A single RAT opened the gates — unleashing 43GB of stolen files and weeks of digital chaos.
On July 25th, 2025, the cybersecurity systems of St. Paul warned the city about a cyberattack
disguised as a glitch.
Immediately, professionals saw the shadow of a massive threat and pulled the lever on the city’s
digital engine. The entirety of Minnesota whispered and tiptoed in darkness for weeks, while cyber
analysts tried to contain the attack. On August 10th, it was confirmed that this was a ransomware
attack conducted by the Interlock ransomware group. The group was found to have had access to a trove of
43GB of data, spanning nearly 66,000 files from Parks & Recreation drives, which included everything from work
documents and IDs to personal items.
In addition, according to threat intelligence, the attackers gained access to St. Paul’s systems using
a custom SystemBC RAT (Remote Access Trojan), a piece of malware that creates SOCKS5 network tunnels
in the victim’s network and connects to its C2 server using an RC4-encrypted protocol.
Furthermore, this suspicious behavior was detected by the city’s security systems — possibly via its
Endpoint Detection and Response (EDR) systems, which serve as real-time defenses on individual devices.
To prevent the attack from escalating, officials decided to implement a full shutdown of internal
networks, public Wi-Fi, and online payment portals. When a ransom was demanded, officials refused
and continued working to contain the damage, which resulted in a leak of 43GB of data on Interlock’s
website, exposing thousands of sensitive records.
Officials said there was no evidence of widespread exposure of residents’ Social Security numbers; the
leaked data largely came from a Parks & Recreation shared drive and included work documents, IDs, and
some personal items. Now, St. Paul is in recovery—patching systems, resetting passwords, and building
digital walls higher than ever before.
Bill payments halted, trust shattered, and millions lost — the hidden cost of saying no to ransom.
As a repercussion of refusing to pay the ransom, St. Paul lost 43GB of employee and government data.
Citizen transactions froze, city revenue was disrupted, and public trust crumbled, all due to service delays.
Public disappointment and distrust were fueled by frustration as systems went down, making it inconvenient
to pay bills and to get permits or licences approved. WiFi disconnections became common and everyday
administrative tasks stalled, leaving both residents and businesses at a standstill. What should have been
routine interactions with the city suddenly turned into obstacles, amplifying the perception that St. Paul
was digitally unprepared for a crisis of this scale. An estimated tens of millions of dollars went into
recovery expenses.
The breach didn’t just affect residents; it also unsettled St. Paul’s own workforce. Over 3,500 employees
were forced to reset accounts in a rushed emergency setup, creating stress and shaking morale. The leak
of internal emails and records hampered staff confidence in the city’s ability to protect sensitive
information. Similarly, the exposure raises regulatory and policy risks: pressure is mounting for tighter state
and federal oversight of municipal cybersecurity, while potential lawsuits from employees loom if leaked data
leads to harm. The crisis also raises the question — should cities be required to carry cyber liability
insurance, just as corporations do, to safeguard against the financial shocks of future attacks?
Cyberattacks on cities don’t just disrupt government; they send a negative ripple effect into the wider
economy. When permits, licenses, and payments are stalled, local business activity slows, creating structural
problems. Protecting city systems is now just as important for the economy as keeping banks running. In the long
run, this will likely push governments to spend more on strengthening municipal cyber defenses.