Minnesota City of St. Paul Continues Ransomware Response



City Refuses to Pay Ransom; Employees Report to Arena to Reset Passwords in Person


Scenes from the ransomware recovery operation of St. Paul, Minnesota: City civil servants lined up in a stadium to manually verify their identity and reset passwords. Deployed soldiers in fatigues from the National Guard huddled around laptops. The mayor giving a press conference and hackers posting stolen data, with the possibility of more to come.


Nearly three weeks after ransomware hackers attacked its systems, the state capital city’s response appears to be progressing relatively quickly. Mayor Melvin Carter said the city will not pay a ransom, and that it’s restoring data from backups and working around the clock to get back up and running. The FBI, U.S. Department of Homeland Security and the state National Guard are assisting (see: Minnesota Activates National Guard Over St. Paul Cyberattack).

“We are doing what I lovingly refer to as a grand control-alt-delete of all our city systems,” Carter told reporters on Monday. That has included installing more advanced security tools so far on over 90% of all city systems and running a central location at which all city employees will reset their passwords and submit their work-issued devices for cybersecurity inspection.

The website for the city, which has more than 300,000 residents, says some internal systems and online services still remain unavailable, although “public safety and critical infrastructure systems remain fully operational,” as do emergency services. “Our teams are working closely with local, state, and federal partners to resolve the situation and restore full functionality,” it says.

On Monday, the Interlock ransomware group listed the city on its dark web data leak blog, claiming it as a victim. The criminal group also leaked stolen city information, which it said comprised 43 gigabytes of stolen data, encompassing 66,460 files and 7,898 folders.

The mayor confirmed that the leaked data appeared to be legitimate and said it was stolen from a city parks and recreation department server and appeared to mostly pertain to city employees, rather than residents. He said the data appeared to be non-critical. “These are not core city systems like payroll, permitting or licensing,” Carter said. The city said it’s continued to pay all employees on time, although it’s having to process its payroll manually.

Whether the extortionists have anything further to leak – officials said city systems collectively store about 153 terabytes of data – isn’t clear. “While the scope of what they published against us is far smaller than what they’ve accomplished elsewhere, the fact remains, someone was inside our systems, and once that happens, there’s no way to guarantee that they could not have accessed more,” Carter said.

The city detected the unfolding attack on July 25 and disabled numerous systems. As part of the response, Carter issued an emergency order requesting support from Gov. Tim Walz, who issued an executive order activating the Minnesota National Guard cyber protection teams, which have been assisting the city.

State of Emergency Extended

On Aug. 1, the St. Paul City Council voted unanimously to extend for 90 days the city state of emergency Carter declared, effective immediately.

“By extending the emergency declaration, we’re ensuring that the city can continue to access the external support and coordination necessary to respond effectively,” said Council President Rebecca Noecker. “Our deepest thanks go to the staff, emergency management teams and cybersecurity experts working tirelessly to resolve this issue and safeguard our systems.”

As part of what officials have dubbed “Operation Secure St. Paul,” the city on Sunday began sending employees to a local arena, the Roy Wilkins Auditorium, to reset their passwords.

“The recommendation from all the cybersecurity experts is this physical in-person reset is the most secure option to take,” Mary Gleich-Matthews, the city’s deputy CIO, told Fox affiliate KMSP.

“So we’re verifying the identity of our employees to make sure they are who they say they are, and then we just really wanted to have that physical kind of moment to make sure that their devices were safe, that they understood what was going on, how we were protecting them,” she said.

The center is equipped with 80 laptops, and groups of 80 employees are guided through the password-reset process every 30 minutes, after which the city’s IT team reviews any take-home devices issued to those employees, including updating the security software they run, KMSP reported.

By Monday, the city said 2,000 out of 3,500 employees successfully reset their passwords.

Interlock Attacks

St. Paul is one of multiple victims currently being claimed by Interlock. The ransomware group’s data-leak site on Wednesday listed more than 50 victims. Ransomware operations typically list a subset of their claimed, non-paying victims, to raise their public profile and pressure victims current and future into paying (see: Ransomware Groups’ Data Leak Blogs Lie: Stop Trusting Them).

The U.S. Cybersecurity and Infrastructure Security Agency and the FBI issued a joint advisory about Interlock on July 22, which they said emerged around September 2024 and has been tied to numerous attacks that have encrypted Windows and Linux environments, including virtual machines.

The FBI said it’s seen the threat actors “obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups,” as well as using ClickFix – aka ClearFake or “paste and run” – social engineering tactics to gain initial access to systems, after which attackers “use various methods for discovery, credential access and lateral movement to spread to other systems on the network.”

Attackers tied to Interlock have been increasing the pace of their operations, cybersecurity firm Halcyon reported on July 23. Like many ransomware groups, Interlock is run as a service business, with affiliates who use the operation’s ransomware receiving 70% to 80% of any ransom paid, with the core team keeping the rest, it said.

The ransomware-as-a-service group’s tactics often involve “fake software updates, stolen credentials and cloud exfiltration to pressure victims into paying,” said cybersecurity firm Cyble.
