When an Entire American City Was Crippled by Ransomware - The Saint Paul Cyber Attack Reality Check
Last July, an absolutely devastating ransomware attack hit Saint Paul, Minnesota, causing one of the worst cybersecurity incidents in American municipal history.
The entire city’s computer systems were paralyzed, network communications failed, citizens couldn’t pay their water bills, libraries lost Wi-Fi access, and even city employees couldn’t work.
This turned out to be a ransomware attack orchestrated by a hacker group called “Interlock.”
What’s infuriating is that when the city refused to pay, these criminals released 43GB of citizen data onto the internet.
Let’s examine exactly what happened and what we can learn from it.
How It All Began
So I stumbled across this story while doom-scrolling through security news.
We’ve been getting hit with ransomware attacks in Korea lately, so I’ve been keeping tabs on what’s happening elsewhere. But this? This was next level.
An entire American city brought to its knees. I couldn’t believe it.
Can you imagine what it feels like to have an entire city paralyzed?
When I thought about it, it was truly terrifying.
All the digital services we take for granted in daily life suddenly becoming useless in an instant.
(I mean, can we even function without the internet anymore??)
Attack Timeline
Here’s how everything went down, day by day.
- July 22, 2025: U.S. Cybersecurity and Infrastructure Security Agency (CISA) issues warning about Interlock ransomware group
- July 25, 2025: Saint Paul’s automated security systems first detect “suspicious activity” and attack begins
- July 25-27, 2025: Attack continues throughout the weekend, system damage escalates
- July 27, 2025: City authorities completely shut down all information systems to prevent further damage
- July 28, 2025: City Hall and public library Wi-Fi shut down, online payment tools disabled, internal network access suspended (911 emergency services remain operational)
- July 29, 2025: Mayor Melvin Carter officially declares local state of emergency / Governor Tim Walz activates Minnesota National Guard cyber protection team / FBI launches investigation and deploys two national-level cybersecurity firms
- July 30, 2025: City announces employee wages will be paid normally despite payroll system shutdown
- August 1, 2025: Saint Paul City Council unanimously decides to extend state of emergency for 90 days
- August 8, 2025: Manual payroll processing completed, all employees paid normally
- August 10, 2025: Attacker officially confirmed as the ‘Interlock’ ransomware group / “Operation Secure St. Paul” recovery operation begins (password resets and equipment checks for approximately 3,500 people)
- August 11, 2025: City officially announces rejection of ransom demands / Interlock retaliates by releasing 43GB of stolen data on dark web (mainly Parks and Recreation Department documents) / Announces 12-month free credit monitoring service for all employees
- August 12, 2025: Operation Secure St. Paul Phase 1 completed (over 2,000 people processed)
- Late August 2025: Phone services, online water bill payments, parks and recreation payment systems begin gradual recovery
July 2025: Saint Paul System Failure
The first suspicious signs in Saint Paul were detected on Friday morning, July 25, 2025.
The city’s automated security systems detected “suspicious activity.” But it was already too late.
The hackers’ attack continued throughout the weekend. From July 25th to 27th, the entire city was essentially under digital siege.
To prevent further damage, city authorities made the drastic decision to shut down all information systems on Sunday, July 27th.
What were the consequences?
Wi-Fi at City Hall and public libraries went completely dark, and online payment systems were totally paralyzed.
Citizens had no way to pay their water bills.
They managed to keep 911 going - which, you know, is kind of critical.
But all those other services people rely on? Water bill payments, city records, internal systems… all offline.
State of Emergency
On July 29th, Saint Paul Mayor Melvin Carter decided they couldn’t hold out any longer.
He officially announced that this wasn’t just a simple system error, but rather “an intentional and coordinated digital attack by sophisticated external actors.”
He immediately declared a local state of emergency.
This shows just how serious the situation had become.
Minnesota Governor Tim Walz also issued an executive order that evening, deploying the Minnesota National Guard’s cyber protection team.
The official reason was that “the scale and complexity of the attack exceeded the city’s response capabilities.”
Think about it - deploying the National Guard for a city’s cyber attack… that’s absolutely unprecedented.
FBI got involved. Two major cybersecurity firms too. Everyone was scrambling.
The Identity of Interlock
It wasn’t until August 10th that the identity of the attackers was revealed.
In a press conference, Mayor Carter disclosed that it was the work of a ransomware group called “Interlock.” (Which, honestly, took way longer than you’d think.)
Interlock isn’t just any hacker group.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had issued a warning about them just three days before the attack.
Mayor Carter described them as “a sophisticated, financially motivated organization that targets corporations, hospitals, and government agencies, stealing and selling terabytes of sensitive information.”
Their demand was simple:
Pay us money.
The exact amount? Nobody’s saying. But St. Paul didn’t budge.
And that’s when things got ugly.
Retaliation and Citizen Data Leak
When the city refused to pay the ransom, Interlock’s retaliation began.
On August 11th, they released 43GB of data stolen from Saint Paul onto the internet.
Fortunately, most of the leaked data was from the Parks and Recreation Department’s shared drives.
It included work documents, copies of IDs that employees had submitted to HR, and even personal cooking recipes - described as “diverse and unsystematic” materials.
But not knowing what else might be leaked, the city had to reassure its citizens.
