Description
On August 10, 2025, the ransomware group Interlock posted 43 gigabytes of data it claims to have exfiltrated from systems on the St. Paul, Minnesota, city network. Interlock has been very active in the past year and is known to use advanced phishing, malware and credential exploitation methods. The posted data included budget documents, city invoices, city contracts, scanned ID documents and employee information. During the initial days of the attack, some critical services were disrupted, which prompted the city to take all its systems offline on July 27 to contain the attack and begin remediation. As of August 21, some services were still not fully operational, and the mayor has delayed the release of the city’s 2026 budget, which was to be published on August 14.
Indicators of Compromise (IoCs)
The attack was first detected on July 26 by a member of the city’s IT staff. Evidence shows that the attackers targeted the Parks and Recreation department first and then moved laterally from there. The attack was confirmed as ransomware when Interlock contacted the city on July 28.
Actions Taken
The city of St. Paul took a highly prioritized and organized approach to respond to the attack. Some of the actions taken included the following:
- The city launched an initiative called “Operation Secure St. Paul” to coordinate system restoration efforts and communicate with employees.
- The mayor declared a state of emergency, and both the FBI and Minnesota National Guard’s cyber unit were called in to assist with all aspects of containment, investigation, and system recovery.
- Other federal agencies, including CISA and Homeland Security, were brought in to provide added technical guidance.
- The city converted an auditorium into a clearinghouse where all 3,500 employees were sent to perform a physical in-person reset of their passwords.
- The city’s IT department staged a server to test data restorations before implementing a full production restore of all impacted systems and devices.
- Additional security measures were implemented such as tighter network segmentation and enforced multifactor authentication (MFA).
- Red team exercises are being conducted on a regular basis to check for additional vulnerabilities across all systems.
- All city employees are receiving 12 months of free credit monitoring and identity theft protection.
Prevention
The attack illustrates how lateral movement enables cybercriminals to spread from compromised systems in one department to others across the network. Effective network segmentation strategies help contain malware outbreaks, preventing infections from spreading to other network areas. Strict adherence to the principle of least privilege (PoLP) further restricts attackers’ ability to navigate through systems.
By implementing network segmentation and enforcing least-privilege access controls, organizations can significantly limit lateral movement. This approach confines attackers to their initial entry point, preventing access to critical infrastructure and sensitive systems.
Another popular attack avenue for ransomware organizations is unpatched systems. Regularly updating operating systems, applications, and network devices closes security gaps that ransomware operators often exploit.
A proactive approach to preventing such attacks is to have third-party security specialists provide continuous external attack surface management, actively looking for exploitable vulnerabilities, along with regular penetration tests of the organization’s network. These specialists simulate real-world attack techniques to probe for weaknesses that modern attackers might exploit. Following the assessment, the external team provides prioritized recommendations for remediating the discovered weaknesses.
Review your security program for your teams to minimize your risk.