{"id":222685,"date":"2026-05-29T17:47:00","date_gmt":"2026-05-29T21:47:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/29\/how-st-paul-minn-recovered-from-a-ransomware-attack\/"},"modified":"2026-05-29T18:00:12","modified_gmt":"2026-05-29T22:00:12","slug":"how-st-paul-minn-recovered-from-a-ransomware-attack","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/29\/how-st-paul-minn-recovered-from-a-ransomware-attack\/","title":{"rendered":"How St. Paul, Minn., Recovered From a Ransomware Attack"},"content":{"rendered":"<p><a href=\"https:\/\/www.govtech.com\/security\/how-st-paul-minn-recovered-from-a-ransomware-attack\">How St. Paul, Minn., Recovered From a Ransomware Attack<\/a><\/p>\n<p><a href=\"https:\/\/www.govtech.com\/security\/how-st-paul-minn-recovered-from-a-ransomware-attack\">https:\/\/www.govtech.com\/security\/how-st-paul-minn-recovered-from-a-ransomware-attack<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-29 17:47:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.govtech.com\">www.govtech.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>                                    When ransomware struck St. Paul, Minn., last July, Chief Information Officer Jaime Wascalus turned to the city&#8217;s Emergency Management Department as IT teams began shutting down portions of the network.The response moved beyond City Hall, with a recovery effort that included Minnesota Information Technology Services (MNIT), federal and state investigators, private-sector cybersecurity specialists, and the Minnesota National Guard. Since the attack, officials have spoken to legislators, at conferences and at symposia, sharing their story in the hopes it can help other governments improve cybersecurity preparedness and response.DETECTION AND DOWN TIMESuspicious activity was first identified by the IT team at St. Paul\u2019s water utility, Wascalus told Government Technology. The utility, which is part of the city, maintains its own technology staff and systems, while sharing one network with the local government. The utility was using endpoint detection and response technology deployed through MNIT, utilizing federal State and Local Cybersecurity Grant Program funds.When the network was shut down, it took internal networks, online payments and public Wi-Fi offline. A ransomware gang called Interlock was the attacker, and it uses the double extortion model \u2014 first exfiltrating data, then demanding a ransom to decrypt the data and prevent data leaks.\u00a0One of St. Paul\u2019s processes, however, is to create nightly backups, and this played a part in the city&#8217;s decision not to pay a ransom.As recovery got underway, the city prioritized 911, payroll and business services such as water delivery. Emergency services weren\u2019t interrupted, while payment systems, the library, email and data storage were restored around the third week of August, with wider recovery taking several months. During testimony before the state Legislature, CISO Stefanie Horvath credited \u201cproactive investments\u201d in cybersecurity operations for helping the city respond. Wascalus also said that St. Paul had an incident response plan well before her arrival in 2022.STATE OF EMERGENCYEven with those preparations, city officials determined additional support was needed. St. Paul reported the incident through MNIT\u2019s cyber incident reporting portal and engaged a contracted cybersecurity firm. Within days, Gov. Tim Walz issued an emergency executive order activating the Minnesota National Guard&#8217;s specialized cyber unit to the city of more than 300,000.\u201cState resources will augment the local government when the needs generated by the incident exceed the capability of local government to respond,\u201d said Lt. Col. Brian L. Morgan, the cyber coordination cell director for the Minnesota National Guard.Requests for National Guard support go through a vetting process that looks at factors such as impacts to public safety and health, as well as whether the entity needs help beyond its capacity. Morgan said the goal is to deploy the guard only for &#8220;the worst of the worst emergencies.\u201dThe guard&#8217;s cyber mission also extends beyond emergency response. Teams regularly train on ransomware incidents, threat hunting and critical infrastructure protection, while also building relationships with local, state and federal partners before incidents occur. Those connections help speed coordination when assisting in a major cyber event.The guard&#8217;s 177th Cyber Protection Team is made up of about 50 volunteers and a small full-time staff. A few things they provided to St. Paul included connectivity via FirstNet, laptop deployment, manpower and installing enhanced endpoint detection across city departments.In August and still reeling from the attack, officials launched Operation Secure St. Paul, a citywide global password reset and device security check at a 5,000-seat arena. It required all employees to arrive in person.\u201cI wanted to make sure that everybody who was on our network was a legitimate person who belonged there,\u201d Wascalus said. \u201cIt was a huge logistical undertaking that I think took about five days to plan but probably should have taken months.\u201dThe effort ultimately brought more than 3,000 employees back onto city systems in three days.\u201cAt the same time, the National Guard gave us even more people,\u201d she said. \u201cWe changed over 3,000 passwords in person, that\u2019s MFA credentials, and we had their devices checked to make sure that they had the right software on them.\u201dCONVERSATION AND COLLABORATIONIn sharing their cyber recovery story, St. Paul officials are following a path taken by other governments that have publicly discussed major cyber incidents. Dallas and Nevada, for example, published public-facing after-action reports and also shared lessons at conferences and other forums.St. Paul Mayor Melvin Carter has said that he spoke with the mayors of Atlanta and Baltimore, whose cities have also experienced cyber attacks. Wascalus said the experience changed how she thinks about collaboration and preparedness, noting that her CIO network also provided support through discussions and loaning equipment. Those experiences reinforced the value of relationships that existed before the attack.Now, city officials are continuing to share their own lessons. St. Paul\u2019s Digital Security Incident Info Hub remains online and an after-action report is under review. In June, Wascalus and Emergency Management Director Rick Shute are slated to speak about lessons learned at the League of Minnesota Cities conference.\u201cEssentially what we say is: This is what we learned. This is how you need to prep. This is what you need to be ready for in the moment,\u201d Wascalus said.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How St. Paul, Minn., Recovered From a Ransomware Attack https:\/\/www.govtech.com\/security\/how-st-paul-minn-recovered-from-a-ransomware-attack Publish Date: 2026-05-29 17:47:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":222686,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/erepublic.brightspotcdn.com\/dims4\/default\/daf5302\/2147483647\/strip\/true\/crop\/1000x486+0+90\/resize\/1440x700!\/quality\/90\/?url=http%3A%2F%2Ferepublic-brightspot.s3.us-west-2.amazonaws.com%2F55%2F57%2Fb251313dc702ad47f7304a1b1e2d%2Fst-paul-minn.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-222685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222685"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=222685"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222685\/revisions"}],"predecessor-version":[{"id":222687,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222685\/revisions\/222687"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/222686"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=222685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=222685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=222685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}