On July 29, 2025 the City of Saint Paul declared a local state of emergency after detecting a coordinated digital attack that forced a full defensive shutdown of its municipal IT environment. City leaders said the shutdown was necessary to contain malicious activity and protect sensitive systems while they worked with state and federal partners on incident response.

The outage affected public-facing services across municipal facilities. Public Wi-Fi at libraries and other buildings went dark, online payment portals and some customer service lines were suspended, and many internal administrative systems were taken offline while forensic teams worked to assess the compromise. Emergency services such as 911 remained functional throughout the incident. These operational impacts mirror the classic ransomware playbook where availability and public-facing trust are weaponized against a city.

Within days the city identified the criminal group claiming credit as Interlock. Mayor Melvin Carter reported that the attackers posted roughly 43 gigabytes of files taken from a shared parks and recreation network drive, and that the city declined to pay the ransom demand. City IT launched an enterprise password reset program covering thousands of employees and invited assistance from the Minnesota National Guard and the FBI.

Local authorities moved quickly to treat the incident as both a criminal investigation and an infrastructure recovery operation. The St. Paul City Council extended the emergency declaration to enable continued coordination with federal and state partners and to streamline resourcing for a deliberate rebuild of systems. The National Guard cyber protection team supplemented municipal and private incident response resources.

What happened in St. Paul is not unique, but it is instructive. Municipal environments are attractive to extortionists for three reasons: first, they host a wide variety of critical services whose disruption is highly visible; second, many local IT estates combine legacy systems with modern cloud services in brittle ways; third, budget and staffing constraints make sustained modernization and monitoring difficult. Attackers exploit these conditions to gain leverage quickly and then escalate impact by encrypting or exfiltrating data. The St. Paul incident demonstrates how rapidly a local breach can spin into a multi-agency crisis.

Immediate technical takeaways for municipal and similarly sized organizations

  • Assume compromise and harden recovery first. Backups are only useful if they are isolated, regularly tested, and have immutable copies. Offline or air-gapped backups and an exercised restoration playbook reduce the leverage of ransom actors.

  • Enforce least privilege and zero trust controls. Network segmentation, strong identity and access management, and conditional access policies limit lateral movement and reduce the blast radius if an endpoint is taken. Multifactor authentication is table stakes.

  • Prioritize detection and response capabilities. Improved logging, endpoint detection and response, and a practiced incident response plan shorten dwell time and enable faster containment.

  • Treat third parties and shared drives as high risk. Shared departmental drives often contain a mix of operational and sensitive material. Enforce access controls, data classification, and monitoring on those resources.

  • Prepare continuity plans for public-facing services. Design fallback methods for essential citizen services such as bill payment, permitting, and library access so public safety and basic civic functions continue during an IT outage.
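
As an added illustration of the shared-drive monitoring and detection points above (not code from the city or any responder), the sketch below flags an account that reads an unusually large volume from one file share inside a sliding time window, the pattern that precedes a multi-gigabyte leak from a departmental drive. The log format (time, account, share, bytes read), the account and share names, and the 5 GiB per hour threshold are all assumptions chosen for the example; the sample records are constructed.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

GIB = 1024 ** 3

# Constructed sample file-access records: ISO time, account, share, bytes read.
SAMPLE_LOG = """\
2025-01-06T09:00:00,jdoe,parks-rec,209715200
2025-01-06T09:20:00,jdoe,parks-rec,104857600
2025-01-06T13:00:00,svc-scan,parks-rec,2147483648
2025-01-06T13:10:00,svc-scan,parks-rec,2147483648
2025-01-06T13:20:00,svc-scan,parks-rec,2147483648
2025-01-06T15:30:00,svc-scan,parks-rec,1073741824
"""

def find_bulk_reads(log_text, window=timedelta(hours=1), threshold=5 * GIB):
    """Return one alert per (account, share) whose reads inside any
    sliding window exceed the threshold (hypothetical tuning values)."""
    recent = defaultdict(deque)  # (account, share) -> (time, bytes) still in window
    totals = defaultdict(int)    # running byte count for each window
    alerts = {}
    rows = sorted((r for r in csv.reader(StringIO(log_text)) if r),
                  key=lambda r: r[0])  # ISO timestamps sort chronologically
    for ts, account, share, nbytes in rows:
        when, size, key = datetime.fromisoformat(ts), int(nbytes), (account, share)
        q = recent[key]
        q.append((when, size))
        totals[key] += size
        # Drop reads that have aged out of the window.
        while when - q[0][0] > window:
            totals[key] -= q.popleft()[1]
        # Alert once, at the first read that crosses the threshold.
        if totals[key] > threshold and key not in alerts:
            alerts[key] = {"account": account, "share": share,
                           "first_seen": ts, "bytes_in_window": totals[key]}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_bulk_reads(SAMPLE_LOG):
        print(alert)
```

In practice the threshold would be set per share from a baseline of normal use, since backup and indexing accounts legitimately read large volumes.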

Operational and policy recommendations

  • Formalize interagency escalation paths. St. Paul’s use of the National Guard and federal partners shows that local incidents can rapidly require higher-tier assets. Preplanned memoranda of understanding and clear escalation criteria speed that handoff.

  • Invest sustainably in people as well as tools. Many recovery tasks are human intensive. Budgeting for incident response retainers, on-call forensic expertise, and cross-trained municipal staff pays off compared with ad hoc emergency procurement.

  • Communicate deliberately with the public. Transparency about service impacts, expected workarounds, and protective steps for affected employees and residents preserves public trust. Verify claims of compromised personal data before broad public assertion, while providing protective offers like credit monitoring when employee data is implicated.

  • Shift procurement and governance toward resilience. Require cyber maturity in vendor contracts, include recoverability and logging obligations, and make ransomware tabletop exercises a routine requirement for critical departments.

A cautionary final note

Refusing to pay ransom is a defensible public policy choice aligned with federal guidance, but it is not a substitute for preparedness. The financial and operational cost of restoration, the legal obligations tied to exposed data, and the human toll on staff who must rebuild operations are real and substantial. Leaders must invest now so that a future St. Paul-style incident is an anomaly rather than the new normal.

For defenders the case reinforces an old truth: strong security is cumulative. Incremental investments in backups, identity controls, monitoring, and rehearsal compound into resilience. Municipalities should treat ransomware readiness as an essential public safety program and fund it accordingly.