Winona County, Minnesota confirmed on Wednesday that it was hit by a ransomware attack on Tuesday, April 8, forcing officials to take affected systems offline, declare a local state of emergency, and request cybersecurity assistance from the Minnesota National Guard. This marks the second ransomware incident to strike the county in less than three months, following a separate attack in January 2026. Preliminary investigation indicates a different threat actor is responsible for this latest intrusion.

What Happened

On Tuesday, Winona County detected ransomware activity across its network infrastructure. County Administrator Maureen Holte confirmed that officials immediately began investigating and engaged external cybersecurity consultants. Affected systems were pulled offline to contain the spread. The county notified the FBI and Minnesota state cyber resources.

Governor Tim Walz issued an executive order the same day, authorizing the Minnesota National Guard to deploy a specialized cybersecurity and recovery team to assist with incident response and restoration. The county simultaneously declared a local state of emergency, the second such declaration tied to a cyber incident in 2026.

County officials confirmed that 911, fire, and emergency services remained fully operational throughout the event, though the public was warned to expect delays from other county services while systems are secured and restored.

What Was Taken

As of this writing, the county has not disclosed the specific ransomware variant deployed, the scope of data potentially exfiltrated, or whether a ransom demand was received. Given that this is a county government, systems at risk likely include resident records, tax and property data, court filings, law enforcement databases, public health records, and internal administrative systems. Whether the attackers accessed or exfiltrated sensitive data prior to encryption remains under investigation.

Why It Matters

Two successful ransomware attacks against the same local government entity within a 90-day window are a significant signal for defenders. Several things stand out:

Repeat targeting is accelerating. The fact that a different threat actor is believed responsible for the April attack suggests Winona County may have been identified as a soft target within ransomware ecosystems. Initial access brokers frequently resell footholds or share intelligence about vulnerable organizations, and a publicly reported January incident effectively advertised the county's exposure.

Local governments remain critically under-resourced. The need for National Guard cyber teams underscores the gap between the threat landscape and the defensive capabilities available to county-level government. Most counties lack dedicated security operations centers, 24/7 monitoring, or incident response retainers.

Recovery from the first incident may have been incomplete. While officials stated different actors are responsible, the short interval raises questions about whether root cause remediation from the January attack was fully completed before the second intrusion occurred.

The Attack Technique

No technical details on the initial access vector or ransomware strain have been disclosed. However, the pattern of a second compromise shortly after a prior incident is consistent with several common scenarios:

Without further disclosure, defenders should consider all three scenarios plausible.

What Organizations Should Do

Organizations, particularly local governments recovering from a prior incident, should treat this case as a direct warning:

  1. Conduct a full post-incident compromise assessment. After any ransomware event, assume the environment is not clean until proven otherwise. Engage a separate team to validate that eradication was complete before reconnecting systems.
  2. Reset all credentials, including service accounts. Reused or unreset credentials are the most common reason attackers regain access after an initial incident. This includes Active Directory, VPN, remote access, and cloud service accounts.
  3. Rebuild, do not restore from potentially compromised backups. If backup integrity cannot be independently verified, rebuild systems from known-good images with current patches applied before they touch the production network.
  4. Implement network segmentation and monitoring before full restoration. Deploy EDR and network detection tools on rebuilt systems immediately. Segment critical services so that a future compromise in one area cannot propagate laterally.
  5. Engage state and federal resources proactively. CISA, MS-ISAC, and state National Guard cyber units offer pre-incident assessments and planning. Do not wait for the next emergency declaration to establish these relationships.
  6. Assume you are being watched after a public incident. Threat actors monitor breach disclosures. Harden your external attack surface immediately following any public reporting of a compromise.
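One way to verify step 2 before reconnecting systems is to audit Active Directory for credentials that were never rotated after the first incident. The script below is an added example, not part of the article or any county procedure; it assumes the RSAT ActiveDirectory module, read access to the domain, and a placeholder incident date that you replace with the date the earlier intrusion was detected.

```powershell
# Added example (not from the article): list AD credentials whose password was
# NOT reset after the first incident, so a repeat intrusion cannot reuse them.
# Assumes RSAT ActiveDirectory and domain read access. $IncidentDate is a
# placeholder, not the real Winona County date.
param(
    [datetime]$IncidentDate = (Get-Date '2026-01-15'),   # placeholder date
    [string]$ReportPath = '.\stale-credentials.csv'
)
Import-Module ActiveDirectory -ErrorAction Stop

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Enabled user accounts. Accounts carrying an SPN are flagged as service
#    accounts, since those are the ones most often skipped during a reset.
Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, ServicePrincipalName, PasswordNeverExpires |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $IncidentDate } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Account      = $_.SamAccountName
            Type         = if ($_.ServicePrincipalName) { 'ServiceAccount(SPN)' } else { 'User' }
            LastSet      = $_.PasswordLastSet
            NeverExpires = $_.PasswordNeverExpires
        })
    }

# 2. Group managed service accounts rotate automatically, but confirm the
#    rotation actually happened after the incident rather than assuming it.
Get-ADServiceAccount -Filter * -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $IncidentDate } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Account = $_.SamAccountName; Type = 'gMSA'
            LastSet = $_.PasswordLastSet; NeverExpires = $false
        })
    }

# 3. krbtgt: until it is reset (twice, per Microsoft guidance) after an
#    incident, Kerberos tickets issued under the old key stay valid.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt $IncidentDate) {
    $findings.Add([pscustomobject]@{
        Account = 'krbtgt'; Type = 'KDC'
        LastSet = $krbtgt.PasswordLastSet; NeverExpires = $true
    })
}

$findings | Sort-Object Type, LastSet | Export-Csv -NoTypeInformation -Path $ReportPath
Write-Host ("{0} account(s) not reset since {1:d}; report: {2}" -f `
    $findings.Count, $IncidentDate, $ReportPath)
```

Run it from a domain-joined workstation as an account with read access to the directory; any row in the report is a credential the first intrusion may still be able to use.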

Sources: Winona County responds to second ransomware attack in 2026 with National Guard assistance