The city announced it would provide all employees with 12 months of free credit monitoring and identity theft protection services.
This was a precautionary measure in case more sensitive information had been compromised.
Recovery Operation Launch
To restore their systems, Saint Paul launched a massive operation.
Called “Operation Secure St. Paul,” this effort required all of the city’s approximately 3,500 employees to gather in the basement of the Roy Wilkins Auditorium and line up in front of about 80 computers installed there.
Employees had to present their IDs and employee numbers, spend about 30 minutes resetting passwords, and undergo security checks on their work laptops.
This process continued for three days from August 10th to 12th, from 6 AM to 10 PM.
It was a complete reset. They must have had an incredibly tough time.
Only after resetting all account information could they begin to restart systems one by one.
What is Ransomware?
Quick refresher on ransomware, in case you’re not familiar.
It’s basically digital hostage-taking.
The software sneaks into your system, locks up all your important files with encryption, and then - here’s the kicker - demands payment to unlock them.
“Pay up or lose everything” kind of deal.
Today’s ransomware attackers have become more devious.
They don’t just encrypt files - they steal important data beforehand.
So when victims refuse to pay, they add another threat: “Then we’ll release your customers’ or citizens’ personal information on the internet.”
This is called “Double Extortion.”
The Criminals’ Motives
So why do these criminals invest so much time and effort in these infections?
Money, obviously.
These attacks pull in serious cash - we’re talking hundreds of thousands, sometimes millions per hit. When you’re targeting hospitals or city governments, the payoff can be massive.
That’s why everyone’s jumping on the bandwagon.
Then there’s the whole RaaS thing - Ransomware as a Service.
Think franchise model: big groups like Interlock build the tools, smaller hackers run the actual attacks, everyone splits the profits.
“I’ll handle the tech, you do the grunt work” kind of arrangement.
Cryptocurrency made it easier too.
Bitcoin payments are nearly impossible to trace, so criminals feel a lot safer demanding ransoms this way.
And honestly? There are still tons of easy targets out there with weak cybersecurity.
Local governments and small businesses in particular often don’t invest enough in security, which makes them easy for hackers to penetrate.
They think “it won’t happen to us” and get complacent, until it does.
Then it’s too late, and a single attack leaves them thoroughly devastated.
Here’s the thing about cybersecurity: If a hacker really wants in, they’ll get in eventually. Every system has vulnerabilities.
The question isn’t “can they break in?” but “how long will it take them?” Strong security buys you time - sometimes enough that they give up and move on.
What We Can Do
So how can we protect ourselves from such attacks?
Backups are your safety net.
Store copies of important files on external drives or cloud storage - somewhere separate from your main system.
That way, if ransomware hits, you’re not completely screwed.
Just one thing: don’t leave backup drives permanently connected to your computer.
They can get encrypted too if the malware spreads.
Yeah, it’s a bit of a hassle unplugging them each time, but it’s worth it.
Keep everything updated.
I know, I know - update notifications are annoying.
But those security patches exist for a reason.
When your OS or software prompts you to update, don’t put it off.
Hackers specifically look for systems running outdated software with known vulnerabilities.
Make it a habit to install updates as soon as they’re available.
Treat suspicious emails like poison.
Here’s the thing - most ransomware doesn’t just magically appear on your computer.
It needs you to let it in, usually through a phishing email.
That attachment from someone you don’t know? Delete it.
That link in a weird message? Don’t click.
If something feels off about an email, it probably is.
Trust your instincts.
Use strong passwords and enable two-factor authentication.
Different password for every account - yes, it’s a pain to remember them all, but that’s what password managers are for.
And turn on two-factor authentication wherever possible.
It adds an extra layer that makes life much harder for attackers trying to break into your accounts.
Make yourself a hard target.
Here’s something security experts know: if a determined hacker really wants into a specific system, they’ll eventually find a way.
But here’s the good news - most hackers aren’t that patient.
They’re looking for easy wins, not challenges.
So pile on the security measures.
Strong passwords, two-factor auth, updated software, firewall settings - all of it.
Make your system annoying enough to crack, and hackers will usually move on to easier targets.
They’re running a business, after all.
Time is money, even for criminals.
Daily Security Awareness
Actually, I found myself reflecting a lot while researching this Saint Paul incident.
I think I’ve been too complacent about cybersecurity in my daily life.
Our daily lives are inseparable from digital technology, right?
From internet banking to shopping, SNS, and work…
Almost everything is done online, but our interest in security has been lacking.
The thought “who would hack an ordinary person like me?” seems especially dangerous.
Ransomware often spreads indiscriminately rather than targeting specific individuals.
It’s like casting a wide net to catch whatever fish get caught.
I also realized that if I do get attacked, I shouldn’t hide it or try to solve it alone.
Like Saint Paul did, I should openly ask for help and work with experts to resolve it.
Through this Saint Paul ransomware incident, I’ve gained a new appreciation for how important cybersecurity is.
It was shocking that an entire city could be paralyzed, and scary that such attacks are becoming increasingly sophisticated.
So yeah, that’s the St. Paul story. Scary stuff, right?
How’s your security setup looking? Got any horror stories or tips to share?
Drop them in the comments - I’d love to hear what you guys think about all this.