St. Paul hit by Interlock ransomware attack, 43GB of sensitive data leaked, city refuses ransom, launches Operation Secure St. Paul with FBI and National Guard.
A major cyberattack on the city of St. Paul, Minnesota, has been claimed by the Interlock ransomware group. The attack, which began on Friday, July 25, 2025, disrupted online payment systems and services at libraries and recreation centres for the city of over 311,000 people.
In response to the incident, Minnesota’s Governor Tim Walz activated the National Guard’s cyber protection unit to help with the recovery (PDF). The city’s mayor, Melvin Carter, acknowledged it was a ransomware attack and made it clear that St. Paul would not pay the ransom.
This stance is a public refusal to negotiate with the attackers. Reportedly, the attack was powerful enough that it even delayed the mayor’s State of the City address.
For your information, Interlock, a ransomware gang that began its operations in October 2024, claims to have stolen 43 GB of data from the city. To prove their claim, Interlock posted images of what it says are documents taken from St. Paul’s private servers. They accuse the city of being “careless and irresponsible” with its security, which has put residents’ data at risk.
“The government of the city of Saint Paul, Minnesota, including its representatives and employees, is extremely careless and irresponsible about the security of their city, because of this, a large part of the infrastructure was damaged, brought a lot of losses and damage! Including the worse position were residents whose data was compromised in the internet!” the group stated.
The city has not yet verified the data theft claim, and officials have not disclosed the specific data stolen or how the hackers breached the network. However, the mayor’s office has stated that it has maintained access to all its data and systems. The city is calling its recovery effort Operation Secure St. Paul.
As a critical first step, officials are initiating a global password reset for all of the city’s approximately 3,500 employees to secure individual user accounts and city-issued devices. The FBI is leading the investigation, working alongside the National Guard’s IT division to help restore critical city systems once the password reset is complete.
At the same time, Hackread.com can confirm that the ransomware group has leaked over 42 GB of data belonging to the city of St. Paul for free download. The data is split into two folders, "pkusers" (40.8 GB) and "Smithama" (2.1 GB). The "pkusers" folder alone contains 316 subfolders.
The leaked St. Paul city data contains thousands of sensitive files, including over 3,000 HR and employee-related records such as job descriptions, performance reviews, and internal evaluations. Nearly 4,800 documents relate to work plans, memos, draft proposals, and internal studies. More than 2,000 files appear to be financial or administrative, including invoices, budgets, and payment records.
The leak also holds at least 280 files containing identification and personal data such as passport scans and driving licenses, along with hundreds of email archives and internal correspondence. Together, the material offers a detailed and highly sensitive look into the city’s internal operations.
The St. Paul incident is not an isolated event. According to Rebecca Moody, Head of Data Research at Comparitech, its researchers have documented 46 confirmed ransomware attacks on US government entities so far in 2025. This shows a worrying trend of hackers targeting public organisations to cause mass disruption.
“Now, the City of St. Paul needs to respond to confirm what data has potentially been impacted and who has been affected. In the meantime, we highly recommend residents and employees remain on high alert for any potential phishing campaigns (e.g. emails, texts, or calls reporting to be from St. Paul) and monitor their accounts for any suspicious activity,” Moody concluded.
