The recent ransomware attack on the City of St. Paul should be a wake-up call for municipal governments nationwide.
After three weeks of disrupted services, National Guard deployment, and ongoing recovery efforts, St. Paul's experience demonstrates both the severe consequences of cyberattacks and the critical importance of rapid response. In this blog, I’ll discuss key takeaways for other local government decision-makers to avoid being the next cautionary tale.
An Overview of the Attack

Here’s a brief timeline and overview of everything we know so far:
July 22: The federal Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI and other federal partners, issued a public advisory detailing the tactics of the Interlock ransomware group, the group later identified as responsible for St. Paul's ransomware attack.
July 25: St. Paul's IT team detected suspicious activity and began taking affected systems offline to contain the intrusion.
July 28: Mayor Carter declared a state of emergency after confirming it was a deliberate ransomware attack by a sophisticated criminal organization.
End of July: Governor Walz deployed the Minnesota National Guard's cyber team to assist with the response.
August 15: The National Guard finished their work after nearly 3 weeks, though the city’s recovery is ongoing.
Attack Impact: Hackers stole 43 gigabytes of data (primarily from Parks & Recreation) and demanded a ransom. The city refused to pay, so attackers posted the stolen data online.
The Probable Cause: The city has not publicly confirmed the initial entry point. A city worker clicking on a phishing email is the most common way this type of attack starts, but it is worth noting that CISA's advisory describes Interlock's initial access as typically coming from drive-by downloads served by compromised legitimate websites and from fake update or CAPTCHA prompts (the "ClickFix" technique), so an employee on an ordinary web page is just as plausible as a phishing link.
Recovery Losses: Wi-Fi in city buildings went down, online bill payment was disabled, customer service lines were affected, many city employees couldn't access systems to do their jobs, and over 3,500 city employees required complete credential resets.
Response: FBI, National Guard cyber team, and two private cybersecurity firms worked together on the investigation and recovery. All employees went through credential resets as part of Operation Secure Saint Paul.
Did the City Respond Correctly?
I’d say yes, for the most part! A cyberattack like this can be devastating, and so I’m not here to point fingers. Local government IT teams are often understaffed and under-resourced.
The city detected the attack on July 25 and started working to contain the threat within its computer systems, but it did not fully shut down its networks until July 28. When it comes to an effective incident response, the difference between minutes, hours, and days can be the difference between a bad day and a catastrophe. Some of the widespread disruption and cost this attack caused could likely have been minimized with a faster and more aggressive response.
However, there is one thing I want to commend the city on without reservation: not paying the ransom.
Why Shouldn’t You Pay To Stop a Ransomware Attack?
There are a number of reasons paying a ransom is a bad idea:
- There’s no guarantee that you’ll get your data back
- Even if they send you the decryption key after paying the ransom, that key might not work, or decryption may be so slow and error-prone that you end up restoring from backups anyway
- If the attackers have already stolen your data, as they did in St. Paul, paying cannot undo the theft; you are relying on a criminal's promise to delete it
- Paying off a cybercriminal increases the odds they’ll attack you again
- The more often ransomware pays off, the more time and effort cybercriminals will put into developing more devastating attacks
- Payments to groups under U.S. Treasury (OFAC) sanctions can expose your organization to legal liability, so a payment decision should never be made without legal counsel and law enforcement involved
The State of Cybersecurity for US Local Governments

The vast majority of cybercriminals are opportunists, out to make a quick buck. To be clear, that’s not the case when it comes to the cybercriminals who attacked St. Paul.
According to St. Paul Mayor Melvin Carter, the cybercriminals who attacked St. Paul were part of a "sophisticated, money-driven organization known for stealing and selling massive volumes of sensitive information from large corporations, hospitals, and governments." And unfortunately, that’s becoming more and more common for government organizations.
Here are a few recent stats:
- Government entities are the third most-targeted sector for ransomware attacks
- The average ransom for government organizations is over $1M
- There are over 90,000 different local governments in the U.S., many of which use the same software, so cybercriminals can take a broad approach to their attacks
Cybersecurity Requirements for Local Governments

As a CISO who has worked extensively with municipal clients, I can tell you that local governments face unique cybersecurity challenges that require specific defensive strategies. Unlike private companies that can selectively limit access, cities must maintain public transparency while protecting sensitive data.
Here's what every local government needs to implement as baseline cybersecurity requirements:
1. Critical Infrastructure Protection
Local governments must maintain network segmentation that isolates critical systems from general business operations. Emergency services (911 dispatch, police communications, fire department systems) should operate on completely separate networks from administrative functions like permitting or tax collection. That way, even if ransomware cripples city operations, emergency services remain functional. Segmentation is only as good as its enforcement: if the emergency-services network shares an identity domain, administrator credentials, or a flat management VLAN with the business network, an attacker who owns one will own both. Firewall rules between segments should deny by default and be reviewed alongside privileged access.
Cities also need offline (or immutable) backups that are tested regularly and can restore operations within 72 hours. Ransomware operators routinely go after backup servers and backup consoles before they encrypt anything, so a backup that is reachable with the same credentials as production is not an offline backup. This isn't just about data. It's about maintaining essential services.
2. Access Control and Authentication Standards
Because it only takes a single successful phishing attack to unleash devastation, every access point should require multifactor authentication — no exceptions. I’m talking about employee workstations, administrative portals, vendor access systems, and especially privileged accounts. The St. Paul attack demonstrates just how quickly attackers can move through networks once they gain initial access. MFA raises the cost of turning one stolen password into access everywhere else, which slows down or stops lateral movement. Not all MFA is equal, though: SMS codes and push notifications can be phished or approved out of fatigue, so for administrators prefer phishing-resistant methods such as FIDO2 security keys or passkeys.
Cities must implement strict controls over administrative accounts, including regular access reviews, time-limited privileges, and comprehensive logging of all administrative activities. Too many municipal breaches occur because attackers compromise accounts with excessive privileges that were granted years ago and never reviewed.
Local governments work with numerous contractors. Every external connection represents a potential attack vector and must be controlled through regular vendor due diligence and through technical controls: a dedicated, named account per vendor, MFA, access that expires when the engagement ends, and logging of what the vendor actually touched.
3. Cybersecurity Monitoring and Threat Detection
Business-hours-only cybersecurity isn’t enough anymore. Local municipalities should implement security information and event management (SIEM) systems with either in-house or managed security operations center (SOC) services that provide round-the-clock monitoring. Attackers often strike during weekends and holidays when they know IT staff availability is limited.
Every city device — from executive laptops to library public computers — needs endpoint detection and response capabilities that can detect, isolate, and respond to threats automatically.
Sophisticated attackers often try to blend in with normal network activity. So I’d also recommend implementing tools that continuously analyze network traffic patterns to identify unusual data flows, unauthorized connections, or command-and-control communications.
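To make the three detection ideas above concrete, here is an added example (mine, not anything the city, the National Guard, or the responding firms used) that runs three simple rules over constructed sample log lines: privileged logins on weekends or outside business hours, a workstation checking in to one outside host at a fixed interval (the shape of command-and-control beaconing), and bulk outbound transfer to outside hosts. The log format, the 07:00 to 19:00 business window, the internal address ranges, and the thresholds are all assumptions; a real SIEM rule would be tuned to your own environment.

```python
"""Three toy detection rules over constructed log lines.

Added example for this post; not the city's or any vendor's tooling.
The log format, address ranges, business hours and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Hypothetical internal address space (assumption). Anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed authentication events (key=value). 2025-07-26 and 27 are a weekend.
AUTH_LOGS = [
    "ts=2025-07-25T14:02:11 user=jdoe src=10.20.5.14 result=success priv=no",
    "ts=2025-07-26T02:17:43 user=admin-backup src=10.20.9.7 result=success priv=yes",
    "ts=2025-07-26T02:19:02 user=admin-backup src=10.20.9.7 result=success priv=yes",
    "ts=2025-07-28T09:30:00 user=it-admin src=10.20.9.3 result=success priv=yes",
    "ts=2025-07-28T22:40:00 user=it-admin src=10.20.9.3 result=success priv=yes",
    "ts=2025-07-27T23:55:10 user=svc-parks src=10.20.7.21 result=failure priv=no",
]

# Constructed flow records (key=value): source, destination, bytes sent.
NET_LOGS = [
    # A workstation checking in to one outside host roughly every 60 seconds.
    "ts=2025-07-24T03:00:00 src=10.20.9.7 dst=203.0.113.10 bytes=512",
    "ts=2025-07-24T03:01:01 src=10.20.9.7 dst=203.0.113.10 bytes=512",
    "ts=2025-07-24T03:02:00 src=10.20.9.7 dst=203.0.113.10 bytes=512",
    "ts=2025-07-24T03:02:59 src=10.20.9.7 dst=203.0.113.10 bytes=512",
    "ts=2025-07-24T03:04:01 src=10.20.9.7 dst=203.0.113.10 bytes=512",
    "ts=2025-07-24T03:05:00 src=10.20.9.7 dst=203.0.113.10 bytes=512",
    # Ordinary browsing: irregular gaps to an outside host.
    "ts=2025-07-24T08:00:00 src=10.20.5.14 dst=198.51.100.5 bytes=4200",
    "ts=2025-07-24T08:00:05 src=10.20.5.14 dst=198.51.100.5 bytes=900",
    "ts=2025-07-24T08:07:30 src=10.20.5.14 dst=198.51.100.5 bytes=17000",
    "ts=2025-07-24T08:30:00 src=10.20.5.14 dst=198.51.100.5 bytes=2300",
    "ts=2025-07-24T09:10:00 src=10.20.5.14 dst=198.51.100.5 bytes=8800",
    "ts=2025-07-24T09:11:00 src=10.20.5.14 dst=198.51.100.5 bytes=1200",
    # Two large uploads (about 46 GB in total) from a server to the same outside host.
    "ts=2025-07-24T04:10:00 src=10.20.7.21 dst=203.0.113.10 bytes=25000000000",
    "ts=2025-07-24T04:55:00 src=10.20.7.21 dst=203.0.113.10 bytes=21000000000",
    # A large internal copy to a file server: internal-to-internal, not exfiltration.
    "ts=2025-07-24T05:00:00 src=10.20.5.14 dst=10.20.1.1 bytes=900000000000",
]


def parse(line):
    """Turn 'k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_external(ip):
    """True if the address is outside the (assumed) internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def off_hours_privileged_logins(lines, start=time(7), end=time(19)):
    """Successful privileged logins on a weekend or outside start..end."""
    hits = []
    for rec in map(parse, lines):
        if rec["priv"] != "yes" or rec["result"] != "success":
            continue
        ts = rec["ts"]
        if ts.weekday() >= 5 or not (start <= ts.time() < end):
            hits.append((rec["user"], ts.isoformat()))
    return hits


def beacon_candidates(lines, min_gaps=4, max_cv=0.1):
    """(src, dst, interval_s) pairs whose outbound contacts are evenly spaced.

    Evenness is the coefficient of variation (stdev / mean) of the gaps
    between contacts: human browsing is bursty, a malware timer is not.
    """
    times = defaultdict(list)
    for rec in map(parse, lines):
        if is_external(rec["dst"]):
            times[(rec["src"], rec["dst"])].append(rec["ts"])
    found = []
    for (src, dst), ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) >= min_gaps:
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                found.append((src, dst, round(avg)))
    return found


def exfil_candidates(lines, threshold_bytes=1_000_000_000):
    """Sources whose total bytes sent to outside hosts reach the threshold."""
    totals = defaultdict(int)
    for rec in map(parse, lines):
        if is_external(rec["dst"]):
            totals[rec["src"]] += int(rec["bytes"])
    return {src: n for src, n in totals.items() if n >= threshold_bytes}


if __name__ == "__main__":
    print("off-hours privileged logins:", off_hours_privileged_logins(AUTH_LOGS))
    print("beacon candidates:", beacon_candidates(NET_LOGS))
    print("bulk outbound transfer:", exfil_candidates(NET_LOGS))
```

Run against the sample data, the three rules flag the two Saturday logins by admin-backup and the 22:40 login by it-admin, the 60-second check-ins from 10.20.9.7 to 203.0.113.10, and the 46 GB sent by 10.20.7.21 to that same host; the 900 GB internal copy to the file server is ignored on purpose, because counting internal traffic would bury the real signal in backup jobs. Two caveats a practitioner would add: the beacon rule is deliberately naive (real implants add random jitter, so a production rule loosens max_cv and looks at other features such as response size and destination reputation), and a 60-second timer to an outside host that is also receiving tens of gigabytes from a file server is exactly the kind of correlation a SIEM exists to make.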
4. Data Protection and Classification
Categorize your data based on sensitivity and public disclosure requirements. Employee personal information, law enforcement records, and financial data require different protection levels than park schedules!
All sensitive data must be encrypted both in transit and at rest. This includes database encryption, secure email systems, and encrypted storage for backup systems. Encryption doesn't prevent breaches, and it is worth being precise about what it does prevent: encryption at rest protects against a stolen disk, laptop, or backup tape, but an attacker who has taken over an account that is authorized to read the data will read it in the clear, exactly as that user would. Files exfiltrated in an intrusion like St. Paul's are typically read through compromised accounts or systems that already had access to them, so at-rest encryption alone would not have rendered them useless. Encryption in transit combined with strict access control, so that sensitive records are readable only by the roles that need them, is what limits how much a single compromised account can steal.
You should also have clear policies for how long different types of data are retained and how they're securely destroyed when no longer needed. Reducing your data footprint reduces how much an attacker can steal and how much you must protect, notify about, and recover.
5. Incident Response and Business Continuity
Every city needs a documented, regularly tested incident response plan that defines roles, responsibilities, and communication procedures during a cyberattack. This plan must include decision trees for system isolation, criteria for declaring emergencies, and pre-established relationships with external response partners.
Define specific time targets for restoring different city services (recovery time objectives) and how much data loss each service can tolerate (recovery point objectives), and ensure your backup and recovery systems can actually meet these objectives in a test, not just on paper. Emergency services might need restoration within hours, while less critical functions might be acceptable for days or weeks.
6. Compliance and Governance Requirements
Conduct annual penetration testing and quarterly vulnerability assessments of all city systems. These aren't just compliance checkboxes. They're essential for identifying any weaknesses before an attacker can.
Remember, your employees are often the weakest link against cyberattacks, and phishing remains the most common way attackers exploit that. So all employees must receive security awareness training at least annually, with more frequent updates for users with elevated access. The training should be engaging and relevant to municipal operations, and it should make reporting easy and blame-free: an employee who reports a click within minutes gives your team a chance to contain it, while one who stays quiet out of fear gives the attacker days.
Finally, I recommend maintaining comprehensive cybersecurity insurance that covers not just data breach costs but also business interruption, emergency response services, and potential liability from service disruptions.
How To Test Your NIST Compliance
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidelines that organizations can use to assess whether they are currently following cybersecurity best practices. However, if you’d like a quick gut check, the Marco cybersecurity team has put together an online assessment that can give you a good sense of whether your cybersecurity posture is sufficient. Some government organizations that have taken our assessment get a little peace of mind, and others know exactly where they need to make updates, prioritized by risk. Click the link below to access it!
