Hackers responsible for a cyberattack that forced St. Paul to shut down its computer systems two weeks ago demanded a ransom from the city, the mayor’s office confirmed this weekend.
But there is no evidence so far that the hackers obtained any data from the city in their attack, according to Jennifer Lor, Mayor Melvin Carter’s press secretary. The city had not previously disclosed whether it had been targeted by ransomware.
St. Paul placed its computer networks into a sort of coma soon after learning of the cyberattack that started on July 25. The move has disrupted city services, though officials say it was necessary to stop the hackers from doing more damage.
Mary Gleich-Matthews, deputy chief information officer for St. Paul’s Office of Technology and Communications, said the city was fortunate to learn of the attack soon after it began.
“Not everybody has the opportunity to be proactive,” she said.
Starting early Sunday morning, the city will take a significant step toward waking up its computers. To safely reactivate systems, thousands of city employees will have to reset their passwords and have their work-issued computers checked out in person.
Those employees will have to report to a sprawling operation in the basement of Roy Wilkins Auditorium at the RiverCentre in downtown St. Paul to process their accounts and equipment before being able to log back in.
Many city services have been offline since the attack. St. Paul Regional Water Services’ online payment portal and computers at public libraries haven’t functioned in weeks. Many of the city’s phones are also out of commission.
Once a sufficient number of employees have new credentials, the city can begin reactivating systems, according to Gleich-Matthews.
“Once we get that high level of saturation, we can start turning things on,” she said. “It’s not like a light switch. We slowly roll from there.”
City human resources departments had to manually build spreadsheets in a makeshift office in order to make payroll on time, Carter said last week. The city said each employee got paid on time on Aug. 8.
Laptops in police cars were also affected, though emergency services are still functioning. Ramsey County runs 911 dispatch and wasn’t affected by the hack.
Operation Secure St. Paul
City workers have been working overtime to prepare for what they call “Operation Secure St. Paul.”
The Roy Wilkins basement was empty last Monday, though less than a week later, it’s prepared to process the 3,500 or so city employees who have login information, Gleich-Matthews said.
Workers from various city departments will come in at scheduled times starting Sunday at 6 a.m. to get new login credentials and have their city-issued laptops screened.
The goal is to get all employee accounts and equipment processed by the end of Tuesday, so staff will be working from 6 a.m. to 10 p.m. for the next three days.
Employees will have to present identification and their city employee number in order to check in, and they have to come at their scheduled time in order to get help. The process is expected to take around 30 minutes per person.
City officials have been quiet about the process so far due to concerns about cybercriminals learning details about the reset process, according to the mayor’s office.
Once employees who have city login information have gotten new credentials and had their machines vetted, St. Paul can begin the process of starting up its systems.
The first functions that will return are “critical systems” like permitting and licensing, payroll, phone networks and internal network storage drives, according to Gleich-Matthews.
Questions about attack remain
More than two weeks after the July 25 cyberattack on St. Paul, its still unclear who could be responsible. Law enforcement and the city have not disclosed any information about the source of the hack.
What is known is that the hack was a coordinated attack by a “sophisticated external actor,” the mayor said in late July.
Gov. Tim Walz has activated the Minnesota National Guard to provide the city with cybersecurity specialists, and the FBI is investigating the attack.
The FBI and National Guard have said they can’t provide information about the cyberattack as it remains under investigation.
As of Saturday, there was no evidence that any data was taken, according to the city, which said it keeps the “majority” of resident information like names, addresses and phone numbers on cloud-based applications unaffected by the attack.
On Wednesday, Carter announced he would delay his August budget address to September as the city addressed the attack. St. Paul remains in a local state of emergency.
St. Paul isn’t the only city that’s been hit by a cyberattack recently.
Last week, the city of North St. Paul said its police department had been targeted in a hack that may have compromised “some data.”
