[{"data":1,"prerenderedAt":159},["ShallowReactive",2],{"article-slug-winona-county-minnesota-hit-by-second-cyberattack-in-2026":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":32,"events":54,"mitre_techniques":64,"mitre_mitigations":84,"d3fend_countermeasures":115,"iocs":124,"cyber_observables":125,"tags":142,"extract_datetime":149,"article_type":150,"impact_scope":151,"pub_date":36,"reading_time_minutes":158,"createdAt":149,"updatedAt":149},"5eb8acce-35a4-493e-a698-6000c361400f","winona-county-minnesota-hit-by-second-cyberattack-in-2026","Minnesota's Winona County Suffers Second Crippling Ransomware Attack This Year","Winona County, Minnesota Declares State of Emergency After Second Ransomware Attack in 2026","Winona County, Minnesota, is grappling with its second major cyberattack of 2026 after detecting a ransomware incident on April 7. The attack has severely disrupted government functions, taking many critical systems and digital services offline. Due to the incident's complexity, Minnesota's governor deployed the National Guard's cyber protection team to assist with response and recovery. While 911 services remain operational, other functions like the DMV are unavailable. This is the second time the county has been targeted this year, with a preliminary investigation suggesting a different threat actor is responsible for the latest attack.","## Executive Summary\nWinona County, Minnesota, has declared a local state of emergency following a **debilitating ransomware attack** detected on April 7, 2026. This marks the second time the county has been significantly impacted by a cyberattack in 2026, highlighting the persistent threat facing local governments. The attack has forced the county to take numerous systems offline, disrupting public services and forcing a reliance on manual processes. 
The severity of the incident prompted Minnesota Governor Tim Walz to authorize the deployment of the **Minnesota National Guard's** cybersecurity team to support containment and restoration efforts. The **[FBI](https://www.fbi.gov/)** is also involved in the ongoing criminal investigation. This event underscores a troubling trend of cybercriminals repeatedly targeting local government entities, which are often under-resourced yet responsible for critical public services.\n\n## Threat Overview\nThe incident has been identified as a ransomware attack. Upon detection, county officials enacted their incident response plan, which involved taking affected systems offline to prevent the malware from spreading further across the network. This containment measure, while necessary, has led to a significant disruption of government operations. Many services that require connectivity to state networks, such as the Department of Motor Vehicles (DMV) and Vital Statistics, are completely unavailable. Other functions are being handled with pen and paper, causing significant delays. Emergency 911 services have reportedly remained operational. A preliminary investigation indicates that this attack was carried out by a different cybercriminal group than the one responsible for the January 2026 incident, suggesting the county is being targeted by multiple, independent threat actors.\n\n## Technical Analysis\nSpecific details about the ransomware variant or the initial access vector have not been released due to the active investigation. However, the attack likely followed a common ransomware lifecycle.\n\n1.  **Initial Access**: Common vectors for local governments include successful phishing campaigns ([`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/)), exploitation of vulnerabilities in public-facing services like VPN or RDP ([`T1133 - External Remote Services`](https://attack.mitre.org/techniques/T1133/)), or the use of stolen credentials.\n2.  
**Persistence and Discovery**: After gaining a foothold, the attackers would have established persistence and begun exploring the network to identify high-value targets like domain controllers, file servers, and backup systems.\n3.  **Credential Access**: The actors would have used tools to escalate privileges and harvest credentials ([`T1003 - OS Credential Dumping`](https://attack.mitre.org/techniques/T1003/)) to facilitate lateral movement.\n4.  **Impact**: The final stage involved deploying ransomware across the network to encrypt files ([`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/)) and potentially exfiltrating sensitive data to be used in a double-extortion scheme.\n\n### MITRE ATT&CK Mapping\n*   **[`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/)**: The primary action causing the disruption of county services.\n*   **[`T1489 - Service Stop`](https://attack.mitre.org/techniques/T1489/)**: Critical government services were stopped as a direct result of the attack and containment efforts.\n*   **[`T1490 - Inhibit System Recovery`](https://attack.mitre.org/techniques/T1490/)**: It is highly likely the attackers attempted to delete or encrypt backups to hinder restoration.\n*   **[`T1133 - External Remote Services`](https://attack.mitre.org/techniques/T1133/)**: A frequent initial access vector for ransomware attacks against government entities.\n\n## Impact Assessment\nThe cyberattack has had a severe impact on the residents and operations of Winona County.\n*   **Disruption of Public Services**: Key services, including the DMV and Vital Statistics, are completely offline. 
