Minnesota National Guard Activated in Response to City of Saint Paul Ransomware Attack
August 15th, 2025

❓What:
The City of Saint Paul confirmed that the cyberattack it experienced in late July was a ransomware attack carried out by the ransomware gang Interlock. Threat intelligence company PRODAFT reports that the actors gained access to the city's systems via a custom build of the SystemBC Remote Access Trojan (RAT).
After the incident exceeded the city's response capacity, the state of Minnesota activated the National Guard's Cyber Protection Unit to work jointly with the city and the FBI in a recovery effort the Mayor has named Operation Secure St. Paul.
Interlock claims it stole ~66,000 files / 43 GB and has begun leaking data. The mayor said residents’ personal/financial info was "not impacted".
After the city made it clear that it would not pay the ransom, Interlock leaked over 42 GB of data stolen in the attack to its dark web portal. According to independent investigators, at least 280 of the stolen files and documents contain PII such as email archives, passport scans, and driver's licenses.
⚠️Impact:
Service disruption & revenue impact: Payment portals and some city services (e.g., libraries/recreation centers) were disrupted, delaying routine operations and billing.
Data exposure pressure: Despite the city claiming no confirmed exposure of residents’ financial data, Interlock’s leak claims increase extortion pressure and reputational risk.
Trend escalation: CISA/FBI warned days earlier of rising Interlock activity and double-extortion tactics—this incident reflects that risk to U.S. critical services.
Double extortion model: Interlock has been found to utilize an extortion model that not only encrypts data, but also threatens to upload stolen data to their dark web portal if the ransom is not paid.
💡Recommendations:
Contain & restore with rigor: Keep impacted segments isolated; rotate credentials & keys; validate offline backups; rebuild from known-good images; maintain clear public status updates on service availability.
Target likely TTPs: Enforce MFA everywhere, patch rapidly (OS, apps, edge), tighten egress/DNS filtering, and hunt for RAT/beacon artifacts associated with Interlock campaigns (e.g., SystemBC/NodeSnake).
Data-handling & third-party checks: Assess least privilege controls, disable stale accounts, verify vendor access and logging, and enable DLP/anomalous transfer alerts—especially around HR/finance repositories highlighted in the leak claims.
Readiness & comms: Perform tabletop exercises on ransomware + public leak scenarios; pre-stage legal/PR and resident-notification templates; prepare credit monitoring guidance if exposure is confirmed. Engage in information sharing with industry partners, such as MS-ISAC or the relevant sector ISAC.
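As an added example (not part of the original brief or any vendor tooling), a small Python detector for the "anomalous transfer alerts" recommended above: it sums outbound bytes per internal host per hour from constructed egress log lines and flags hosts that exceed a multiple of an assumed per-host baseline, the kind of bulk outbound transfer that precedes a double-extortion leak. The log format, host names, addresses and baseline values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample egress log lines (not real City of Saint Paul data).
# Assumed format: "<ISO-8601 timestamp> src=<internal host> dst=<external ip> bytes_out=<n>"
SAMPLE_LOGS = """\
2025-07-25T01:00:12Z src=fileserver01 dst=203.0.113.10 bytes_out=120000
2025-07-25T01:05:40Z src=fileserver01 dst=203.0.113.10 bytes_out=150000
2025-07-25T02:10:05Z src=fileserver01 dst=198.51.100.7 bytes_out=900000000
2025-07-25T02:20:31Z src=fileserver01 dst=198.51.100.7 bytes_out=1100000000
2025-07-25T02:31:08Z src=fileserver01 dst=198.51.100.7 bytes_out=950000000
2025-07-25T02:15:00Z src=hr-ws17 dst=203.0.113.10 bytes_out=30000
"""

# Assumed per-host baseline of outbound bytes per hour; in practice this is
# learned from weeks of flow data, it is hard-coded here for the example.
BASELINE_BYTES_PER_HOUR = {"fileserver01": 5_000_000, "hr-ws17": 2_000_000}

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")

def parse_events(text):
    """Yield (timestamp, src, dst, bytes_out); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group(2), m.group(3), int(m.group(4))

def egress_per_host_hour(events):
    """Sum outbound bytes and collect destinations per (host, hour bucket)."""
    totals, dests = defaultdict(int), defaultdict(set)
    for ts, src, dst, nbytes in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        totals[(src, bucket)] += nbytes
        dests[(src, bucket)].add(dst)
    return totals, dests

def find_bulk_egress(text, baseline=BASELINE_BYTES_PER_HOUR, ratio=10.0):
    """Return alerts for hosts whose hourly egress exceeds ratio x their baseline."""
    totals, dests = egress_per_host_hour(parse_events(text))
    alerts = []
    for (src, bucket), nbytes in sorted(totals.items()):
        limit = baseline.get(src, 1_000_000) * ratio  # unknown hosts get a 1 MB/hour default
        if nbytes > limit:
            alerts.append({"host": src, "hour": bucket.isoformat(), "bytes_out": nbytes,
                           "destinations": sorted(dests[(src, bucket)])})
    return alerts
```

Running `find_bulk_egress(SAMPLE_LOGS)` flags only fileserver01 in the 02:00 hour (about 2.95 GB to a single external address); the per-destination list helps the responder pivot to egress and DNS filtering for that host.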