Winona County, Minnesota officials confirmed on April 29, 2026 that cybercriminals behind an April ransomware attack have published data stolen from the county's network after the county declined to meet extortion demands. The incident is the second ransomware attack against the county this year and prompted a local state of emergency, with response support provided by the Minnesota National Guard.

What Happened

The attack was detected on April 7, 2026, prompting the county to take portions of its network offline to contain the threat. County operations returned to near-normal status on April 24, but on April 29 the county learned that the threat actors had released stolen data publicly, almost certainly via a leak site after the ransom was not paid. Officials stated they will conduct "a comprehensive review of this information with the assistance of law enforcement and our third-party cyber security partners to determine what and whose information is potentially involved."

This marks the second ransomware incident the county has disclosed in 2026. The first was disclosed in January, and a preliminary investigation indicated the two intrusions were perpetrated by different threat actors. A local state of emergency was declared in response to both attacks.

What Was Taken

The county has not yet published a definitive inventory of the leaked data, citing an ongoing review. Based on the systems known to be impacted during the outage, the exposed data set is likely to include records from:

Notably, emergency services were not interrupted during the incident, suggesting CAD/911 systems were either segmented or not impacted. Affected individuals will be notified by the county once the review is complete, and identity protection resources will be provided.

Why It Matters

Winona County's experience illustrates several converging trends defenders must take seriously. First, the county was hit twice in a single year by separate threat actors, a pattern increasingly observed in small-to-mid-sized U.S. local government targets that are perceived as soft and underfunded. Second, the county's refusal to pay, while operationally and ethically defensible, resulted in the predictable retaliation of public data exposure, a reminder that double extortion remains the dominant ransomware monetization model in 2026.

For defenders in the public sector, the case underscores that DMV and vital records systems remain prime targets because the data they hold (SSNs, ID numbers, dates of birth, addresses) has long-tail value for identity fraud and downstream social engineering. Once leaked, this data cannot be recalled.

The Attack Technique

The county and its partners have not publicly attributed the April attack to a specific ransomware group, nor have they disclosed the initial access vector. No tactic, technique, or procedure (TTP) details have been released as of publication. However, the operational pattern (network intrusion, data exfiltration, encryption or extortion, refusal to pay, and subsequent leak site publication) is consistent with the playbook used by virtually every active double-extortion ransomware affiliate program. Common initial access vectors against county-level government targets in recent campaigns include exposed remote access services, unpatched edge appliances (VPN concentrators, firewalls), and credential compromise through phishing or infostealer logs.

What Organizations Should Do

Public sector IT leaders, particularly at the county and municipal level, should treat this incident as a prompt to validate the following controls:

  1. Audit external attack surface. Inventory and harden internet-facing services, including VPN, RDP, Citrix, and file transfer appliances. Apply vendor patches on a same-week cadence for known exploited vulnerabilities.
  2. Segment legacy and high-value systems. DMV, vital records, court, and finance systems should be isolated from general user networks so that a single compromised endpoint cannot reach them laterally.
  3. Deploy and monitor EDR everywhere. Coverage gaps on servers and legacy hosts are repeatedly cited as the reason ransomware affiliates dwell undetected for days or weeks.
  4. Test offline, immutable backups. Restoration drills, not backup existence, are what determine recovery time when paying is off the table.
  5. Plan for the leak, not just the lock. Build an incident response playbook that assumes data will be published, including pre-drafted notification templates, legal counsel engagement, and identity protection vendor contracts.
  6. Engage state and federal partners early. Winona County's use of the Minnesota National Guard and external cyber partners is a model worth replicating; CISA, MS-ISAC, and state fusion centers offer free resources most local governments underutilize.

Sources: Cyber Criminals Leak Data From Minnesota Ransomware Incident