Municipal Cybersecurity: St. Paul Attack Reveals City Risks

The digital siege of America's cities is intensifying at an alarming pace, and municipal cybersecurity has become more important than ever. When the City of St. Paul, Minnesota, was forced to shut down its entire network in July 2025 following a ransomware attack, it joined a growing list of municipalities caught in cybercriminals' crosshairs. With ransomware incidents surging 126% year-over-year in Q1 2025 alone, local governments face an unprecedented threat that goes beyond technology; it strikes at the heart of public services that millions of Americans depend on daily. In this exclusive analysis, Andy Maus, Head of Cyber Recovery Services at DriveSavers Data Recovery, dissects the St. Paul incident to reveal why cities have become prime targets, examines the staggering financial toll of municipal cyber attacks, and provides a roadmap for building resilient defenses before disaster strikes. As cybercriminals continue to exploit the unique vulnerabilities of cash-strapped municipal networks, the question isn't whether your city will be targeted—it's whether it will be prepared.

How the St. Paul Ransomware Attack Raised Public Sector Cybersecurity Awareness

By Andy Maus – Head of Cyber Recovery Services at DriveSavers Data Recovery

What happens when a major U.S. city is forced to shut down its own network? On July 25, 2025, the City of St. Paul, Minnesota, detected suspicious activity in its computer systems. By July 29, officials had taken most of the network offline to contain what they initially called a “digital security incident.” Weeks later, it was confirmed to be ransomware.

The St. Paul cyberattack disrupted city services, forced employees to reset credentials and replace equipment, and left residents waiting for access to certain online systems. Emergency services and utilities remained operational, but the incident revealed a reality that professionals in cybersecurity and digital recovery know all too well: municipalities are uniquely exposed to escalating attacks.

That vulnerability isn’t isolated. According to Check Point Research, ransomware groups claimed more than 2,200 victims worldwide in Q1 2025 — a 126 percent increase over the same period in 2024.

St. Paul’s case offers more than a local crisis. It’s a window into why city governments are under siege, how they're forced to respond, and what the path to resilient public-sector cybersecurity could look like.

Anatomy of the St. Paul Incident

When St. Paul officials discovered irregularities in their network, the first step was to contain the problem. That meant shutting down internal systems, isolating accounts, and forcing widespread password resets. For city employees, it wasn’t just a technology issue — it disrupted how departments carried out everyday operations, from billing services to basic administrative tasks.

In the earliest stages, city leaders described the situation as a “digital security incident.” That choice of words was intentional. Confirming ransomware too early can create unnecessary panic, affect negotiations with attackers, or misrepresent the facts before forensic teams have completed their work. By the time officials later confirmed ransomware, the deliberate early language had already helped buy time for investigators and IT staff to determine the scope of the compromise.

Incidents like this also highlight the challenge of scale. St. Paul employs more than 3,000 people across multiple departments, each with its own systems, vendors, and security practices. For investigators, mapping out how deeply an attacker has moved within a sprawling municipal network is a painstaking process. Every day of uncertainty carries risk for public trust, but moving too quickly risks misinformation — a difficult balance that cities across the country are still learning to navigate.

Why Municipalities Are Prime Targets

St. Paul is far from alone. Municipalities account for a disproportionate share of ransomware victims worldwide, and the reasons are both structural and financial. Industry estimates suggest that between 35 and 45 percent of ransomware attacks target local governments — not because their data is any more valuable than the private sector, but because they may lack the budget to address all of their security requirements.

Most city IT departments are asked to secure sprawling networks across many departments on tight budgets, often with outdated hardware and legacy software that are challenged to keep up with today’s threat landscape. Adding to that quandary, local governments frequently struggle to attract and retain experienced cybersecurity staff, who can earn far more in the private sector. As the Cybersecurity and Infrastructure Security Agency (CISA) has noted, the gap between available resources and actual risk makes municipalities especially vulnerable.

The result is a perfect storm: underfunded technology, aging infrastructure, and overextended personnel. Cybercriminal groups know this, and they exploit it. For attackers, cities are tempting targets because even relatively small disruptions can cause outsized pain. Shutting down billing systems, police records, or public school networks creates immediate pressure to pay a ransom — and even if the ransom isn’t paid, the recovery costs are often staggering.

These systemic weaknesses are why incidents like St. Paul’s continue to repeat across the country. Without greater investment and planning, municipalities will remain among the easiest — and most frequent — ransomware targets.

Lessons from Other City Attacks

St. Paul’s ransomware attack is part of a broader pattern. Across the United States, municipalities have faced increasingly costly and disruptive incidents — each one reinforcing how difficult recovery can be when systems that support daily life are taken offline.

In 2019, Baltimore, Maryland, was hit with RobbinHood ransomware that shut down multiple city services. The ransom demand was just $76,000 in Bitcoin, but the ultimate recovery bill topped $18 million after months of work to restore data, rebuild infrastructure, and strengthen defenses.

The year before, Atlanta, Georgia, experienced a SamSam ransomware attack that crippled everything from police services to municipal courts. Officials refused to pay the ransom of roughly $50,000, but recovery costs quickly ballooned to at least $2.6 million — and some systems were permanently lost.

More recently, in July 2025, Ridgefield Public Schools in Connecticut detected a ransomware attempt in progress. By taking systems offline immediately and engaging law enforcement, administrators prevented a full lockout. The district still endured disruption, but early detection helped avoid a worst-case scenario.

