 gigabytes of stolen data from the Parks and Recreation network drive. The released files totaled 66,460 documents across 7,898 folders. Notably, the group posted the data publicly rather than attempting to sell it to other parties, as sometimes happens after ransomware attacks.
The exact ransom amount demanded has not been publicly disclosed. Interlock has reportedly sought ransoms ranging from $5 million to $30 million in other attacks, according to cybersecurity firm SD Solutions LLC, which has tracked the group’s activities.
What We Know and What Remains Unclear
While extensive information has emerged about the St. Paul cyber attack, certain details remain limited or pending further investigation. The following comparison clarifies the current state of public knowledge.
| Established Information | Information That Remains Unclear |
|---|---|
| Attack began July 25, 2025 | Exact entry point of initial intrusion |
| Interlock group confirmed responsible | Specific ransom amount demanded |
| 43 GB of Parks and Recreation data released | Whether additional data was stolen but not released |
| No ransom paid | Complete list of individuals whose data was exposed |
| 3,500 employees required system resets | Total financial cost of the incident |
| National Guard provided 19 days of assistance | Whether the five other Minnesota entities hit by ransomware in the same period used similar attack methods |
Broader Context: Minnesota’s Cybersecurity Challenges
The St. Paul attack did not occur in isolation. According to analysis from Urban Cyber Defense and reporting by GovTech, St. Paul was one of six Minnesota government bodies hit by ransomware in the year preceding the incident. This wave of attacks prompted state officials to accelerate a “whole-of-state cybersecurity” initiative aimed at improving defenses across all levels of government.
The pattern of targeting municipalities reflects a broader trend in ransomware operations, where attackers identify government agencies as attractive targets due to their critical services, often outdated IT infrastructure, and potential willingness to pay ransoms to restore public services quickly. Interlock’s prior attacks on municipalities in Michigan, Indiana, and Scotland demonstrate that the St. Paul incident fits within the group’s established targeting strategy.
City officials have committed to transparency throughout the recovery process. Mayor Carter emphasized that the attack was the work of financially motivated criminals rather than any political or ideological agenda. The city maintains a Digital Security Incident Info Hub on its official website, providing residents with updates, timelines, and information about data exposure notifications.
Official Sources and Statements
City leadership has provided multiple public statements since the attack began. Mayor Melvin Carter described the incident as “deliberate, coordinated” and emphasized the city’s commitment to transparency with residents. In video statements shared through the Digital Security Incident Info Hub, Carter has thanked the National Guard and addressed questions about data exposure.
“This was a deliberate, coordinated attack by money-driven actors who sought to disrupt essential city services.”
— Mayor Melvin Carter, St. Paul
Governor Tim Walz’s activation of the National Guard’s cyber team represented an unusual but not unprecedented step for state-level cybersecurity response. The 177th Cyber Protection Team brings specialized capabilities that local governments typically cannot maintain independently.
The city continues to issue notifications as its forensic investigation identifies individuals whose personal information may have been compromised. Affected residents are advised to monitor official communications from the city and consider identity protection measures as appropriate.
Summary
The 2025 cyber attack on St. Paul, Minnesota’s capital city, represents a significant case study in municipal ransomware response. Starting July 25, 2025, the Interlock ransomware group infiltrated city systems, disrupted core operations for weeks, and ultimately released stolen data when officials refused to pay the ransom. The city’s decision to rebuild from clean backups, combined with assistance from the Minnesota National Guard and federal partners, enabled a return to normal operations by late August. However, recovery costs are expected to reach millions of dollars, and ongoing forensic work continues to determine the full scope of data exposure. The incident has underscored the vulnerability of municipal IT infrastructure and accelerated state-level efforts to improve cybersecurity coordination across Minnesota.
Frequently Asked Questions
Are there similar cyber attacks in Minnesota?
St. Paul was one of six Minnesota government bodies hit by ransomware in the year preceding this incident, according to analysis from cybersecurity researchers and state reporting.
Was ransom paid in the St. Paul cyber attack?
No. The city refused to pay the ransom following guidance from the FBI and National Guard cybersecurity specialists who assisted with the response.
What data was exposed in the attack?
The attackers released 43 GB of data from Parks and Recreation network drives, totaling 66,460 files across 7,898 folders. This represents a small fraction of the city’s total 153 TB of data.
Were public schools affected by the St. Paul cyber attack?
Public schools were not listed among the disrupted services. School operations were not mentioned in documentation of affected municipal services.
How long did the National Guard assist with recovery?
The Minnesota National Guard’s 177th Cyber Protection Team provided assistance from July 29 through August 17, 2025—a period of 19 days.
What is the status of city services now?
Core services have been restored, and the immediate threat has been eradicated according to city officials. However, monitoring continues, and residents may still receive data exposure notifications as the forensic review progresses.