St. Paul Minnesota
Credit: Matt Jones / Unsplash

Ransomware gang claims attack on St. Paul city government

A ransomware gang the FBI warned the public about last month is claiming to have carried out a cyberattack that has disrupted large parts of St. Paul’s city government.

The Interlock ransomware gang added the Minnesota city to its leak site on Monday, claiming to have stolen 43 gigabytes of data. No payment deadline or ransom demand was listed. City and state officials did not respond to requests for comment. 

It is unclear what data was stolen in the attack, but Mayor Melvin Carter said during a press conference on July 29 that the city is most concerned about data related to government employees. Resident data is held in a cloud-based application and was not impacted by the ransomware attack, city officials have said.

On Sunday, a city spokesperson confirmed to local news outlets the city was hit with a ransomware attack but said it has not paid the ransom.

"We've been contacted by the threat actor with a specific demand for a specific ransom amount. To be clear, we have not paid that and their threat was that they would release some data ... if they weren't able to get paid," Carter told reporters.

"We've maintained access to all of our data the entire time and control of all of our systems the entire time. We are doing what I lovingly refer to as a grand control-alt-delete of all of our city systems. That's our city servers; that's all of our devices, putting upgraded cybersecurity software on them."

Carter added in an MPR News interview that city officials are going through every server and device under the government’s control and in the next few days will manually reset every city employee’s passwords. The city will begin to bring systems back online this week, he explained.

He defended the city’s response, noting that they cannot share as much information as they’d like because of the FBI’s investigation into the attack. 

“The magnitude and the sophistication of cyberattacks have just blown up over the last, even, five years. We're seeing literally every government unit, every school, every hospital, you know, every institution has to be concerned and has to think about their kind of cybersecurity protocols,” Carter said.

The impact

St. Paul’s government has struggled to function for weeks after the ransomware attack was announced. 

While 911 and other emergency services are still available, a range of other crucial government functions have been hampered by the attack. People still cannot pay utility bills online and things like permits or business licenses have to be done with pen and paper.  

The online payment portal for water bills is offline and the government said it “cannot accept water bill payments in any form — online, by phone, or in person.” Late fees will be waived for the time being. 

City libraries do not have Wi-Fi, computer or printer services available and staff cannot create new accounts for those seeking them out. Alternative phone numbers and emails were created for residents to contact if they have questions. 

The city said last week that they have been made aware of hackers targeting the city’s more than 300,000 residents with fake invoices from the government. They urged residents not to click on any links or email attachments if the origin is not clearly identified.

The attack was so damaging to city infrastructure that Minnesota governor Tim Walz activated the National Guard to assist city officials in the recovery effort. 

Just one week before the St. Paul ransomware attack was announced, the FBI released a warning about the Interlock ransomware gang.

The advisory said the ransomware strain is being used to target critical infrastructure and businesses across North America and Europe. U.S. law enforcement added that analysts have identified potential links between Interlock and Rhysida — another ransomware operation known for its attacks on governments around the world. 

Interlock was behind dangerous attacks this year that shut down the dialysis treatment company DaVita and one of the largest healthcare systems in Ohio.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.