A cyberattack struck Winona County, Minnesota on Monday, April 6, 2026, disrupting critical county systems and digital services and prompting Governor Tim Walz to issue an executive order activating the Minnesota National Guard. The attack continued into Tuesday, April 7, significantly impairing the county’s ability to deliver emergency and municipal services. It is the second major cyber incident to hit the county in less than three months.
County officials confirmed that 911 and emergency response systems remained operational throughout the incident. Beyond that, details on which systems were affected and the full scope of the disruption were not immediately available. County Board Chair Chris Meyer said she learned of the attack on Tuesday and that computer systems were down across departments. County Administrator Maureen Holte was working to respond to inquiries but had not provided detailed public information by time of publication.
Scale Forced the State’s Hand
Winona County did not call in the National Guard by choice. Officials confirmed the scale and complexity of the attack exceeded both internal response capacity and the capabilities of external commercial cybersecurity contractors already engaged. That determination triggered a formal request for cyber protection support from the Minnesota National Guard, which Walz authorized through executive order effective immediately.
Under the order, the Adjutant General is authorized to deploy personnel, equipment, and other resources to support the response. The state’s general fund will cover associated costs. The county is coordinating with Minnesota Information Technology Services, the Minnesota Bureau of Criminal Apprehension, the League of Minnesota Cities, the FBI, and outside cybersecurity specialists.
“Cyberattacks are an evolving threat that can strike anywhere, at any time,” Walz said in a statement. “Swift coordination between state and local experts matters in these moments. That’s why I am authorizing the National Guard to support Winona County as they work to protect critical systems and maintain essential services.”
The January Ransomware Attack Was Never Fully Behind Them
The April attack arrives as a painful echo of a ransomware incident Winona County first disclosed on January 23, 2026. That attack knocked out phone lines, took internal networks offline, and forced the county recorder’s office to halt real estate transaction processing. County Board Chair Meyer declared a local emergency under Minnesota Statute 12.29, allowing the county to access state and federal assistance and establish an emergency command center.
The January incident took weeks to resolve. By February 20, the county reported that most offices had resumed normal operations but warned residents that some public-facing systems remained in a phased restoration process. The county worked throughout that period with third-party cybersecurity and data forensics experts alongside local, state, and federal law enforcement. No ransomware group publicly claimed responsibility for the January attack, and no attribution was ever made public.
County Recorder Bob Bambenek, whose department bore the brunt of the January disruption, confirmed the county had experienced another issue with systems down. The recurrence in such a compressed timeframe raises serious questions about whether the January incident was fully remediated before the April attack began, and whether the two events share any connection.
A Pattern Playing Out Across Minnesota
Winona County is not an isolated case. Minnesota has seen a string of local government cyber incidents over the past year. A ransomware attack disrupted Mower County services in June 2025. St. Paul declared a local emergency that same summer following a cyberattack that also prompted Governor Walz to activate the National Guard’s cyber protection team. North St. Paul separately investigated an intrusion involving its police department detected in late July 2025. The Minneapolis Park and Recreation Board lost phone systems to a cyberattack in November 2024.
The pattern reflects a documented national trend. Smaller counties and municipalities are increasingly targeted precisely because they operate aging infrastructure, carry tight IT budgets, and often lack the in-house expertise to detect and contain sophisticated intrusions. When those attacks hit, the gap between what local teams can handle and what the incident actually requires becomes immediately apparent, as it did in Winona County on both occasions.
No Attribution, Investigation Ongoing
No threat actor has claimed responsibility for the April 6 attack. The nature of the attack, whether ransomware, a destructive wiper, or something else, has not been publicly confirmed by county or state officials. The involvement of the FBI and the Minnesota Bureau of Criminal Apprehension suggests the incident is being treated as a serious criminal matter. Attribution and a full assessment of impacted systems are expected to emerge as the investigation progresses.
