Checklist 436: Operation Secure St. Paul

August 15, 2025

Ransomware Attack Cripples St. Paul: Interlock Group Claims Responsibility

The City of Saint Paul is still reeling from a crippling ransomware attack that disrupted municipal services, leaving library computers offline, City Hall without Wi-Fi, and online payment systems for water and sewer bills nonfunctional. While 911 and emergency services remained operational, the city shut down many systems to contain the breach.

Mayor Melvin Carter confirmed the incident was a ransomware attack, calling it a “deliberate, coordinated digital attack” by a “sophisticated external actor.” The group behind the assault, Interlock, has targeted numerous organizations since surfacing in September 2024, with a focus on healthcare, including breaches at DaVita and Kettering Health, as well as multiple U.K. universities.

A Timeline of Warnings and Breach

Days before the city publicly acknowledged the attack, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a joint advisory warning about increased Interlock activity and urging defenses against “double extortion” tactics — stealing and encrypting data to pressure victims into paying. However, threat intelligence from PRODAFT indicates Interlock may have infiltrated Saint Paul’s systems as early as July 20, 2025, several days before the federal alert.

On July 25, city systems flagged suspicious server activity, but by then, Interlock claimed to have stolen more than 66,000 files (43 GB of data). Samples posted to their leak site reportedly included passport scans, employee records, and other sensitive documents.

Conflicting Claims About Data Safety

Mayor Carter told Minnesota Public Radio the incident did not compromise residents’ personal or financial information and confirmed the city refused to pay the ransom. Interlock, however, alleged the breach caused “a lot of losses and damage,” including exposure of residents’ data.

While the group portrays itself as a crusader against poor cybersecurity — insisting its actions are “not financially motivated” — its ransom demands and threats to publish stolen data undermine that claim.

Next Steps: Operation Secure St. Paul

City officials have launched “Operation Secure St. Paul” to restore systems, bolster cybersecurity, and communicate directly with employees and the public after criticism over the city’s initial media-first disclosure.

Operation Secure St. Paul Underway as City Recovers from Ransomware Attack

In the wake of a major ransomware attack that crippled city services, Mayor Melvin Carter has launched Operation Secure St. Paul, a sweeping initiative to restore security across municipal systems. Speaking to Minnesota Public Radio on Monday, Carter detailed a three-day in-person effort to manually reset passwords for all 3,500 city employees.

The operation began early Sunday, moving 180 staff members through password resets every half hour. “Once these three days are complete, that’ll be the culmination of this grand reset… and we’ll start bringing our most critical systems back online by the end of this week,” Carter said. As of Monday, the city’s website still displayed a bright yellow banner warning residents about the ongoing “digital security incident,” while assuring that emergency services remain fully operational.

Background on the Attack

The breach — linked to the Interlock ransomware group — shut down internet access at libraries, halted online bill payment systems, and disabled multiple city services. While the city has refused to pay ransom, Interlock claims to have stolen over 66,000 files, including sensitive documents.

Federal Guidance Ignored or Too Late?

Days before the incident was publicly revealed, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory warning of increased Interlock activity and recommending mitigation strategies. Technical recommendations included DNS filtering, network segmentation, and implementing Identity, Credential, and Access Management (ICAM) policies. They also urged steps familiar to cybersecurity-conscious residents:

  • Training users to detect social engineering attempts
  • Keeping systems and software updated
  • Enforcing multifactor authentication (MFA) wherever possible

Next Steps

City officials aim to bring critical systems back online by the week’s end, but the investigation into the full scope of data theft continues. Federal agencies remain involved, and cybersecurity experts warn that rebuilding trust in systems after such an attack can take months.