Winona County Hit by Two Ransomware Attacks in Three Months — Why Local Governments Keep Getting Hit Again

A small county in southeastern Minnesota is now dealing with its second ransomware attack in under ninety days. The first one hit in January, knocked systems offline for weeks, and led to a declared emergency. The second arrived on April 7 while the county was still implementing security improvements from the first. This time, the state sent the National Guard. The story of Winona County is not just a local government IT failure. It is a compressed, real-time case study in why ransomware actors return to the same targets, why recovery does not equal resilience, and why the gap between restoring operations and hardening infrastructure remains the most dangerous window in cybersecurity.

Location · Winona County, Minnesota
Winona County sits in the far southeastern corner of Minnesota along the Mississippi River, approximately 110 miles southeast of the Twin Cities. The county seat is the city of Winona.

Winona County has a population of roughly 50,000 people. It sits along the Mississippi River, home to a state university, bluff country hiking, and the kind of county government infrastructure that handles property records, birth certificates, motor vehicle registrations, and court filings. It is the kind of place where a single ransomware event can stop someone from closing on a house, registering a car, or obtaining a death certificate for a family member. When the systems go down, the consequences are not abstract. They are tangible, immediate, and felt by people standing at a counter being told to come back later or try a neighboring county.

The Timeline: January Through April

The first ransomware attack was discovered on January 22, 2026. The county's IT systems were knocked offline, and County Board Chair Chris Meyer signed a declaration of local emergency under Minnesota Statute 12.29 subd. 1. Emergency services, including 911, fire, and EMS, continued operating without interruption, but administrative systems were severely impacted. Tax records, motor vehicle services, and three interconnected real estate databases — LandShark, OnBase, and LandLink — went dark. These systems are supplied by TriMin Government Solutions (a vendor specializing in Register of Deeds and County Recorder software, not the more commonly cited Tyler Technologies) and are the systems title companies and banks depend on to verify ownership during property transactions. County Recorder Bob Bambenek confirmed some real estate closings in the county could not be completed until systems were restored.

The county brought in third-party cybersecurity and forensics experts, coordinated with federal law enforcement, and began the slow process of recovery. By late February, roughly four weeks later, the county described the first incident as largely resolved. County Administrator Maureen Holte stated that data affected by the attack had been restored, though she declined to say whether a ransom had been paid, whether insurance covered the cost, or whether personal data had been compromised.

Then on April 7, less than eleven weeks after the first attack was discovered, the county announced a second ransomware incident on its network. Governor Walz's executive order dates the attack to April 6, continuing into April 7; the county's own public statement is dated April 7, which is why most reporting cites that date. County officials once again took systems offline to contain the threat. The DMV and vital statistics services, which depend on connectivity to the state, went down and remained unavailable as of April 11. Staff across the county reverted to pen and paper. Residents needing DMV services were directed to neighboring counties. E-Recording submissions were formally halted on April 8; real estate documents arriving by mail or drop box were held, with their date of receipt preserved, rather than recorded on arrival.

Winona County Incident Timeline
Timeline: January 22, first attack discovered · February 20, first incident described as resolved · February to April, hardening phase · April 7, second attack detected and National Guard deployed
The gap between "resolved" and "hardened" is where the second attack landed. Winona County was still implementing network improvements when the April incident was detected.

Holte confirmed in a public statement that the second attack was attributed to a different threat actor than the first. She also noted that the security improvements prompted by the January incident helped the county detect and respond to the April attack more quickly. That detail is important: it means the first attack did produce operational learning. The problem is that operational learning and operational hardening exist on different timelines, and the attackers moved faster than the upgrades could be completed.

The Repeat Target Problem

This is the part of the Winona County story that deserves the closest attention, because it reflects a pattern that extends far beyond one county in Minnesota.

Research from cybersecurity firm Cybereason has consistently shown that organizations struck by ransomware face an elevated risk of being hit again. In its 2024 study, Cybereason found that 78 percent of organizations that paid a ransom demand were subsequently targeted in a second attack. Of those repeat victims, 36 percent were struck by the same threat actor and 42 percent by a different one. In 63 percent of repeat cases, the second ransom demand was higher than the first.

Winona County officials have not confirmed whether a ransom was paid after the January attack. But the broader data raises a critical question regardless of payment: why do ransomware operators return to previously compromised organizations?

The answer lies in how ransomware ecosystems operate. Threat actors who compromise a network gain detailed knowledge of its architecture, its weaknesses, and its response capacity. That intelligence does not disappear when the ransom is paid or the systems are restored. It can be retained, shared, or sold. In the ransomware-as-a-service model, initial access brokers often sell network footholds to multiple buyer groups. A compromised network is not a closed chapter; it is a live lead that multiple criminal operators can exploit. Mandiant's 2026 M-Trends report found that "prior compromise" — access inherited from an earlier, separate intrusion — was the initial infection vector in approximately 30 percent of the ransomware incidents it investigated in 2025, nearly double the prior year's share. The same report gives a starker figure: the median time between an initial access event and the hand-off to a secondary threat group has collapsed from more than eight hours in 2022 to just 22 seconds in 2025.

Even when the second attacker is genuinely different from the first — as Winona County officials indicated — the underlying conditions that made the first attack possible often persist during the recovery window. Unpatched endpoints, legacy authentication configurations, incomplete network segmentation, and residual footholds from the first intrusion can all leave the door propped open for a separate group to walk through.

The Signal Problem

A publicly disclosed ransomware incident functions as an unintentional signal to the broader threat ecosystem. It tells other operators that the target's defenses were breached, that its staff are now consumed with recovery and investigation, and that its security posture is likely in a transitional state. For opportunistic attackers scanning for vulnerable organizations, a recent victim is a high-probability target.

Inside the Attacker's Decision Tree

Before returning to a previously compromised target, a ransomware operator (or an initial access broker selling the foothold) runs through a set of implicit questions. Each node below gives the reasoning, and why Winona County triggered a "yes" on many of them.

01 Do I have a validated foothold, a known vulnerability, or a buyable access point?
A previously compromised network is a warm lead. Credentials, backdoors, or mapped internal architecture from a prior intrusion may still be available through initial access brokers, affiliate forums, or residual persistence that was never fully purged.
WINONA ANGLE: After a January intrusion, reconnaissance data about the county's network layout was likely retained by the original operator or sold. Second-stage buyers do not need to rediscover the environment.
02 Is the target's security team distracted by something else?
A security team consumed with post-incident investigation, vendor coordination, board reporting, and recovery operations cannot simultaneously monitor for new intrusions at the same depth. Attention is finite, and the first attack creates a predictable attention sink.
WINONA ANGLE: County IT was coordinating with forensics vendors, federal law enforcement, and state agencies while also running day-to-day operations. Monitoring surface area shrank while remediation work expanded.
03 Is the environment in a transitional state where controls are half-deployed?
A network being re-architected is paradoxically less defensible than one that is either fully legacy or fully modernized. Partial EDR coverage, partially segmented networks, and newly created service accounts with loose permissions all create exploitable seams that did not exist before recovery began.
WINONA ANGLE: County administrators confirmed they were "in the process of implementing critical network improvements" when the second attack occurred. That transitional state is itself an attack surface.
04 Does the target have strong pressure to restore services quickly?
Political pressure translates to payment pressure. A county whose residents cannot close property deals, register vehicles, or obtain vital records will face elected-official pressure measured in days, not months. That pressure shortens the window in which paying a ransom becomes the expedient option.
WINONA ANGLE: Property closings depending on LandShark, title searches, DMV services, and death certificate requests all drive direct constituent pressure on elected officials. This is a payment-pressure profile by design.
05 Will this target's previous response shape how it responds again?
Operators study prior responses. Did the organization pay? Did it disclose? How quickly did it restore? These signals inform the playbook for a follow-on extortion attempt. A target that paid once has demonstrated willingness; a target that disclosed quickly has demonstrated limited tolerance for prolonged downtime.
WINONA ANGLE: Officials have declined to confirm whether a ransom was paid in January. Silence on payment is itself a data point that downstream attackers interpret — it may be read as "payment occurred but is embarrassing to disclose."
06 Is the cost-to-breach lower than the expected ransom payout?
This is the core economic calculation. Lower breach cost (reused access, known environment, partial defenses) combined with elevated payout probability (service-restoration pressure, prior disclosure history) produces an expected-value calculation that favors repeat targeting over prospecting for new victims.
WINONA ANGLE: Every preceding node lowered the effective breach cost or raised the expected payout. The math, viewed from the attacker's side, is unambiguous.
The Key Insight
Repeat attacks are not mysterious. They are the predictable output of a rational economic model applied to an observable target state. Every defender's choice — to disclose, to pay, to phase in controls, to coordinate publicly — is also an input into the attacker's next decision.

What the National Guard Deployment Means

Governor Tim Walz authorized the deployment of 15 IT specialists from the Minnesota National Guard's 177th Cyber Protection Team to assist Winona County. This is not a unit of soldiers with rifles standing outside a server room. It is a team of cybersecurity professionals who hold civilian jobs in IT and security across the Twin Cities metro area and serve as military reservists trained in network defense, threat hunting, and incident response. The unit has no junior enlisted slots — it is built entirely from branch transfers and personnel who already bring years of civilian information-security experience. Ideal candidates, according to the unit's leadership, are "life-long learners who also do this stuff as a hobby, in addition to a career."

Minnesota established its Cyber Protection Team in 2017 at Rosemount, making it one of the first states in the nation to do so. When it stood up, the 177th was one of 23 such units across the National Guard. Minnesota was, and remains, one of only a handful of states to have fully staffed a complete team rather than sharing one across state lines. The unit reached Fully Operational Capability (FOC) in July 2020 after passing an ARCYBER validation exercise at Fort Meade, a benchmark preceded by thousands of hours of training. In October 2020, the 177th was federally mobilized under the 780th Military Intelligence Brigade (Cyber) in support of U.S. Cyber Command and the Cyber National Mission Force, returning to Minnesota in late 2021. In 2025, the team was activated for a major ransomware incident against the city of St. Paul, where it spent several weeks assisting with threat removal and network hardening.

The team's mission in Winona County involves three core tasks: hunting for residual threat actors inside the network, clearing any remaining adversary presence, and hardening the infrastructure against future intrusions. Lt. Col. Brian Morgan, the Minnesota National Guard's Director of Cyber Coordination (and former commander of the 177th when it achieved FOC), described the typical attacker playbook as focused on gaining access, deploying ransomware, and either extorting payment for decryption or threatening to release stolen data.

The deployment also involves coordination with the Minnesota Bureau of Criminal Apprehension, the FBI, Minnesota IT Services, the League of Minnesota Cities, and an external cybersecurity vendor. The sheer number of agencies involved illustrates an uncomfortable truth: a single county's IT staff cannot handle a sophisticated ransomware incident alone, and the second time around, the county's own resources were simply overmatched.

"The scale and complexity of this incident has exceeded both internal and commercial response capabilities." — Governor Walz's executive order authorizing the National Guard deployment
The Ransomware Ecosystem Web

A single county's network does not face a single attacker. It faces a distributed economy. The nodes below, and the flows between them, show how access, malware, payment, and data move through it.

Initial access broker · upstream supply of footholds
RaaS developer (malware + portal) · licenses tooling to affiliates
Affiliate operator (runs the attack) · splits ransom revenue with the RaaS developer
Victim organization (Winona County) · pays or does not
Negotiator / insurer · brokers terms
Leak site (extortion leverage) · double extortion
Laundering infrastructure · mixers / exchanges

Victim Organization · Winona County
The endpoint of the ecosystem and, critically, the data source that fuels it. When a county is compromised, every upstream participant profits: the access broker by resale, the RaaS developer by license fees, the affiliate by ransom percentage, the laundering infrastructure by transaction volume.

The Recovery-Resilience Gap

This is the concept that the Winona County case makes viscerally clear: recovering from a ransomware attack and becoming resilient against the next one are two different things, and there is a dangerous gap between them.

Recovery means restoring data, bringing systems back online, and returning to operational capacity. It is measured in uptime and service availability. The January attack was "largely resolved" by late February, meaning the county's systems were functional again within about four weeks. That is a reasonable recovery timeline for a county-level government.

Resilience means fundamentally improving the security architecture so that a similar intrusion either cannot succeed or can be contained before it causes meaningful disruption. That work — network segmentation, endpoint detection and response deployment, privileged access management, authentication hardening, backup architecture validation, and staff security training — takes months, requires budget, and often requires vendors and expertise that are not immediately available.

Holte acknowledged this gap directly when she noted that the county was in the process of implementing critical network improvements when the second attack occurred. The improvements were not vaporware or empty promises. They were real projects underway. In fact, Holte credited those in-progress upgrades with helping the county detect the second incident faster. But detection speed and prevention are different capabilities, and the attackers exploited the window before the hardening was complete.

This gap is not unique to Winona County. It is structural. Local governments typically operate with small IT teams, limited budgets, and procurement timelines that do not align with threat actor timelines. A county that needs to hire a managed security service provider, procure endpoint detection tools, and redesign network segmentation is looking at a process measured in quarters, not weeks. Attackers operate in days. Mandiant analysts have given the current pattern a name: "recovery denial." In 2025 investigations, ransomware operators actively targeted backup infrastructure, identity services, and virtualization management planes specifically to remove the victim's ability to rebuild without paying. Separately, NAIC's 2025 market research found attackers specifically targeted backups before triggering encryption in 72 percent of ransomware incidents, which is why cyber insurance carriers increasingly require immutable, isolated backup systems as a condition of coverage rather than recommending them as a best practice.

The Gap Between "Recovered" and "Hardened"

Recovery tracks operational uptime. Hardening tracks security posture. They run on different clocks, and the gap between them is when repeat attackers strike. Winona County's timeline maps onto this structural problem as follows.

Timeline: January 22, first attack · February 20, recovery complete (about 4 weeks) · April 7, second attack · hardening in progress throughout (9+ weeks) · exposure window: the gap between recovery and completed hardening
What the timeline shows: Recovery completed around February 20. Hardening started while recovery was still underway, but the full program was expected to take months. The window in which systems were operationally "back" but structurally unchanged is the window in which a second operator walked in on April 7. Resilience is not a single date on this timeline. It is the moment the hardening effort catches up to and exceeds where defenses were before the first breach.

Picture the resource asymmetry concretely. A county IT director has a fixed headcount, a procurement cycle measured in months, a board that must publicly approve contracts above a threshold, and a constituency that expects services to stay online. Every action is observable. Every delay is accountable.

Now picture the opposing side. A ransomware affiliate operates under no disclosure obligation. The affiliate does not report to a board. The affiliate can pivot tooling in a single afternoon, buy a new access point at 9pm, and has access to a labor market that will translate, localize, and automate attacks in whatever language the target speaks. The affiliate pays no opportunity cost for being wrong about a target; there is always another county.

This is why "spend more" is not, by itself, a complete answer. More budget buys tools, but it does not collapse the structural asymmetry between an organization bound by public-sector process and an adversary bound by nothing. Partial relief comes from state-level cyber units, shared services across counties, and mutual-aid agreements — mechanisms that move some of the defensive capability outside any one county's procurement cycle. The Minnesota National Guard's cyber team is exactly that kind of structural workaround.

The Bigger Picture: Local Government Under Siege

Winona County exists within a broader pattern that has been accelerating for years. Minnesota IT Services reported close to 70 ransomware attacks across the state in a twelve-month period spanning 2024-2025, with more than half targeting local governments and schools. Mower County, Minnesota and Iowa County, Wisconsin both suffered ransomware attacks in 2025. The city of St. Paul experienced a major incident on July 25, 2025 that required National Guard intervention; the Interlock ransomware group (a RaaS operation that emerged in September 2024 with probable links to the Rhysida group) exfiltrated 43 gigabytes from St. Paul's estimated 153 terabytes and posted the data on its leak site after the city refused to pay. St. Paul's recovery required a manual password reset for over 3,000 employees at Roy Wilkins Auditorium, took roughly 90 days of emergency-order operations, and was still only approximately 75% complete two months after the initial containment.

Nationally, the numbers are stark. Comparitech tracked 7,419 ransomware attacks worldwide in 2025, with government entities experiencing 374 total recorded incidents — a 27 percent increase over the prior year, with 196 of those confirmed by the affected organizations themselves. The first half of 2025 alone saw a 65 percent year-over-year increase in ransomware incidents affecting government bodies, according to Comparitech's H1 2025 Government Ransomware Roundup. And those are only the reported figures. BlackFog's 2025 State of Ransomware Annual Report estimated that 86 percent of ransomware incidents are never publicly disclosed — a figure it derived by comparing publicly disclosed incidents against the much larger universe of victims named on dark web leak sites.

The reasons local governments are disproportionately targeted are well documented: they hold large volumes of sensitive personal data (Social Security numbers, financial records, health information, property records), they operate on constrained IT budgets, they rely on legacy systems, and they face political pressure to restore services quickly — which can translate into a higher likelihood of ransom payment. The financial motivation is straightforward. A county government that holds birth certificates, death records, and property titles for its entire population is sitting on data that creates extraordinary pressure to pay when it is encrypted or stolen.

The defender picture has also quietly worsened in the months before the Winona attacks. On October 1, 2025, the Multi-State Information Sharing and Analysis Center (MS-ISAC) — the primary threat-intelligence and incident-response resource for state, local, tribal, and territorial governments — transitioned from federal CISA funding to a fee-based membership model. By April 2026, at least 13 states had signed statewide agreements. Federal State and Local Cybersecurity Grant Program (SLCGP) dollars cannot be used to pay MS-ISAC fees. For a county with fewer than five dedicated cybersecurity staff — the condition that applies to more than 80 percent of U.S. local governments — losing the MS-ISAC incident-response and indicator-feed lifeline precisely as the adversary economy accelerates is not a footnote. It is structural exposure.

The Repeat Victim Economics

Research published in Information Systems Research introduced the concept of "extortionality" — the idea that a ransom payment creates a negative externality by incentivizing further attacks, not only against the paying organization, but against other potential victims in the same sector. When a county pays, it validates the business model for every other ransomware operator scanning county-level targets.

Repeat Target Probability Calculator

This is not a forecast tool. It is a teaching instrument. It takes a hypothetical local government's profile as input and shows how the estimated probability of a second attack shifts with it. The base rate is anchored to Cybereason's 2024 finding that 78 percent of organizations that paid a ransom were hit again.

Inputs: whether the organization paid a ransom; whether the incident was publicly disclosed; hardening completion at 90 days post-incident, on a scale from 0 percent (nothing fixed) to 100 percent (fully hardened).
Sample profile: ransom paid, incident publicly disclosed, hardening 40 percent complete.
Output: 74 percent estimated probability of repeat attack within 12 months.
A county government that paid, disclosed, and has made moderate hardening progress is squarely in the repeat-target profile. The known payment history validates the target to the criminal economy, disclosure functions as a signal to downstream operators, and incomplete hardening means many of the original exploitable conditions persist.

What Winona County Reveals About the Road Ahead

Winona County Emergency Management Director Ben Klinger made a statement during the April 11 press conference that is worth sitting with: the county's emergency management plans worked. When the attack was detected, systems were taken offline to contain the threat. Emergency services continued without interruption. Staff pivoted to manual processes. State and federal partners were mobilized. The playbook was executed. And yet, here they were, managing a second crisis in under three months.

This is what makes the Winona County case so instructive. It is not a story of negligence or indifference. It is a story of a small government that took its first attack seriously, invested in improvements, and was still overwhelmed by the structural reality of defending against an adversary ecosystem that moves faster, is better funded, and has no procurement cycle.

The lesson is not that Winona County failed. The lesson is that the model of incident response followed by incremental improvement is insufficient for organizations in the crosshairs of repeat targeting. The current approach treats each ransomware incident as an isolated event to be recovered from, rather than as evidence of an ongoing, adversarial relationship between the victim's network and the broader criminal ecosystem that now knows it exists.

For Winona County, the immediate path forward involves the National Guard completing its threat hunting and hardening mission, the FBI and BCA continuing their criminal investigation, and the county restoring DMV and vital statistics connectivity to the state. Longer term, the county will need sustained investment in security architecture that outlasts the news cycle and the emergency declaration.

For every other county, school district, and municipal government watching this unfold, the Winona County timeline offers a compressed illustration of a truth that the cybersecurity community has been repeating for years: the window between recovery and resilience is when you are most vulnerable, and the attackers know it.

The term "incident" suggests a discrete event. It frames the work as something that has a beginning, a middle, and an end — you get hit, you respond, you close the ticket. That framing made sense when intrusions were rare and the operator who hit you was the same one who walked away.

That model no longer maps to how the ransomware economy functions. Access is bought and sold. Footholds are rented. Victim lists are traded. The "ticket" you closed in February was read, some six weeks later, by a different affiliate who paid a different broker for a different partial picture of your network. From the defender's side, one incident ended; from the ecosystem's side, the same target became a rotating asset.

Some practitioners have proposed replacing "incident response" with "adversary engagement" or "continuous compromise management" as a mental model. The distinction matters because it changes what you plan for. You stop planning for a close-out and start planning for a sustained campaign. You stop measuring mean time to recover and start measuring mean time to shift posture. Winona County is an argument, in real time, that the older model no longer scales.

What Would You Do?

Three hypothetical decision points, modeled on the weeks between the two Winona attacks, that a county administrator would face. There are no perfect answers; each choice carries a tradeoff.

Decision 1 of 3 · Day 30 after first attack
Systems are largely restored. A forensics vendor has quoted $180,000 for a full threat-hunt sweep to confirm no residual attacker presence. Your board is asking when you will declare the incident resolved.
Context: your general fund has roughly $400K in unbudgeted reserve. Insurance is still evaluating coverage. The board chair wants a declaration of resolution to reassure constituents.
Decision 2 of 3 · Day 45
Your MSSP can deploy endpoint detection and response (EDR) to 60 percent of your endpoints within two weeks. The remaining 40 percent require firmware updates and hardware swaps that will take three to four months. How do you sequence this?
Context: the 60 percent is mostly front-office workstations. The remaining 40 percent includes domain controllers, file servers, and legacy systems — the crown jewels.
Decision 3 of 3 · Day 60
A reporter asks whether a ransom was paid during the first incident. Legal counsel says you are not required to answer. Communications staff notes that declining to answer will likely be read as a "yes" by some audiences, including downstream attackers who monitor coverage.
Context: you genuinely paid a smaller ransom through insurance. Public confirmation could trigger political blowback; silence may signal weakness to other threat actors.
Notice that none of these decisions were simple. Every choice traded off a known cost (money, speed, political pressure) against a probabilistic future risk (repeat attack, coverage gap, signal exposure). This is the real work of local government cybersecurity — making defensible decisions under resource constraints, public scrutiny, and an adversary who faces none of those same constraints.
The Facts That Change the Picture

Precise, sourced specifics that reshape how experienced practitioners should think about this incident and the broader repeat-targeting problem, grouped by category. Every claim here is drawn from the record, not hedged estimates or sector generalities.

22 seconds Attacker Speed
The median time between an initial access event and hand-off to a secondary threat group in 2025. In 2022, that hand-off took more than 8 hours. The alert that looks low-priority can become a full compromise before the first triage pass completes.
Source: Mandiant M-Trends 2026, 500,000+ IR engagement hours
30% Attacker Speed
Share of 2025 ransomware incidents where the initial infection vector was "prior compromise" — access inherited from an earlier, separate intrusion. Nearly doubled from the prior year. This is the empirical backbone of the repeat-target pattern.
Source: Mandiant M-Trends 2026
LandShark, OnBase, LandLink Winona
The three real estate databases confirmed offline during both Winona County attacks. All three are supplied by TriMin Government Solutions of Mendota Heights, Minnesota — not Tyler Technologies, the more commonly assumed recorder-software vendor. Winona County Recorder Bob Bambenek confirmed the outage.
Source: Winona Post reporting, April 2026; Winona County Recorder Office
MN Stat. 12.29 subd. 1 Winona
The specific Minnesota statute under which County Board Chair Commissioner Chris Meyer signed the local emergency declaration. Only the board chair has this authority at the county level in Minnesota — a single-point procedural detail that many counties have not operationalized in their cyber playbooks.
Source: Winona County Press Release, January 23, 2026
April 6, not April 7 · Winona
Governor Walz's emergency order specifies the second attack was detected on April 6 and continued into April 7. Most reporting cites "April 7" because that is the date on the county's public statement. The one-day gap matters for incident timeline reconstruction and is a reminder to always check executive orders, not press releases, for first-detection dates.
Source: Minnesota Governor's Executive Order; Winona County statement of April 7, 2026
#87 of 91 · Winona
Winona County's January ransomware attack was item 87 in BlackFog's ranking of 91 publicly disclosed January 2026 ransomware incidents. 49% of those incidents had not yet been claimed by any known ransomware group. The attack was not publicly attributed to a specific affiliate or RaaS brand at the time of disclosure. Separately, BlackFog's full-year 2025 annual report found that 86 percent of all ransomware incidents globally are never publicly disclosed — derived by comparing publicly disclosed incidents against the much larger universe of victims named on dark web leak sites.
Source: BlackFog, The State of Ransomware, January 2026; BlackFog 2025 Annual Report, February 2026
72% · Economics
Share of 2025 ransomware incidents in which attackers specifically targeted backup infrastructure before triggering encryption. Cyber insurers now routinely require immutable, isolated backups as a coverage condition. "Recovery denial" is the named 2025 tactic for this pattern.
Source: NAIC Cybersecurity Insurance Market Report, 2025; Mandiant M-Trends 2026
63% pay more · Economics
Of organizations struck a second time after paying a ransom, 63% were charged a higher amount on the repeat attempt than the original demand. Payment history functions as price discovery for the ecosystem. This is separate from the often-cited 78% repeat-attack rate.
Source: Cybereason, Ransomware: The True Cost to Business 2024
70–80% · Economics
Typical revenue share paid to an affiliate operator by the RaaS platform operator. The affiliate, not the "brand," keeps the majority. This economic split means the "ransomware group" listed in a news headline is rarely the same party that ran the actual intrusion — the affiliate is.
Source: Halcyon threat intelligence; FBI/CISA joint advisories
CVE-2025-31324 · Tooling
Improper authorization in SAP NetWeaver's Visual Composer. Multiple threat clusters exploited this as a zero-day before SAP patched it in April 2025. Post-exploitation focused on web shell installation. It was Mandiant's most-observed exploited vulnerability of 2025 — a critical-severity, internet-facing app server flaw that collected victims before disclosure.
Source: Mandiant M-Trends 2026; SAP Security Notes, April 2025
REDBIKE / Qilin · Tooling
REDBIKE (publicly known as Akira) was the most frequently observed ransomware variant in 2025 Mandiant investigations. AGENDA (publicly Qilin) followed second and became the single most prolific brand by data leak site volume that year. Naming conventions matter: Mandiant cluster names, CISA advisory names, and leak-site brand names are three different vocabularies for often the same activity.
Source: Mandiant M-Trends 2026; CISA StopRansomware Akira advisory, November 2025
ClickFix / ClearFake · Tooling
Social-engineering technique used by Interlock in the St. Paul attack. Victims are tricked into pasting a malicious command into their own Run dialog or PowerShell under the pretext of fixing a fake error or CAPTCHA. No attachment, no click-through exploit — the victim executes the payload themselves. Paired with SystemBC RAT for credential theft in that incident.
Source: CISA / FBI Interlock advisory, July 2025; city of St. Paul disclosures
5 hours · Tooling
In 10% of Secureworks Counter Threat Unit ransomware cases, attackers deployed encryption within five hours of initial access. Median dwell before detonation has been measured at 4 days (Sophos 2025) and as low as 24 hours in other telemetry. The industry's headline median and the worst-decile outcome are two different operational realities.
Source: Secureworks CTU State of the Threat report
780th MI BDE (Cyber) · Winona
The parent unit under which the 177th Cyber Protection Team was federally mobilized to Fort Meade in October 2020. The 177th earned Fully Operational Capability status in July 2020 via an ARCYBER validation exercise — a benchmark most state-level cyber units have not achieved. Minnesota's team has no junior enlisted slots; every member comes from a branch transfer with existing civilian IT experience.
Source: Minnesota National Guard press releases 2020–2021
October 1, 2025 · Defender
Date MS-ISAC transitioned from federally funded to fee-based membership after CISA funding ended September 30, 2025. Only 11 states had signed statewide memberships by early 2026. SLCGP federal grant dollars cannot be used to pay MS-ISAC fees, so many counties lost real-time threat feeds and CIRT incident response support precisely when repeat targeting is rising.
Source: StateTech Magazine, February 2026; StateScoop, August 2025
<5 people · Defender
More than 80% of U.S. state, local, tribal, and territorial governments have fewer than five dedicated cybersecurity employees. A county with five defenders is facing an adversary ecosystem with hundreds of affiliates and a 24-hour operational tempo. This asymmetry is the structural reason one county can take its first attack seriously and still be overwhelmed by the second.
Source: ProWriters municipal cyber report, 2025
$2.83M · Defender
Average 2024 recovery cost for state and local government ransomware incidents (Sophos) — more than double the $1.21M 2023 average. On average, ransomware attacks in 2024 affected 56% of computers in state/local orgs vs. a cross-sector 49% — local governments lose more of their fleet per incident than most sectors.
Source: Sophos State of Ransomware 2024; ProWriters 2025
Interlock ↔ Rhysida · Tooling
Interlock, which hit St. Paul in July 2025, is suspected by U.S. law enforcement of shared tooling or infrastructure overlap with Rhysida — another government-targeting RaaS group. CISA and FBI issued a joint Interlock advisory three days before the St. Paul intrusion was disclosed. Indicator-sharing speed outran advisory-reading speed.
Source: FBI/CISA Interlock advisory, July 22, 2025; The Record
43 GB / 153 TB · Winona
Volume of data exfiltrated (43 GB) from the city of St. Paul compared to the city's total stored data (153 TB). The stolen fraction was approximately 0.028%. Extortion leverage scales with sensitivity, not volume. Mayor Carter described the leaked files as "not core city systems like payroll, permitting or licensing" — a reminder that a tiny slice can still produce full-incident optics.
Source: City of Saint Paul Digital Security Incident Hub; Mayor Carter press conference, August 11, 2025
122 days · Tooling
Median dwell time for North Korean IT-worker insider operations in 2025 — over four months of undetected access, with some cases exceeding one year. This is roughly 11x the median dwell for a typical ransomware case. Any county running a remote hiring program should assume this vector exists in the wild alongside conventional ransomware threats.
Source: Mandiant M-Trends 2026
Test Your Understanding

Retrieval practice is one of the most robust memory effects in cognitive science. Answering from memory, even imperfectly, binds information far better than re-reading. Give these a shot before scrolling to the key terms.

Question 01
Which concept best describes the dangerous period between restoring systems after a ransomware attack and completing the security improvements needed to prevent a recurrence?
The recovery-resilience gap is the specific term for the window in which systems are operationally restored but structural hardening is incomplete. Winona County was inside that window when the second attack landed. "Extortionality" describes the externality of paying ransoms; dwell time and lateral movement are related but distinct adversary metrics.
Question 02
According to Cybereason's 2024 research cited in the article, what percentage of organizations that paid a ransom were subsequently targeted in a second attack?
78 percent. Of those repeat victims, 36 percent were struck by the same threat actor and 42 percent by a different one. In 63 percent of repeat cases the second ransom demand was higher than the first — a pattern consistent with how the ecosystem treats payers as validated targets.
Question 03
Why does the article describe a publicly disclosed ransomware incident as an "unintentional signal" to the broader threat ecosystem?
Disclosure broadcasts an organization's temporary weakness. Staff are consumed with recovery, the security posture is in flux, and the target has already been validated as reachable. For opportunistic attackers scanning for victims, a recently breached organization is a high-probability target.
Question 04
What role do initial access brokers play in enabling repeat attacks against the same organization?
Initial access brokers are the upstream suppliers of the ransomware economy. A single network foothold can be resold to multiple buyer groups, which means a "different" attacker on the second go-round may be operating from intelligence gathered during the first.
Question 05
Which of the following best captures the central argument the article makes about Winona County?
The article's central claim is structural, not personal. Winona County took the first attack seriously and was still overwhelmed because the defender's timeline (quarters) does not match the attacker's timeline (days). The lesson is about the model, not the county.
Frequently Asked Questions

Why did Winona County get hit by ransomware twice in three months?

The two attacks were attributed to different threat actors. County officials confirmed that security improvements from the January incident were still being implemented when the April attack occurred. This interval — after systems are restored but before structural hardening is complete — is known as the recovery-resilience gap. Publicly disclosed ransomware incidents also function as signals to the broader criminal ecosystem, indicating that a target's defenses are in transition and its staff are consumed with recovery operations.

What is the recovery-resilience gap?

The recovery-resilience gap is the window between restoring systems to operational status after a cyberattack and completing the deeper security improvements needed to prevent a recurrence. Recovery is measured in uptime — typically weeks. Resilience requires network segmentation, endpoint detection and response deployment, privileged access management, authentication hardening, and backup architecture validation — a process measured in months. Attackers, particularly in repeat-targeting scenarios, exploit this gap deliberately.

Why do ransomware operators return to the same targets?

Several factors drive repeat targeting. First, threat actors who compromise a network gain detailed intelligence about its architecture that persists after remediation. Second, in the ransomware-as-a-service model, initial access brokers can sell network footholds to multiple buyer groups, meaning a single compromise can enable separate attacks by different operators. Third, a publicly disclosed incident signals to other criminal actors that the organization has demonstrated vulnerability and faces pressure to restore services quickly — both factors that increase expected ransom payment probability. Cybereason's research found that 78 percent of organizations that paid a ransom demand were subsequently targeted in a second attack.

What did the Minnesota National Guard do in Winona County?

Governor Tim Walz authorized deployment of the Minnesota National Guard's 177th Cyber Protection Team after the scale and complexity of the second attack exceeded internal and commercial response capabilities. The team's mission involved three core tasks: hunting for residual threat actors inside the county's network, clearing any remaining adversary presence, and hardening the infrastructure against future intrusions. The 177th is one of 23 Cyber Protection Teams across the National Guard, and Minnesota is one of only a handful of states to have fully staffed a complete team.

Why are local governments disproportionately targeted by ransomware?

Local governments hold large volumes of sensitive personal data — Social Security numbers, property records, birth and death certificates, financial records — creating strong extortion leverage. They typically operate on constrained IT budgets, rely on legacy systems, and face political pressure to restore services quickly, which increases the likelihood of ransom payment. More than 80 percent of U.S. state, local, tribal, and territorial governments have fewer than five dedicated cybersecurity employees, creating a structural asymmetry between the defender's resources and the attacker's operational capacity.

How to Reduce Repeat Ransomware Targeting Risk After an Incident

The Winona County case illustrates that surviving one ransomware attack does not close the exposure window. The following steps address the structural conditions that make repeat targeting predictable.

Step 1: Commission a full threat-hunt sweep before declaring the incident resolved

Restored systems are not clean systems. A forensics vendor should conduct a comprehensive threat hunt to confirm no residual attacker presence, backdoors, or unrevoked credentials before operational recovery is declared complete. This is the step organizations most often skip under board pressure to declare closure — and the step most likely to leave a second attacker's entry point in place.

Step 2: Prioritize hardening the crown jewels, not just the largest surface area

Domain controllers, file servers, identity services, and virtualization management planes are the targets ransomware operators prioritize for recovery denial. Endpoint detection and response deployment should reach these systems first, even if it means deferring coverage of front-office workstations. Partial EDR coverage that leaves core infrastructure exposed creates exploitable seams that did not exist before recovery began.

Step 3: Treat backup infrastructure as a Tier-0 target

Attackers specifically targeted backup infrastructure before triggering encryption in 72 percent of 2025 ransomware incidents, according to NAIC market research. Immutable, isolated backup systems — where backups cannot be deleted or modified even by accounts with administrator credentials — are now a cyber insurance coverage requirement, not an optional best practice. Verify backup integrity and isolation as part of the post-incident hardening program, not as an afterthought.

Step 4: Use state and regional mutual-aid mechanisms to bridge the procurement gap

Local governments cannot collapse the structural asymmetry between a public-sector procurement cycle and an adversary with no such constraints by spending more alone. State-level cyber units such as the Minnesota National Guard's 177th Cyber Protection Team, shared managed security service providers across county consortia, and mutual-aid agreements move some defensive capability outside any one county's timeline. Engaging these resources before the second incident — not after — is the operational lesson the Winona County timeline makes concrete.

Step 5: Manage public disclosure carefully to limit downstream signaling

A publicly disclosed ransomware incident functions as an unintentional signal to the broader threat ecosystem. Disclosure is often legally required or ethically appropriate — but the timing, framing, and level of operational detail disclosed affect how clearly the signal reads to downstream attackers. Committing publicly to a post-incident report, stating that hardening is underway without specifying what remains incomplete, and coordinating messaging with law enforcement reduces the information advantage the disclosure otherwise creates for follow-on operators.
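The Step 1 sweep for residual backdoors and "unrevoked credentials" can be made concrete as an identity audit. The script below is an added example, not the county's or any vendor's tooling; it runs over a constructed account inventory with hypothetical names and dates (an intrusion window opening 2026-01-15 and containment declared 2026-02-11) and flags the records a second attacker could still use.

```python
"""Post-incident credential sweep for the Step 1 threat hunt (added example,
not code from the article or any vendor). Flags identity records that could be
a second attacker's entry point: accounts created during the intrusion window,
credentials not rotated after containment, and disabled accounts that kept
privileged rights. All records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Account:
    name: str
    created: datetime
    last_credential_change: datetime
    privileged: bool
    enabled: bool

def utc_day(s):
    """Parse 'YYYY-MM-DD' as UTC midnight (helper for the sample data)."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def sweep(accounts, intrusion_start, containment):
    """Return {account_name: [findings]} for accounts needing action before
    the incident is declared resolved. Clean accounts are omitted."""
    findings = {}
    for a in accounts:
        issues = []
        # Accounts created while the attacker had access are suspect: added
        # accounts survive remediation of the original foothold.
        if intrusion_start <= a.created <= containment:
            issues.append("created during intrusion window")
        # A credential last changed before containment may still be held by
        # the attacker; for privileged accounts this is a Tier-0 gap.
        if a.last_credential_change < containment:
            issues.append("credential not rotated since containment"
                          + (" (privileged)" if a.privileged else ""))
        # Disabling without stripping rights leaves a re-enable-and-go path.
        if not a.enabled and a.privileged:
            issues.append("disabled but still privileged; remove rights")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed inventory; names and dates are hypothetical, loosely following
# the article's January-to-April timeline.
SAMPLE = [
    Account("svc-backup", utc_day("2019-03-01"), utc_day("2026-02-10"), True, True),
    Account("adm-helpdesk2", utc_day("2026-01-25"), utc_day("2026-01-25"), True, True),
    Account("jdoe", utc_day("2021-06-14"), utc_day("2026-02-12"), False, True),
    Account("old-dba", utc_day("2017-09-09"), utc_day("2024-01-01"), True, False),
]

if __name__ == "__main__":
    result = sweep(SAMPLE, utc_day("2026-01-15"), utc_day("2026-02-11"))
    for name, issues in result.items():
        print(f"{name}: {'; '.join(issues)}")
```

In a real engagement the inventory would come from the directory export the forensics vendor already pulls; the point is that the sweep is finished before recovery is declared complete, not after.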