Over the next few days, about 3,500 city employees will be required to do an in-person password reset and device security check.
ST. PAUL, Minn. — On Sunday, St. Paul leaders confirmed they are dealing with a ransomware attack targeting the city’s internal systems.
It’s been more than two weeks since a cyberattack forced the city of St. Paul to proactively shut down its network.
“We’ve been contacted by the threat actor with a specific demand for a specific ransom amount. To be clear, we have not paid that and their threat was that they would release some data… if they weren’t able to get paid,” Mayor Melvin Carter explained.
According to Carter, they have yet to find any evidence that any data was taken.
The city said it successfully backed up all its data and is testing servers as it works toward restoring internal systems.
“We’ve maintained access to all of our data the entire time and control of all of our systems the entire time. We are doing what I lovingly refer to as a grand control-alt-delete of all of our city systems. That’s our city servers; that’s all of our devices, putting upgraded cybersecurity software on them,” Carter said.
In response, the city has launched Operation Secure Saint Paul. Over the next few days, about 3,500 city employees will be required to do an in-person password reset and device security check. On Sunday, city employees could be seen entering Roy Wilkins Auditorium to complete the process.
“After our reset and our device security that has been pushed out to all of our devices, we’re going to start reopening our system. So our systems are sitting there ready for us to start opening. This is going to be a very slow and cautious reopening,” said Director Jaime Wascalus of the Office of Community and Technology.
The city is reassuring citizens that, beyond there being no evidence any data was taken, the majority of resident information collected by the city is stored on cloud-based applications which were not impacted by the ransomware attack.
“We have some employment data for employees who work here, but for the most part, the vast majority of city residents… the city doesn’t have your Social Security number. It doesn’t necessarily have sensitive data that could be breached or could be shared,” Carter said.
During this time, emergency services have been operating as usual. Libraries, parks and recreation centers remain open, but the WiFi is still down.
According to the city, the FBI is leading a criminal investigation parallel to its response.
“The message is be vigilant, be careful. Somebody asked me recently, is this something that I think governments need to be worried about moving forward? And the answer is yes. But much larger than that, this is something that we all need to be concerned about moving forward,” Carter said. “There are so many different ways that these threat actors work to try to get into our organizations and into our personal lives, to try to make contact and try to find any way to… get a toehold in so that they can commit crimes online.”