This prevents citizens from conducting essential business like renewing licenses or obtaining official records.\n*   **Operational Setback**: County employees have been forced to revert to inefficient and error-prone manual processes, significantly slowing down government functions.\n*   **Economic Cost**: The cost of recovery will be substantial, including expenses for cybersecurity experts, the National Guard deployment, potential system replacements, and overtime for staff.\n*   **Erosion of Public Trust**: Being successfully attacked twice in one year can damage public confidence in the county's ability to protect its data and maintain essential services.\n*   **State-Level Response**: The incident was severe enough to require the intervention of the state governor and the deployment of a specialized National Guard unit, indicating a major crisis for the county.\n\n## Cyber Observables for Detection\nGeneral observables for detecting ransomware precursors and activity include:\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| command_line_pattern | `powershell.exe -enc` | Attackers frequently use encoded PowerShell commands to download tools or execute malicious code. | Process monitoring with command-line logging. | high |\n| process_name | `PsExec.exe` | Use of remote administration tools like PsExec for lateral movement across the network. | EDR, Process monitoring logs. | high |\n| event_id | `4720` | Creation of a new user account, especially with administrative privileges, can be a sign of persistence. | Windows Security Event Log on Domain Controllers. | medium |\n| log_source | `VPN Logs` | A high number of failed login attempts followed by a successful one from an unusual location can indicate a brute-force or password-spraying attack. | VPN appliance logs, SIEM. | medium |\n\n## Detection & Response\n1.  
**Endpoint and Network Monitoring**: Deploy EDR solutions to detect suspicious processes, command-line activity, and lateral movement. Monitor network traffic for unusual data flows or connections to known malicious IPs.\n2.  **Credential Monitoring**: Actively monitor for credential dumping activity (e.g., access to `lsass.exe`) and the creation of new, unauthorized administrative accounts.\n3.  **Log Analysis**: Centralize and analyze logs from critical systems, especially domain controllers and VPN concentrators, to detect early signs of compromise. This aligns with **[D3-DAM: Domain Account Monitoring](https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring)**.\n\n## Mitigation\nFor local governments, which are frequent targets, a defense-in-depth strategy is crucial.\n1.  **Patch Management**: Aggressively patch all internet-facing systems and software to close known vulnerability gaps. This is a fundamental aspect of **[D3-SU: Software Update](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)**.\n2.  **Multi-Factor Authentication (MFA)**: Enforce MFA on all remote access services (VPN, RDP) and for all privileged accounts. This is one of the most effective controls against credential-based attacks, as described in **[D3-MFA: Multi-factor Authentication](https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication)**.\n3.  **Immutable Backups**: Follow the 3-2-1 backup rule: three copies of your data, on two different media, with one copy off-site and immutable (unable to be altered or deleted).\n4.  **Network Segmentation**: Segment the network to prevent attackers from moving freely from a compromised workstation to critical servers. Isolate critical services from the general user network.\n5.  
**Security Awareness Training**: Since the first attack in January did not prevent a second, it's critical to re-evaluate and enhance security awareness training to help employees identify and report phishing and other social engineering attempts.","Minnesota's Winona County hit by its second major ransomware attack this year. The National Guard's cyber team has been deployed to help restore critical government services disrupted by the incident. #Ransomware #CyberAttack #LocalGov","Winona County, Minnesota, declares a state of emergency after a second ransomware attack in 2026 cripples government services, prompting the deployment of the Minnesota National Guard's cyber team.",[13,14,15],"Ransomware","Cyberattack","Incident Response","high",[18,21,23,26,29],{"name":19,"type":20},"Winona County Government","government_agency",{"name":22,"type":20},"Minnesota National Guard",{"name":24,"type":20,"url":25},"Federal Bureau of Investigation (FBI)","https://www.fbi.gov/",{"name":27,"type":28},"Tim Walz","person",{"name":30,"type":28},"Ben Klinger",[],[33,39,44,49],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.cbsnews.com/minnesota/news/minnesota-national-guard-deployed-to-help-winona-county-after-cyberattack/","Minnesota National Guard deployed to help Winona County after cyberattack","2026-04-10","CBS News","cbsnews.com",{"url":40,"title":41,"date":36,"friendly_name":42,"website":43},"https://www.mprnews.org/story/2026/04/10/some-winona-county-services-remain-down-and-offline-following-cyberattack","Some Winona County services remain down and off-line following cyberattack","MPR News","mprnews.org",{"url":45,"title":46,"date":36,"friendly_name":47,"website":48},"https://www.fox9.com/news/winona-county-works-to-fully-restore-services-following-ransomware-attack","Winona County works to fully restore services following ransomware attack","FOX 
9","fox9.com",{"url":50,"title":51,"date":36,"friendly_name":52,"website":53},"https://nationaltoday.com/blog/winona-county-battles-second-cyberattack-this-year/","Winona