When Winona County Administrator Maureen Holte confirmed on April 8, 2026 that county officials had detected and responded to a ransomware attack the day prior, the statement carried an extraordinary caveat: this was not the first time. Winona County had already been struck by ransomware just months earlier, in January 2026. The same 50,000-person county on the banks of the Mississippi River in southeastern Minnesota was now the victim of a repeat attack – from a different criminal group.
That detail alone should command the attention of every county administrator, IT director, and elected official in the country. But the story goes further. Minnesota Governor Tim Walz authorized the deployment of the Minnesota National Guard to support the county’s response, a move that illustrates how dramatically the calculus around municipal cyber incidents has shifted.
The Incident: Systems Offline, Emergency Declaration Issued
County officials confirmed the attack was detected on April 7, 2026. As a precautionary measure, Winona County took its computer systems offline – a move described as being made “out of an abundance of caution” while staff worked to secure and restore services. The county immediately launched an investigation, notified the FBI, engaged Minnesota’s state cyber resources, and brought in third-party cybersecurity and data forensics consultants.
To access the full range of resources necessary for the response, the county declared a local state of emergency. This mechanism – commonly associated with natural disasters – has become an increasingly necessary tool in the county cyber incident playbook, allowing governments to cut through procurement rules, access mutual aid agreements, and mobilize personnel more quickly.
Critically, emergency services were not disrupted. The county confirmed that 911, fire, and emergency response resources continued to operate without interruption throughout the incident.
The governor’s office stated that the county requested National Guard support “due to the scale and complexity of the incident.” Governor Walz’s public statement captured the broader stakes: “Cyberattacks are an evolving threat that can strike anywhere, at any time. Swift coordination between state and local experts matters in these moments.”
The National Guard Deployment: A Significant Escalation
The use of the National Guard in a cybersecurity response is not unprecedented, but it remains uncommon enough to signal a meaningful shift in how state governments are treating county-level ransomware attacks. National Guard cyber units – most states now maintain them – bring military-grade incident response capabilities, trained analysts, and the authority to act quickly under emergency conditions.
The decision to deploy them to Winona County reflects a growing recognition that most county governments simply do not have the internal resources to handle a sophisticated ransomware attack. A county of 50,000 residents does not typically employ a CISO, a dedicated security operations center, or a full incident response team. When an attack occurs, the gap between what is needed and what is available can be enormous.
This deployment sets a precedent that other state governments should be watching. It signals that the state-county relationship in cybersecurity is evolving from passive guidance and occasional training to active, rapid-response intervention. That is a healthy development – and one that should accelerate.
Twice in One Year: What the Second Attack Reveals
The fact that Winona County suffered two ransomware attacks within the first quarter of 2026 is, by any measure, alarming. The county first announced a ransomware incident affecting its computer network on January 23, 2026. Recovery and remediation followed. Then, approximately ten weeks later, a second, unrelated criminal group struck the same network.
Based on preliminary investigation, the cybercriminal behind the January attack is not believed to be the same actor responsible for the April incident. This rules out the most straightforward explanation – that the first attacker returned – and raises a more troubling possibility: that Winona County’s network profile, vulnerabilities, or publicly known breach history made it an attractive target for multiple independent threat actors.
In ransomware criminal ecosystems, breach lists circulate. Initial access brokers sell footholds in compromised networks. A county that has already been breached once may, paradoxically, become more attractive to other threat groups – not less. The first breach can signal that the organization lacks mature defenses, that it may be willing to pay, or simply that its network credentials or access points have been enumerated and are available for purchase.
Holte offered a more constructive framing. Speaking about the security improvements the county undertook following the January incident, she said: “In fact, those improvements helped us to detect this incident, investigate and take steps to recover.” That is a notable silver lining. The remediation work done after the first attack appears to have improved the county’s detection capabilities enough to identify the second intrusion earlier than might otherwise have occurred.
This is not a vindication of the county’s overall security posture – two attacks in a quarter is a crisis, not a success story. But it does validate the principle that post-incident improvements matter and that visibility into your own network is a meaningful defensive asset.
Why Local Governments Keep Getting Hit
Winona County is not an outlier. It is a representative example of a category of organization that has become one of the most systematically targeted in the ransomware ecosystem: the under-resourced county or municipal government.
The structural vulnerabilities are well-documented. County IT departments typically operate under severe budget constraints, often managing sprawling legacy infrastructure with small teams. Turnover is high relative to the private sector. Security tooling that is routine in enterprise environments – endpoint detection and response, 24/7 monitoring, multi-factor authentication enforced across all systems – is frequently absent or inconsistently deployed. Procurement cycles are slow, governed by public bidding requirements that bear no relationship to the speed of the threat environment.
