St. Paul doesn’t pay ransom for cyberattack

The hackers who attacked St. Paul’s city online services about two weeks ago dumped their stolen data online Monday after the city refused to pay an unspecified ransom.

On Monday, the city said the hacking group – identified as Interlock – made off with 43 gigabytes of the city’s 153 terabytes of data. The files posted online came largely from a shared network drive from the city’s Parks and Recreation Department.

Officials said they think the value of what was stolen was limited.

“Instead of trying to go and sell the data they had, they released it for free,” Mayor Melvin Carter said, on Monday during a news conference.

Carter said the decision not to pay the ransom was based off several factors – officials’ confidence that they were not going to lose access or control of St. Paul’s online system; the hackers did not demonstrate what data they had when asked; and the advice of cybersecurity experts.

Nevertheless, Carter said he has directed staff to offer a year of free credit monitoring and identify theft insurance to all city of St. Paul employees. Meanwhile, the effort to ensure that no security threat remains is ongoing – and Carter said Monday that some disrupted systems may go back online later this week.

Carter announced Monday the city had reset passwords for 2,600 out of about 3,000 city employees. On Tuesday, a city spokesperson said at least 900 employees still needed password resets.

Carter emphasized that it’s an “incredible operation” that will take time to complete. He said some systems may return online later this week.

“While the scope of what they stole from us is far smaller than what they’ve accomplished elsewhere, the fact remains: someone was inside our systems and once that happens there’s no way to guarantee they could not have accessed more,” he said.

The cyberattack was detected July 25 and led to the shutdown and disruptions of internet service at city libraries and recreation centers as well as online payment systems that handle water and sewer bills no longer working.

Carter described the hacking group as a sophisticated criminal organization that steals data from corporations, hospitals and city governments with the intention of selling it. Three days before the attack on St. Paul, the federal Cybersecurity and Infrastructure Security Agency posted an advisory warning for businesses and other institutions to protect from Interlock ransomware.