When Ransomware Becomes a Civic Emergency: What Cities Must Learn from St. Paul


When ransomware hits a city, it stops being an IT story and becomes a public safety problem. In 2025, St. Paul, Minnesota gave us a template for what that escalation looks like.

When “IT Outage” Turns into a State of Emergency

On July 25, 2025, St. Paul began detecting suspicious activity on its internal networks, the first sign of what would become a full‑blown cyber crisis. Over the next few days, the incident metastasized from “weird logs” into a deliberate shutdown of city systems to contain a coordinated digital attack.

By July 28, officials had pulled the plug on core networks: online payment portals, public Wi‑Fi, and internal applications were taken offline to prevent further spread. Emergency services like 911 stayed operational, but most digital conveniences that underpin modern city life blinked out.

On July 29, Mayor Melvin Carter publicly confirmed the incident was not a glitch but a criminal cyberattack and declared a local state of emergency, unlocking faster decision‑making and resources. That same day, Minnesota’s governor activated the National Guard’s cyber protection unit — its first in‑state deployment — to reinforce local and federal responders. At that point, St. Paul’s “IT outage” was formally a civic emergency.

This is the pattern worth watching: detection, defensive shutdown, public emergency declaration, and military‑grade cyber support. It will not be the last time a city runs this play.

The St. Paul Ransomware Playbook

St. Paul’s attack followed a now‑familiar ransomware arc: intrusion, containment, extortion, and public data leak.

  • The city shut down its information systems as a defensive move, sacrificing availability to save integrity and limit the intruder’s reach.

  • Investigators later confirmed the incident as a ransomware attack by a group using a variant known as “Interlock,” a profit‑driven ransomware‑as‑a‑service operation.

  • Guided by the FBI and National Guard, city leadership refused to pay the ransom, accepting short‑term disruption in exchange for longer‑term leverage and precedent.

The attackers responded by dumping about 43 gigabytes of stolen data from a Parks and Recreation network drive — ID images, work documents, even stray personal files — online. Relative to the roughly 153 terabytes of data the city maintained, it was a small slice, but it was enough to create reputational and privacy fallout. Recovery was slow: weeks later, St. Paul reported only about 75% of systems restored and was still dealing with the operational and political aftershocks.

You can read this as a cautionary tale about patching or backups. It’s more useful to read it as a case study in how cyber incidents now trigger the same emergency management machinery as floods, blizzards, or blackouts.

Why This Story Will Repeat

St. Paul was not an outlier; it was an early warning. The city was one of at least six Minnesota government entities hit by ransomware within a year. Other U.S. municipalities and critical infrastructure operators have faced similar attacks, revealing common weaknesses: underfunded IT, legacy systems, patchwork vendors, and political turnover that makes long‑term investment hard.

From the attacker’s perspective, cities make excellent targets:

  • They run sprawling, interconnected systems — from billing to permitting to traffic control — often with brittle security and opaque dependencies.

  • They hold valuable data but are constrained by transparency laws, political scrutiny, and limited budgets, all of which increase pressure when things go wrong.

  • Ransomware gangs know a successful playbook scales. Once one capital city is forced into emergency measures, every similar jurisdiction becomes a tempting test case.

This isn’t just about city halls. Counties, school districts, utilities, transit agencies, and small regulators share many of the same risk factors and often weaker defenses. The St. Paul playbook — a cyberattack escalating to state of emergency and National Guard support — is likely a preview, not an anomaly.

From IT Incident to Public Safety Event

The single most important mental shift for municipal leaders is to categorize major ransomware as a public safety and continuity of government event, not just a technology incident.

St. Paul’s response shows how this reframing works in practice:

  • The city activated its emergency operations center and pulled in state and federal partners, including the National Guard’s Cyber Protection Team, to coordinate technical response and civic continuity.

  • Cyber response was folded into existing emergency management structures rather than handled as a siloed IT problem. That alignment allowed faster coordination across departments and agencies.

For other cities, this implies a few governance upgrades:

  • Make sure cyber incidents are explicitly covered in emergency operations plans and hazard mitigation strategies, with clear thresholds for EOC activation.

  • Define incident command roles in advance: who is IC, who handles public information, who owns continuity of operations, and how IT/security plugs into that structure.

  • Practice escalation: simulate the move from “IT is working on it” to “we are declaring a local emergency” so that no one is improvising under pressure.

When the Wi‑Fi at libraries goes down, you can wait on hold with a vendor. When there is a credible threat to essential city services, you need the same discipline you’d apply to a chemical spill or tornado.

Continuity of Operations for a Crypto‑Locked City

If you run a city, the right question is not “What if we get hit?” It’s “What still works when we get hit?”

1. Decide what must never fail

Start with a brutally short list of non‑negotiables:

  • 911 and dispatch systems.

  • Water, sewer, and power coordination (even if utilities are nominally separate entities).

  • Public health and emergency medical coordination.

  • Payroll and treasury functions needed to keep people and critical vendors paid.

St. Paul’s experience shows that keeping 911 running while other systems are offline is possible but requires forethought and technical segregation.

2. Map civic services to technical dependencies

For each essential service, identify:

  • Which applications, databases, and networks it depends on.

  • Which vendors, cloud services, or shared infrastructure underpin those components.

  • What the manual fallback is if a given system disappears.

During St. Paul’s shutdown, loss of online payments and internal apps did not collapse emergency response but materially affected everyday services like billing, licensing, and public internet access. You should know today which of your services would be similarly impacted.

3. Build degraded‑mode playbooks

Degraded mode is where you will live during a major ransomware event. That means:

  • Paper forms for critical processes, pre‑printed and stored where staff can get them.

  • Manual routing for key workflows (e.g., radio or phone for dispatch when CAD is degraded).

  • Physical, non‑network‑dependent access controls for secure locations.

St. Paul’s post‑incident investments — phishing drills, tabletop exercises, and employee training — reflect a recognition that human workarounds are part of resilience, not an admission of defeat.

4. Treat backups as a promise, not a checkbox

Having backups is not the same as being able to restore what matters in 24–72 hours. A realistic continuity plan should answer:

  • Which systems can you restore quickly, and from where.

  • How you will prioritize restoration when you cannot bring everything back at once.

  • How you will verify backup integrity before you are in crisis.

St. Paul’s multi‑week, phased restoration underscores that you will not be flipping a single switch to return to normal; you will be triaging.
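The dependency mapping from step 2 and the restoration triage from step 4 can be kept as data and computed rather than argued about mid-incident. The sketch below is an added example, not taken from St. Paul's response: the service names, tiers, and dependencies are a constructed inventory, and tier 1 stands for the "must never fail" list.

```python
import heapq
from graphlib import TopologicalSorter

# Constructed sample inventory (not St. Paul's real systems).
# tier 1 = "must never fail"; deps = technical dependencies.
SERVICES = {
    "911-dispatch":    {"tier": 1, "deps": ["cad-db", "radio-gateway"], "fallback": True},
    "payroll":         {"tier": 1, "deps": ["erp-db", "identity"], "fallback": False},
    "online-payments": {"tier": 2, "deps": ["erp-db", "identity", "payment-vendor"], "fallback": True},
    "permitting":      {"tier": 3, "deps": ["erp-db", "identity"], "fallback": False},
}
COMPONENT_DEPS = {"cad-db": ["identity"], "erp-db": ["identity"]}

def deps_of(node):
    if node in SERVICES:
        return SERVICES[node]["deps"]
    return COMPONENT_DEPS.get(node, [])

def urgency():
    """Every node inherits the lowest tier of any service that needs it."""
    urg = {}
    for name, svc in SERVICES.items():
        stack = [name]
        while stack:
            node = stack.pop()
            if urg.get(node, 99) <= svc["tier"]:
                continue  # already reached from an equally or more urgent service
            urg[node] = svc["tier"]
            stack.extend(deps_of(node))
    return urg

def restore_order():
    """Dependencies first; among restorable nodes, most urgent tier first."""
    urg = urgency()
    ts = TopologicalSorter({n: deps_of(n) for n in urg})
    ts.prepare()  # raises CycleError on a circular dependency
    heap, order = [], []
    while ts.is_active():
        for n in ts.get_ready():
            heapq.heappush(heap, (urg[n], n))
        _, node = heapq.heappop(heap)
        order.append(node)
        ts.done(node)
    return order

def fallback_gaps(max_tier=1):
    """Essential services with no manual fallback recorded."""
    return sorted(s for s, v in SERVICES.items()
                  if v["tier"] <= max_tier and not v["fallback"])
```

On this inventory the shared identity system surfaces first in the restore order because every tier-1 service depends on it, and payroll is flagged as an essential service with no manual fallback on record.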

Talking to Citizens When the City Is Under Digital Fire

St. Paul’s leaders had to communicate in the middle of uncertainty: acknowledging an ongoing criminal investigation, explaining service disruptions, and addressing privacy fears while not giving attackers useful information.

Cities can borrow several communication lessons:

1. Prepare messages before you need them

Have pre‑reviewed templates for:

  • Initial acknowledgement of a cyber incident and what residents should (and should not) do.

  • Service status updates (what’s down, what’s up, expected timelines).

  • Guidance about payments, scams, and misinformation.

St. Paul provided regular public updates through an incident information hub as recovery progressed, which helped maintain some trust even when specifics were scarce.

2. Plan for degraded digital channels

If your main website or email is offline, you will need:

  • Pre‑coordinated relationships with local media for emergency broadcasts.

  • Use of social channels hosted on unaffected platforms, if available, or regional/state channels that can amplify your messages.

  • Physical signage and in‑person updates at city facilities for residents who don’t live online.

3. Balance transparency and operational security

St. Paul disclosed that the attack was ransomware, that a specific group claimed responsibility, and that a defined quantity and type of data was leaked, while declining to detail the intrusion path or ransom demand. That is a good pattern: enough detail to be credible and accountable, but not enough to invite copycats or complicate forensics.

4. Actively counter misinformation

Any major outage will produce rumors — about water quality, crime, taxes, or data exposures. Designate a team to monitor public channels and rapidly correct falsehoods. Involve trusted community leaders where possible to carry accurate messages into neighborhoods.

Minimum Tabletop Scenarios for Municipal Ransomware

St. Paul’s experience has already prompted training and simulations for thousands of city employees, including phishing drills and cyber “war games.” Other cities should not wait to be a case study; they should run their own exercises now.

Here are three scenarios worth institutionalizing:

Scenario 1: “City Hall Dark Monday”

  • Monday 8 a.m.: internal email, ERP, and permitting systems are offline after a weekend ransomware event.

  • Exercise goals: who declares an incident, how you communicate with staff, what gets prioritized for restoration, when you escalate to emergency management.

Scenario 2: “911 Under Strain”

  • Dispatch systems are degraded; call volumes are normal or high (e.g., due to a storm), but CAD is unreliable.

  • Exercise goals: how dispatchers fall back to manual processes, how police/fire/EMS coordinate, and what changes in response times and triage.

Scenario 3: “Data Dump Deadline”

  • Attackers threaten to release sensitive data — employee records, police reports, case information — on a set date unless paid.

  • Exercise goals: decision‑making about ransom, legal/privacy implications, public messaging, and support for affected employees or residents.

Each scenario should bring together IT/security, emergency management, law enforcement, fire/EMS, legal, HR, finance, communications, and elected leadership. Success is not “we solve the scenario”; it is “we discover brittle assumptions and fix them before reality tests us.”

Politics, Budgets, and Doing the Possible

Ransomware response is not just technical; it is inherently political. St. Paul’s leaders had to explain costs, justify decisions not to pay a ransom, and commit to future investments while services were still coming back online.

For other cities:

  • Frame cybersecurity as resilience and public safety, not an IT line item. Use St. Paul and peers as concrete evidence that the risk is real and near‑term.

  • Prioritize low‑regret investments: identity hardening, tested backups, incident response retainers, and recurring tabletop exercises. These buy you more resilience per dollar than another niche tool.

  • Use high‑profile incidents as political cover to modernize governance — incident command, continuity planning, procurement agility — not just to buy hardware and software.

The social contract is shifting. Residents increasingly expect that cyber incidents will happen, but they also expect their city to be honest, prepared, and resilient when they do.

The New Civic Normal

St. Paul’s 2025 ransomware crisis marked a turning point: a U.S. capital city invoking emergency powers and National Guard cyber units to defend itself from a digital extortion crew. That moment crystallized a reality many practitioners already understood—ransomware has joined hurricanes and power failures on the list of scenarios every city must plan for.

If you work in or with local government, the call to action is direct. Treat ransomware not as a distant headline but as a foreseeable hazard. Run one serious tabletop this quarter, identify at least three high‑impact gaps, and start closing them before you find yourself drafting an emergency declaration at 3 a.m.

