Governor Walz Activates National Guard Following Ransomware Strike on Winona County

WINONA, MN — Governor Tim Walz has signed an executive order authorizing the Minnesota National Guard to provide emergency cyber assistance to Winona County as the municipality struggles to recover from a persistent ransomware attack. The activation marks a significant escalation in the state’s tactical response to a localized breach, signaling the severity of the disruption to county services.

Emergency Assistance Triggered

The decision to deploy the National Guard’s Cyber Protection Team (CPT) follows a series of updates from county officials indicating that the intrusion, first detected in late January, has significantly hampered the local computer network. According to reports from KTTC and News 8000, the specialized military unit will assist with forensic analysis, system restoration, and the hardening of network perimeters that were bypassed during the initial attack.

While Winona County has worked with private forensic firms and the Minnesota IT Services (MNIT) since the incident began, the Governor’s emergency order provides the additional "boots on the ground" technical expertise required to accelerate recovery.

A Year of Escalating Threats in Minnesota

The strike on Winona County is not an isolated event. Security analysts note that Minnesota’s public sector has faced an aggressive barrage of digital threats over the past 14 months. KSTP recently reported that local governments in the state are facing attempted cyber intrusions "almost every day."

Winona County itself has been battling this specific incident since early 2026. Reports from The Cyber Express and The Record suggest a multi-stage ransomware event where attackers initially gained access in January, leading to a network-wide shutdown in February. The continued need for National Guard intervention in April underscores the "sticky" nature of modern ransomware, where eradicating the threat actor is often more complex than simply restoring files from backups.

Statewide Resilience Strategy

The activation of the National Guard reflects a growing national trend where state governors utilize military cyber capabilities to support under-resourced local municipalities. "This isn't just about Winona," noted one security researcher cited by StateScoop. "It’s about preventing lateral movement between county systems and the state backbone."

In addition to Winona, other Minnesota agencies have reported "near-miss" incidents and credential-stuffing attacks throughout 2025 and 2026. The state’s pivot toward military-grade assistance suggests that the volume of municipal attacks has begun to exceed the capacity of civilian state IT resources.

Primary Intel & Reports: MPR News, The Record, KTTC News, KSTP

The CyberSignal Analysis

The Winona County intervention is a critical case study in "Resource Exhaustion" at the local government level.

• The Lingering Intrusion: The timeline — from January detection to April National Guard activation — highlights a dangerous "Recovery Gap." Many local governments lack the deep-bench forensics required to ensure an attacker hasn't left behind persistent backdoors.
• National Guard as the "Digital Reserve": Utilizing the National Guard for municipal breaches is a high-impact but finite solution. As attacks on local governments become "daily" events, the state must transition from Emergency Activation to Proactive Shared Services, where smaller counties benefit from a centralized, state-funded security operations center (SOC).
• Operational Takeaway: Municipalities must prioritize Offline Immutable Backups. Ransomware actors are increasingly targeting backup servers first. If Winona County’s recovery requires military intervention months after the fact, it suggests the original restoration path was likely compromised or destroyed.