County Battles Second Cyberattack This Year","National Today","nationaltoday.com",[55,58,61],{"datetime":56,"summary":57},"2026-01-01T00:00:00Z","Winona County suffers its first cyberattack of 2026.",{"datetime":59,"summary":60},"2026-04-07","A second, separate ransomware attack is detected on Winona County's network.",{"datetime":62,"summary":63},"2026-04-09","Minnesota's governor authorizes the deployment of the National Guard to assist with the cyberattack response.",[65,69,73,77,80],{"id":66,"name":67,"tactic":68},"T1486","Data Encrypted for Impact","Impact",{"id":70,"name":71,"tactic":72},"T1133","External Remote Services","Initial Access",{"id":74,"name":75,"tactic":76},"T1078","Valid Accounts","Defense Evasion, Persistence, Privilege Escalation, Initial Access",{"id":78,"name":79,"tactic":68},"T1490","Inhibit System Recovery",{"id":81,"name":82,"tactic":83},"T1021.001","Remote Services: Remote Desktop Protocol","Lateral Movement",[85,93,97,106],{"id":86,"name":87,"d3fend_techniques":88,"description":92},"M1032","Multi-factor Authentication",[89],{"id":90,"name":87,"url":91},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Enforce MFA for all remote access, privileged accounts, and sensitive applications to prevent credential-based takeovers.",{"id":94,"name":95,"description":96},"M1053","Data Backup","Ensure critical data is backed up to an immutable, offline location to enable restoration without paying a ransom.",{"id":98,"name":99,"d3fend_techniques":100,"description":105},"M1030","Network Segmentation",[101],{"id":102,"name":103,"url":104},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Segment the network to contain intrusions and prevent ransomware from spreading from workstations to critical 
servers.",{"id":107,"name":108,"d3fend_techniques":109,"description":114},"M1051","Update Software",[110],{"id":111,"name":112,"url":113},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","Maintain a rigorous patch management program to close vulnerabilities in internet-facing systems before they can be exploited.",[116,118],{"technique_id":90,"technique_name":87,"url":91,"recommendation":117,"mitre_mitigation_id":86},"For a government entity like Winona County, which has been hit twice, the immediate and most critical defense is the universal enforcement of Multi-factor Authentication (MFA). This must be applied non-negotiably to all remote access points (VPN, RDP), all cloud services (e.g., Microsoft 365), and, most importantly, all privileged accounts (Domain Admins, local administrators). Since ransomware actors heavily rely on stolen or weak credentials for initial access and lateral movement, MFA acts as a powerful barrier. Even if an employee's password is phished or guessed, the attacker cannot proceed without the second factor. Given that this is the second attack, it's highly probable that a credential-based compromise was a factor in one or both incidents. Implementing phishing-resistant MFA, such as FIDO2 security keys, would provide the highest level of assurance and directly mitigate the most common ransomware intrusion vectors.",{"technique_id":119,"technique_name":120,"url":121,"recommendation":122,"mitre_mitigation_id":123},"D3-LAM","Local Account Monitoring","https://d3fend.mitre.org/technique/d3f:LocalAccountMonitoring","Implement robust Local Account Monitoring across all servers and workstations. After initial access, ransomware operators often create new local administrator accounts for persistence or use tools like Mimikatz to dump credentials from memory. 
Security teams in Winona County should use an EDR or SIEM to generate high-priority alerts for specific Windows Event IDs, including 4720 (A user account was created), 4732 (A member was added to a security-enabled local group, especially 'Administrators'), and 4738 (A user account was changed). Baselining normal administrative activity is key; any account creation or privilege escalation outside of a scheduled change window should be treated as a potential indicator of compromise and trigger an immediate investigation. This provides an opportunity to detect and evict an attacker during the lateral movement phase, before they can achieve widespread impact.","M1026",[],[126,131,137],{"type":127,"value":128,"description":129,"context":130,"confidence":16},"command_line_pattern","wmic.exe shadowcopy delete","Command used to delete Volume Shadow Copies to inhibit system recovery. Its execution outside of normal administrative tasks is highly suspicious.","Windows Event ID 4688, EDR logs.",{"type":132,"value":133,"description":134,"context":135,"confidence":136},"log_source","RDP Logs (Event ID 4624/4625)","Monitoring for brute-force RDP login attempts (many 4625s followed by a 4624) from external IP addresses can indicate an initial access attempt.","Windows Security Event Log on exposed servers.","medium",{"type":138,"value":139,"description":140,"context":141,"confidence":16},"file_name","mimikatz.exe","Presence or execution of known credential dumping tools like Mimikatz is a strong indicator of an active intrusion.","EDR, Antivirus logs, File integrity monitoring.",[143,144,145,146,147,148],"ransomware","local government","minnesota","winona county","national guard","incident response","2026-04-10T15:00:00.000Z","NewsArticle",{"geographic_scope":152,"countries_affected":153,"governments_affected":155,"industries_affected":156},"local",[154],"United States",[19],[157],"Government",4,1776260657975]