Digital assault that shut down St. Paul services was a ransomware attack, city officials say

St. Paul officials say the cyberattack that has wrought havoc on the city’s online services for weeks was a ransomware attack, a sophisticated form of online assault in which hackers demand payment in order to let users back into their systems.

The city paid no money and instead shut down its network to isolate the threat, according to a written briefing provided by city spokeswoman Jennifer Lor.

Because of the ongoing criminal investigation, the city is limited in what information it can share, the briefing said.

The cyberattack was detected on July 25 and led to the shutdown and subsequent disruptions of internet service at city libraries and recreation centers. In addition, City Hall lost its Wi-Fi, and online payment systems that handle water and sewer bills did not work.

However, St. Paul’s 911 and other emergency response systems remained functional.

The city has been working with a cybersecurity unit of the Minnesota National Guard and the FBI to secure its systems and find the source of the attack.

To counter the hack, the city has backed up all data and is testing servers as it restores and rebuilds its internal systems, according to the briefing.

“The city maintains very little data” on residents, Mayor Melvin Carter said after the attack.

“The city doesn’t have Social Security numbers on random residents. The city doesn’t maintain that type of sensitive information on community members who don’t have some fiscal relationship with the city.”

Cyberattacks in other cities have exposed personal data. In Dallas, for example, a 2023 attack exposed the information of more than 30,000 people.

In ransomware attacks, a malicious actor typically encrypts files, making them useless, and then demands that the target pay to have them decrypted.

After St. Paul detected the attack, city computer networks were shut down in an effort to contain it. Those shutdowns — and not the attack itself — hamstrung systems across the city and forced St. Paul into analog operations.

At one point last week, the Department of Safety and Inspections had 950 voicemails to return, spokesman Casey Rodriguez said. By Thursday afternoon, the backlog was less than 650.

To secure city accounts and devices, the next step will be to reset passwords for all 3,500 St. Paul government employees.

In an email last week, Deputy Mayor Jamie Tincher asked all workers to report to Roy Wilkins Auditorium over the next few days to complete the process. City services will be gradually restored afterward.

Carter and other city officials have said that they have been reluctant to share information because the attackers might be listening. But as the cyberattack enters a third week, criticism of the city has emerged.

Last week, state Republican lawmakers sent Carter a letter asking for more information about the impact of the attack. And Carter’s best-known challenger for mayor in November, DFL Rep. Kaohly Vang Her, called for transparency.