Cyber Incident Victim: Winona County

Date: Apr 2026

Location: United States of America

Summary

Winona County experienced two ransomware attacks this year, with the second incident disrupting DMV and vital statistics systems while emergency services remained operational. In response, parts of the network were taken offline, the Minnesota National Guard and federal agencies assisted, and after a phased restoration the county resumed near‑normal operations before later disclosing that attackers had leaked data from the compromised network.

Description

In January 2026, Winona County disclosed that it had been the target of a ransomware incident that affected its computer network, prompting the county board chair to declare a local emergency. The incident was largely resolved by the end of February, after which officials reported that they were implementing critical improvements to the network’s IT protocols. On Tuesday, April 7, 2026, county officials discovered a second ransomware attack on the county’s computer network, and the same day they took affected systems offline to contain the threat. The following day the attack continued to impact municipal services, leading the county to request state assistance and Governor Tim Walz to authorize a cybersecurity and recovery team from the Minnesota National Guard to deploy to Winona County. A local state of emergency was declared for this second attack as well.

The ransomware attack impacted the county’s vital statistics and Department of Motor Vehicles systems, while emergency services, including 911, law enforcement, fire, EMS and dispatch, remained operational and were never interrupted. Officials reported that parts of the network were pulled offline in phases, creating a backlog of services that caused delays for residents needing to visit county offices. By April 24 the county announced that its offices had returned to close to normal operations after a phased restoration of systems that were verified and secure before being brought back online. On April 30 the county learned that data taken from its network during the attack had been leaked by the cyber criminals, and it announced the breach later that day, stating that it would review the information with law enforcement and third‑party security partners to determine what and whose data was involved. The county pledged to notify any affected individuals as quickly as possible and to provide resources to help protect personal information.

Throughout the response, Winona County worked with multiple organizations, including the FBI, the Minnesota Bureau of Criminal Apprehension, Minnesota Information Technology Services, the League of Minnesota Cities and an external cybersecurity vendor, in addition to the Minnesota National Guard. Officials said the IT protocol improvements made after the earlier attack had helped detect the second incident and facilitated the investigation, containment and recovery efforts. A preliminary investigation indicated that the two ransomware attacks were carried out by different cybercriminal groups. The county maintained that it would continue to cooperate with law enforcement and state partners until answers were obtained and systems were fully restored, and it asked residents for patience and understanding during the recovery process.
