Winona County, Minnesota, confirmed on Wednesday that it was hit by a ransomware attack on Tuesday, April 8, forcing officials to take affected systems offline and declare a local state of emergency. Governor Tim Walz authorized Minnesota National Guard cyber specialists to assist with response and recovery. This marks the second ransomware attack against the county in 2026, following a separate incident in January.
What Happened
On Tuesday, Winona County detected ransomware on its network and immediately began isolating affected systems. County Administrator Maureen Holte confirmed the incident in a release Wednesday, stating that cybersecurity consultants were engaged and the FBI and Minnesota cyber resources were notified. Governor Walz issued an executive order the same day, deploying a specialized National Guard cybersecurity and recovery team to the county. Officials declared a local state of emergency to unlock additional resources. Emergency services, including 911, fire, and EMS, remained fully operational throughout the incident, but county administrative services are expected to face delays during recovery.
What Was Taken
Winona County has not disclosed whether data was exfiltrated in this attack. Given that the county handles sensitive resident records, including property filings, court documents, tax information, law enforcement data, and social services records, the potential exposure surface is significant. No ransomware group has publicly claimed responsibility or posted stolen data as of this writing. The January 2026 attack also did not result in a public data leak claim, though the full scope of that incident was never publicly detailed.
Why It Matters
Two successful ransomware attacks against the same local government entity within three months is a stark indicator of systemic defensive gaps. Preliminary investigation suggests different threat actors are responsible for each incident, meaning Winona County is not being re-targeted by a single persistent adversary but is instead vulnerable enough to be independently compromised by multiple groups. This pattern raises critical questions: Were the vulnerabilities exploited in January fully remediated? Did the recovery from the first attack introduce new weaknesses? Local governments across the United States remain among the softest targets in the ransomware ecosystem due to constrained budgets, legacy infrastructure, and limited cybersecurity staffing. The need for National Guard intervention in a county-level cyber incident underscores just how outmatched many municipalities are against modern ransomware operations.
The Attack Technique
No technical details about the intrusion vector have been released. The fact that different threat actors are believed responsible for the January and April attacks suggests Winona County may have multiple exploitable entry points, whether unpatched public-facing services, compromised credentials, or inadequate network segmentation that allows lateral movement once initial access is achieved. The rapid recurrence also raises the possibility that the January recovery did not include a thorough root-cause analysis or that remediation was incomplete, leaving infrastructure exposed to opportunistic scanning by other groups. Without further disclosure, defenders should assume common local government attack surfaces: exposed Remote Desktop Protocol, vulnerable VPN appliances, and phishing against staff accounts with limited multi-factor authentication coverage.
What Organizations Should Do
Local governments and similarly resourced organizations should treat this incident as a warning and take the following steps:
- Conduct post-incident validation audits. If your organization has recovered from a prior ransomware event, verify that all identified vulnerabilities were fully remediated and that recovery processes did not introduce new gaps.
- Enforce multi-factor authentication everywhere. MFA on email, VPN, remote access, and administrative portals remains the single highest-impact control against credential-based intrusions.
- Reduce external attack surface. Audit all internet-facing services. Disable RDP exposure, patch VPN appliances to current versions, and place administrative interfaces behind zero-trust or VPN-gated access.
- Segment critical networks. Ensure that a compromise in one department cannot traverse freely to 911 dispatch, law enforcement, or court systems. The fact that Winona County's emergency services stayed online suggests some segmentation existed, which is a model other counties should replicate.
- Establish relationships with state cyber resources before an incident. Minnesota's National Guard cyber teams are a valuable asset, but response is faster when coordination frameworks are already in place. Every state has comparable resources through CISA and state fusion centers.
- Maintain tested offline backups. Ransomware recovery timelines shrink dramatically when organizations have verified, air-gapped backups that are regularly tested for restoration integrity.
Sources: Winona County responds to second ransomware attack in 2026 with National Guard assistance