Winona County fits this profile. So does Pittsburg, Kansas, which we examined in depth as a case study in how ransomware exploits the specific vulnerabilities of small municipal governments. So does Suffolk County, New York, whose 2022 ransomware attack exposed years of systemic security failures across a much larger county government. The pattern repeats because the underlying conditions that create it are structural, not incidental.
Minnesota has seen this pattern within its own borders. The City of St. Paul and Rochester Public Schools have both experienced cyberattacks in recent years. When county governments see neighboring jurisdictions attacked without significant consequences for the attackers, the message received by threat actors is that this sector is accessible and relatively safe to exploit.
Nationally, the municipal ransomware crisis shows no sign of abating. Attleboro, Massachusetts was hit in late 2025. Inman, South Carolina waited seven months before disclosing a June 2024 attack – a disclosure failure that compounds the original harm. Middletown took five months to restore water billing systems after a ransomware attack. Each incident is distinct in its details and similar in its structural causes.
What the 911 Continuity Tells Us
The fact that Winona County’s emergency services – 911, fire, and emergency resources – continued to operate uninterrupted throughout the attack is significant, and not only for the obvious public safety reason. It suggests that the county had some degree of network segmentation in place, with critical public safety systems either isolated from or resilient enough to survive the compromise of the broader administrative network.
This is a meaningful design choice. In many ransomware attacks on municipalities, emergency dispatch systems have been disrupted or threatened. When they survive intact, it typically indicates that the organization made deliberate decisions – at some point – to treat public safety infrastructure as a separate, hardened environment.
That segmentation did not prevent the attack, and it did not protect the county’s broader operations. But it protected the right things. The principle worth extracting for other county governments is this: if you cannot secure everything, be deliberate about what you prioritize and design your network accordingly. Critical public safety systems should be logically (and ideally physically) separated from administrative and back-office systems.
Emergency Declarations as Incident Response Tools
The county’s use of a local state of emergency declaration deserves attention as a strategic incident response mechanism. Emergency declarations unlock procurement flexibility, enable mutual aid, and create legal clarity around the authority to act quickly. In a ransomware scenario where every hour of delay compounds the damage, the ability to bypass standard government procurement processes to engage vendors, authorize overtime, and access state and federal resources can materially change recovery timelines.
County governments that have not yet gamed out what a cyber emergency declaration looks like in their jurisdiction – what it authorizes, how long it lasts, what thresholds must be met – are leaving a critical tool unused. The Winona County model of immediate notification to law enforcement, engagement of third-party forensics, and emergency declaration represents the right sequence, even if the circumstances that made it necessary were entirely unwelcome.
Recommendations for County and Municipal Governments
The Winona County incident crystallizes several imperatives for local government cybersecurity programs:
Treat post-incident remediation as defense, not cleanup. The security improvements Winona County implemented after January appear to have improved detection in April. Every incident is an opportunity to reduce the attack surface for the next one.
Establish state-level relationships before the attack happens. The speed with which the Minnesota National Guard was deployed reflects pre-existing relationships and frameworks. Counties that wait until an attack to introduce themselves to state cyber resources will lose critical hours.
Segment and protect public safety systems. 911, emergency dispatch, and first responder communications should be treated as untouchable. Design, budget, and maintain them accordingly.
Understand your emergency declaration process. Know what a local state of emergency authorizes in your jurisdiction, and have internal consensus on who can declare one and under what conditions.
Assess your incident response maturity now, not after an attack. Tools like the IR Maturity Assessment can help county IT teams identify gaps before they are exploited. Understanding where you stand is a prerequisite for prioritizing limited resources effectively.
Model the financial impact. Ransomware incidents are expensive – in direct costs, recovery time, contractor fees, and lost productivity. The IR Cost Calculator can help county administrators build the internal case for security investment before a breach makes the argument for them in the worst possible way.
Conclusion
Winona County’s second ransomware attack of 2026 is not just a bad day for a small county in southeastern Minnesota. It is a diagnostic. It reveals what happens when threat actors recognize that a category of organization – the under-resourced county government – can be attacked repeatedly because the systemic conditions that enable those attacks have not been addressed.
The deployment of the Minnesota National Guard is a welcome and appropriate response. But it cannot be the only response. The structural vulnerabilities that made Winona County a target in January, and again in April, exist in thousands of counties across the country. The question is not whether another county will be hit next. The question is which one – and whether they will be ready.



