Ransomware Attack on Minnesota Capital City

MIT CYBERSECURITY CLINIC

The new MIT Cybersecurity Clinic (11.274 and 11.074) will be offered in both the fall and spring semester at MIT.

The Cybersecurity Clinic will consist of four-modules : Cybersecurity for Critical Urban Infrastructure: Understanding the Problem; How the MIT Cybersecurity Clinic Makes Initial Contact with potential Client Agencies; Onsite Assessment of Cybersecurity Vulnerability by MIT Clinic Staff; and Prepare and Submit a Final Cybersecurity Vulnerability Assessment to a Client Agency. MIT students who want to take on field assignments with the Cybersecurity Clinic (for academic credit) must pass the certification examination offered at the end of the fourth module.

Students who have achieved certification, will work in teams supervised by advanced doctoral and post-doctoral students during the last nine weeks of the spring semester to collaborate with an assigned client agency to prepare a Cyberattack Vulnerability Assessment for a client agency.

WHO WE ARE

We are developing a new class of non-technical strategies against cyberattacks called Defensive Social Engineering. Cyber defenders can use Defensive Social Engineering along with technical tools to defeat or compromise attackers. One technique in the Defensive Social Engineering toolbox is Cyber Negotiation. This research is supported by MIT’s Internet Policy Research Initiative (IPRI).

RESOURCES

Click here for a list of publications and resources

ABOUT THIS BLOG

click above to read more about this blog and watch the short animation below

Ransomware Attack on Minnesota Capital City

September 19, 2025
Governments Push for Windows 11 Migration as Windows 10 End Nears in October

September 1, 2025
CIRCIA Proposed Regulations Uncertain Ahead of October Final Rule Publication

April 2, 2025
USA Today: Cyberattacks on Critical Infrastructure Are Increasingly Common

January 10, 2025
CISA Proposed Cybersecurity Incident Reporting Requirements for Critical Infrastructure Companies Opened for Comment

December 18, 2024
Boston Globe: How to Thwart Hackers (Local Cybersecurity)

June 5, 2023
Quick guide to the 6 ways we can regulate AI (MIT Tech Review)

May 30, 2023
World agencies issue cybersecurity guidance for smart cities

April 27, 2023
The Electronic Frontier Foundation Opinion Piece on the U.N. Cybercrime Treaty

April 18, 2023
Cyberattacks on local governments 2020: findings from a key informant survey

February 21, 2023

September 19, 2025

Ransomware Attack on Minnesota Capital City

On July 25th, Minnesota’s capital, St. Paul, fell victim to a major cyber attack. City officials moved quickly to contain the breach, ultimately shutting down their networks on July 28th to prevent more damage. Mayor Melvin Carter declared a state of local emergency, and on July 29th, Governor Tim Walz activated the Minnesota National Guard’s 177th Cyber Protection Team to assist with the situation recovery.^[1] It was a historic moment, as the unit had never been deployed within the state before in its eight years of existence. The National Guard stayed on duty in St. Paul until August 17th, working side by side with city staff and federal investigators.^[2]

Carter described the cybercriminals responsible for the attack as a “sophisticated” and “money-driven” ransomware group. The attackers, identified as the group Interlock, demanded payment to restore systems and keep stolen data private. Following guidance from the FBI and National Guard, city leaders refused their demands. In response, the hackers posted about 43 gigabytes of stolen city data online. Carter later explained that most of the compromised files originated from a shared drive in the city’s Parks and Recreation Department. The contents varied widely, from work documents and ID copies to personal odds and ends like recipes. Although substantial, the leaked data was only a tiny part of the 153 terabytes the city maintains.^{[1, 3]}

Meanwhile, the service disruption caused by the attack has led many city operations to shift into what Carter calls “manualizing.” In libraries, for example, staff have gone back to using physical checkout cards to track borrowed items.^[4] The city has been giving regular updates on its recovery process through its official channels.^[5] To prevent future breaches, St. Paul has started investing in training and simulations. City employees now participate in phishing drills and tabletop exercises, which are modern “war games” designed to prepare them for real-world cyberattacks. “Over 3,500 St. Paul city employees now have absolutely the longest passwords of their entire lives,” Carter remarked.^[4]

The mayor adds that St. Paul is not alone. At least half a dozen Minnesota cities, including nearby North St. Paul, have already experienced cyber incidents in 2025.^[4] The St. Paul attack has spurred a broader push for “whole-of-state cybersecurity”: a philosophy focused on cooperation among cities, counties, state agencies, and federal partners. Officials believe that by uniting within this framework, governments can better defend themselves against increasingly aggressive cyber threats adversaries.^[2]

References:

[1] Government Technology. St. Paul, Minn., Systems Come Back Online After Cyber Attack. 2025.

[2] Government Technology. St. Paul Cyber Attack Sparks Reflections, Calls to Action. 2025.

[3] KSTP. St. Paul Cyberattack: Organization Takes Credit for Ransomware Attack on City, Releases Some Data. 2025.

[4] MinnPost. Short of Outlawing Clickbait, Minnesota Lawmakers Have No Easy Fixes for Cyberattacks. 2025.

[5] St. Paul Government. Important Information on City Services During Digital Security Incident. 2025.