Comparing the Costs of Municipal Ransomware Attacks

| City / Year | Ransom Demand | Estimated Recovery Costs | Key Takeaway |
| --- | --- | --- | --- |
| Baltimore, MD (2019) | $76,000 | $18.2 million | Refusal to pay led to massive recovery expenses |
| Atlanta, GA (2018) | $50,000 | $2.6 million+ | Some systems are permanently lost despite recovery |
| Ridgefield, CT (2025) | Attempted (blocked early) | Minimal disruption | Early detection avoided a full lockout |

These cases highlight two consistent realities: the financial toll of ransomware almost always exceeds the ransom demand itself, and swift, coordinated response can make the difference between temporary disruption and catastrophic loss. For municipal leaders, the lesson is clear — waiting to build resilience until after an attack is simply too costly.

Best Practices: Building Cyber Resilience

The lesson from St. Paul, Baltimore, Atlanta, and countless other municipalities is clear: waiting until after an attack to strengthen defenses is too expensive. Building resilience requires deliberate planning, investment, and practice. Based on both experience and established frameworks like those from CISA, here are six essential steps cities can take:

  1. Fund cybersecurity as critical infrastructure. Just as roads and bridges need maintenance, so do digital systems. Allocating budget for up-to-date hardware, software, and security tools reduces the chance of attackers exploiting legacy weaknesses.

  2. Adopt zero-trust principles. Assume every user, device, and connection must be verified. Segment networks so a compromise in one department doesn’t cascade across the city.

  3. Train employees regularly. Phishing and social engineering remain the leading entry points for attackers. Mandatory awareness training, plus simulated phishing exercises, can significantly reduce risks.

  4. Prepare and practice an incident response plan. CISA recommends creating a documented plan with clear roles, holding statements, and escalation procedures. Cities should rehearse tabletop exercises so responders know exactly how to proceed under pressure.

  5. Test backups and recovery processes. Backups are only as good as the ability to restore them. Municipalities should keep offline or immutable backups, then regularly test restoration to ensure critical data can be recovered quickly and securely.

  6. Secure a trusted data recovery partner in advance. Ransomware can encrypt both live systems and backups. Having a pre-vetted data recovery provider — like DriveSavers Data Recovery — built into your incident response plan ensures cities can move immediately into restoration mode without scrambling to find outside help in the middle of a crisis.

Building resilience is about security, protecting sensitive data, and ensuring continuity. The cost of preparation is always less than the expense of restoring systems, rebuilding infrastructure, and regaining public trust after a ransomware attack.

FAQs on Municipal Cybersecurity

Even with stronger defenses, questions remain whenever a city suffers a cyber incident. Here are some of the most common concerns, based on cases like St. Paul and other municipal attacks.

What is the difference between a “digital security incident” and ransomware?

A “digital security incident” is an umbrella term covering any unauthorized activity on a network — including phishing, denial-of-service, or supply chain compromises. Ransomware is one specific type, where attackers encrypt files and often exfiltrate sensitive data before demanding payment. Cities often start with broader language until forensic teams confirm the exact type of attack.

Why do cities delay announcing details?

Disclosing too much too soon can create panic, hinder investigations, or even give attackers leverage. IT teams first need to identify which systems are affected, whether data was stolen, and what recovery options exist. This process can take days or weeks in large municipal networks.

Are residents’ personal accounts at risk during a city cyberattack?

Generally, no. In most cases, city system compromises do not extend to residents’ personal email, banking, or home internet. However, services tied directly to city systems — like online utility billing or permit applications — may be temporarily unavailable until systems are confirmed safe to use.

Should cities pay the ransom?

Law enforcement and cybersecurity experts advise against paying whenever possible. Payment does not guarantee full data restoration and may encourage further attacks. Instead, resilient cities rely on tested backups, recovery partners, and incident response plans to restore operations without rewarding the attackers (CISA #StopRansomware).

What can residents do to protect themselves?

Back up devices regularly, keep software up-to-date, and enable multi-factor authentication. These practices protect against many of the same attack vectors criminals use against municipalities — phishing, credential theft, and malware.

Conclusion

The ransomware attack in St. Paul was not an isolated crisis — it was part of an ongoing international trend that continues to expose the gaps in municipal cybersecurity. From large US cities like Atlanta and Baltimore, to smaller school districts like Ridgefield Public Schools, the lesson is clear: attackers view cities as vulnerable not because their data is more valuable, but because their defenses are often weaker.

Resilience will not come from luck or wishful thinking. It requires sustained investment, training, and planning. Municipalities must treat digital infrastructure with the same seriousness as physical infrastructure, adopting zero-trust principles, rehearsing incident response, and testing recovery strategies before they’re needed. Just as importantly, they need to communicate openly with the public — because transparency builds trust even in the midst of disruption.

St. Paul’s experience should serve as a wake-up call. Ransomware is no longer a rare, headline-making event; it is part of the operating environment for every municipality. Those that prepare today — with strong defenses, trusted recovery partners, and a culture of transparency — will be far better positioned to withstand tomorrow’s inevitable attacks.

About the Author:

Andy Maus is Head of Cyber Recovery Services at DriveSavers, leading initiatives that help organizations recover critical data following cyber incidents, ransomware attacks, and other security breaches. He joined DriveSavers in 2023 after more than two years at Arete Incident Response, where he introduced Data Recovery Services to the firm’s restoration portfolio, expanded the technical operations team from 10 to over 70 specialists, and built strategic alliances with SentinelOne, Dell, and Presidio. Earlier, at Ontrack Data Recovery, he oversaw global sales, supporting complex data restorations for clients across 22 countries. With more than three decades in the technology industry—including leadership roles at Dell, Mitel, and Level 3 Communications—Andy brings deep experience in cyber incident response, data recovery methodologies, and large-scale technical operations.
