More than a month after a cyberattack forced the city of St. Paul to shut down its computer systems, services are gradually coming back online.
In recent days, the city has restored its phone service, online water bill payments, and its Parks and Recreation payment systems, according to the mayor’s office. St. Paul Regional Water Services has said it won’t charge late fees for bills during the outage.
Library cataloging and checkout systems also have been restored, though as of Thursday, public internet terminals were still offline. Internally, network and shared drives have been restored as well, Mayor Melvin Carter’s spokesperson Jennifer Lor said in an email.
“We are now in recovery,” she wrote. “Our approach is deliberate, prioritized, and secure: systems are brought back only after testing and validation, with priority given to those essential for public safety, financial stability, and daily operations.”
City officials were confident by Aug. 20 that its Microsoft email and data storage were secure once again, according to the Office of Technology and Communications. Emergency services such as 911 were not interrupted by the cyberattack.
Reset nearly complete, lawmakers briefed
It’s not clear when city systems will be fully restored, though officials have signaled that the reset is nearly complete.
Carter and leaders of the city’s emergency response to the attack briefed members of Minnesota’s Legislative Commission on Cybersecurity at the state Capitol on Wednesday.
“This careful approach is allowing us to restore services with confidence, safely and securely,” said Jaime Wascalus, director of the Office of Technology and Communications for St. Paul. “We’re checking absolutely everything before we bring it online.”
Wascalus told state lawmakers that the city had a “trusted foundation” to rebuild its systems because it had clean data backups from July 25 that weren’t affected by the hack.
What is the cost?
Many questions remain about the July cyberattack, including how much it will cost the city.
Ransomware attacks on Baltimore and Atlanta in the late 2010s cost taxpayers more than $17 million, according to local news reports. In Atlanta, hackers demanded $51,000 in Bitcoin, the Atlanta Journal-Constitution reported in 2018. Like St. Paul, the city of Atlanta refused.
Carter said the FBI and Minnesota National Guard advised against paying a ransom.
St. Paul officials still haven’t said how much the hackers demanded or described the exact nature of their threats, though they have confirmed the city was targeted by a ransomware variant known as “Interlock” and that the attack came from a “sophisticated” and “money-driven” group known for stealing and selling sensitive information from corporations, hospitals and governments.
The federal government’s Cybersecurity and Infrastructure Security Agency issued a warning about Interlock attacks on July 22. The ransomware variant was first identified in September 2024.
Attack caught early on
City officials also haven’t disclosed how hackers gained access to city systems or in which department the attack originated.
Officials seem confident they avoided any widespread problems by catching the hack very early on. Hackers posted about 43 gigabytes of city parks and rec department data after St. Paul refused to meet their demands, a minuscule fraction of the 153 terrabytes the city keeps.
Carter said he didn’t think the hackers obtained any sensitive or valuable information because they posted it for free online after the city refused to pay them.
City officials have said there’s no evidence that resident information like names, addresses and phone numbers was affected.
They say its because bill payment information, like credit card numbers, is generally handled by “cloud-based” applications and should not have been affected by the hack.
Timeline
The city detected the attack on July 25 and started working to contain the threat within its computer systems. On July 28, the city fully shut down its networks to prevent more damage.
One of the first big hurdles was for the city to pay employees on time. City human resources had to set up a makeshift office and manually build new spreadsheets to handle payroll. They were able to send out checks by the Aug. 8 payday.
After resetting credentials, St. Paul city employees checked with technology staff to ensure their devices are installed with security software in this area of the Roy Wilkins Auditorium basement, pictured Saturday, Aug. 9, 2025. (Alex Derosier / Pioneer Press)
Two weeks after the attack, the city had set up a sprawling operation in the basement of Roy Wilkins Auditorium at the RiverCentre in downtown St. Paul for more than 3,000 employees to report in person for new login credentials.
City employees started showing up on Sunday, Aug. 10, and the effort took several days. The center was open from 6 a.m. to 10 p.m. Officials dubbed it “Operation Secure St. Paul.”
St. Paul had to borrow computers from Bloomington, Eden Prairie, Elk River, Minneapolis and Sherburne County to run the reset operation, Wascalus said.
As Carter declared a state of local emergency, Gov. Tim Walz on July 29 activated the Minnesota National Guard’s 177th Cyber Protection Team to aid the city in the effort. They worked with the city from July 29 to Aug. 17.
Hackers posted data on Aug. 11, though Carter called the contents “varied and unsystematic.” Data came from a network drive used by the Parks and Recreation department where employees stored personal files and was not tied to core systems like payroll or licensing, the mayor said.
Files included images of employee identification cards submitted to human resources, work documents, or even “personal items like recipes,” according to the city.
Once the more than 3,000 employees were cleared, the city slowly started restoring services.
Ramsey County Manager Ling Becker told the Ramsey County board at a recent meeting that the county and St. Paul had restored their email connection on Aug. 25.
St. Paul was one of six government bodies in Minnesota attacked with ransomware in the last year, Carter said.
On Aug. 4, the city of North St. Paul said its police department had been targeted in a hack that may have compromised “some data.”
Related Articles
MCA scores flat for MN students, St. Paul Public Schools sees slight improvements
West St. Paul police: Officer fatally shot man who fired at police during standoff
As The Lexington turns 90, a public celebration and a new chef
Molly Coleman is seated on the St. Paul City Council
Here’s a look at the University of St. Thomas’ Lee and Penny Anderson Arena as opening nears
Leave a Reply