Ransomware gang claims attack on St. Paul city government

Threat Score: 68 • 5 articles • 100.0% similarity • 3 days ago

Key Insights

1. The Interlock ransomware gang has leaked 43GB of files stolen from the city of Saint Paul, Minnesota, following a cyberattack that occurred on July 29, 2025, which affected the city's digital services and critical systems.
2. Mayor Melvin Carter confirmed that the attack compromised more than 66,000 files, including employee records and scans of passports, with the data primarily sourced from a shared network drive within the Parks and Recreation Department.
3. Saint Paul officials have stated that while the attack caused significant disruption, no personal or financial information of residents was compromised, as this data is stored securely in a cloud environment.
4. In response to the attack, the city has refused to pay the ransom demanded by Interlock, opting instead to restore systems from backups and reset employee passwords in person at a designated location.
5. The Minnesota National Guard was activated to assist in the city’s response efforts, highlighting the attack's severity and the need for external cyber protection support.
6. Interlock has publicly criticized Saint Paul officials, claiming they were 'extremely careless and irresponsible' with the city's cybersecurity, exacerbating the impact of the attack on local residents.

Threat Overview

The city of Saint Paul, Minnesota, has been significantly impacted by a cyberattack attributed to the Interlock ransomware gang, which occurred on July 29, 2025. Following the incident, Mayor Melvin Carter confirmed that Interlock was responsible for the attack, which disrupted various city services and led to the leak of 43GB of sensitive data on August 11. The leaked data includes over 66,000 files, such as employee records and scans of passports, primarily obtained from a shared network drive in the Parks and Recreation Department. Mayor Carter emphasized that while the attack caused substantial disruption, residents' personal and financial information remained secure, as it is stored in a cloud environment.

The city’s systems experienced significant operational challenges, prompting the activation of the Minnesota National Guard to assist in the recovery efforts. 'While many city services remain available, some may be temporarily delayed or disrupted due to limited system access,' the city stated. In light of the attack, the city has refused to pay the ransom demanded by the hackers, opting instead to restore systems from backups and reset employee passwords in person. The National Guard's involvement underscores the attack's severity, with the city acknowledging that it exceeded its incident response capacity.

Interlock has publicly criticized city officials, accusing them of negligence in securing their data, and claimed that the attack resulted in considerable losses and damage to the city's infrastructure. As the investigation continues, the city is working closely with local, state, and federal partners to fully restore system functionality. Emergency services, however, have remained unaffected throughout the incident. The city has assured residents that updates regarding billing and service will be provided as systems are restored.

Tactics, Techniques & Procedures (TTPs)

  • T1566: Spearphishing Link - Attackers may have used phishing methods to gain initial access to Saint Paul's systems [2][4]
  • T1190: Exploit Public-Facing Application - Attackers exploited vulnerabilities in the city's public-facing applications to penetrate the network [1][3]
  • T1059: Command and Scripting Interpreter - The ransomware likely executed commands to encrypt files and exfiltrate data [1][5]
  • T1557: Adversary-in-the-Middle - Attackers may have intercepted communications to gather sensitive data before executing the ransomware [2][4]
  • T1053: Scheduled Task/Job - The ransomware may have established persistence through scheduled tasks to ensure continued access [3][5]
  • T1105: Ingress Tool Transfer - The attackers likely transferred tools to the network for data exfiltration and further exploits [4]
  • T1003: OS Credential Dumping - Attackers potentially harvested credentials from compromised systems to escalate privileges and move laterally [5]

Timeline of Events

  • 2025-07-29: Cyberattack on Saint Paul city systems initiated by Interlock ransomware gang [1][5]
  • 2025-08-11: Interlock publishes leaked data on its dark web site, claiming to have stolen 43GB of files [2][3]
  • 2025-08-12: Mayor Melvin Carter confirms the attack and the nature of the data compromised [3][4]
  • 2025-08-12: City officials announce plans for password resets and system recovery efforts [4]
  • 2025-08-13: Minnesota National Guard is activated to assist in the city's cyber defense efforts [1][2]

Source Citations

Expert quotes:
  • Mayor Melvin Carter: Article 1
  • Interlock ransomware gang statements: Article 2
Primary findings:
  • National Guard activation: Article 1
  • Official statements from Mayor Carter: Articles 3, 4
  • Cyberattack confirmation and data leak: Articles 1, 2
Technical details:
  • Ransomware group claims and city response: Articles 4, 5
  • Details on the nature of the leak and affected systems: Articles 1, 2, 3
Powered by ThreatCluster AI
Generated 1 day ago
AI analysis may contain inaccuracies

Related Articles

5 articles
1. Ransomware gang claims attack on St. Paul city government

Therecord • 4 days ago

The Interlock ransomware gang is claiming to have carried out a cyberattack that has disrupted the operations of the city government of St. Paul, Minnesota.

Score: 62 • 94.0% similarity
2. Minnesota City of St. Paul Continues Ransomware Response

Data Breach Today UK • 2 days ago

City Refuses to Pay Ransom; Employees Report to Arena to Reset Passwords in Person. The Minnesota city of St. Paul continues to respond to a ransomware attack, with the mayor saying it will pay no ransom. Instead, it's restoring systems from backups and verifying employees' identity at a centralized location before resetting their passwords.

Score: 56 • 100.0% similarity
3. Saint Paul cyberattack linked to Interlock ransomware gang

BleepingComputer • 3 days ago

Sergiu Gatlan, August 12, 2025 07:03 AM. The mayor of Saint Paul, Minnesota's capital city, has confirmed that the Interlock ransomware gang is responsible for a cyberattack that disrupted many of the city's systems and services in July. On July 29th, Minnesota Governor Tim Walz activated the National Guard in response to the crippling cyberattack that had affected St. Paul's digital services and critical systems. The city requested Minnes

Score: 56 • 100.0% similarity
4. Ransomware crew spills Saint Paul's 43GB of secrets after city refuses to cough up cash

Theregister • 2 days ago

Minnesota’s capital is the latest to feature on Interlock’s leak blog after late-July cyberattack. The Interlock ransomware gang has flaunted a 43GB haul of files allegedly stolen from the city of Saint Paul, following a late-July cyberattack that forced the Minnesota capital to declare a state of national emergency. The listing on Interlock’s dark web leak site, seen by The Register, was published

Score: 50 • 100.0% similarity
5. Hackers post stolen St. Paul data online as efforts to reset city employee passwords surge forward

Databreaches • 4 days ago

Mayor Melvin Carter said a hacker group on Monday posted 43 gigabytes of stolen data taken from server of St. Paul Parks and Rec Department. The InterLock ransomware group claims responsibility for the attack and leak. Rob Olson reports: For the second day, a steady stream of St. Paul employees streamed in and out of...

Score: 47 • 94.0% similarity

Cluster Intelligence

Key entities and indicators for this cluster

  • COUNTRIES: United States
  • MITRE ATT&CK: T1566, T1053, T1003, T1059, T1105
  • AGENCIES: Minnesota National Guard
  • INDUSTRIES: Public Sector, Government, Local Government
  • ATTACK TYPES: Data Exfiltration, Data Breach, Phishing
  • COMPANIES: Saint Paul City Government
  • CLUSTER INFORMATION: Cluster #1867, created 3 days ago, Semantic Algorithm