Winona’s Ransomware Fire Drill: When the Guard Becomes the Firewall

That burnt-electronics smell is the kind of warning you cannot ignore. In this case, it came from Winona County’s networks after a ransomware attack, turning the daily digital neighborhood into something that sputters and stalls when you need it most.

Minnesota National Guard deployed to help Winona County

According to reporting on April 10, 2026, Gov. Tim Walz authorized the Minnesota National Guard to help Winona County respond after the county detected a ransomware attack on Tuesday. The county said affected systems were taken offline and residents should expect delays, while emergency services continued to operate. In other words: the plug got pulled to protect operations, but key services stayed up.

The county also described this as a separate incident from a January cyberattack. Officials said their preliminary investigation indicated it was not the same cybercriminal as the previous hit. That distinction matters because response work depends on knowing what threat actor you are dealing with, and what you might have to hunt for next.

Walz called the Guard, and the Guard brought expertise

Reporting described the Guard sending 15 experts from its cybersecurity team. The county’s emergency management director, Ben Klinger, said the experts helped local staff work faster and more deeply as the county hardened its network and added even more security. In additional accounts, Klinger and state and federal partners described taking the network offline out of caution, then restoring systems in phases while verifying each system’s security before bringing it back online.

Lt. Col. Brian Morgan, a Guard cyber coordination cell director, said these threat actors are typically financially motivated. The playbook described was straightforward: they try to gain access, ransom availability of the network, then, if they can, seek data and attempt extortion by threatening to release stolen information unless they get paid.

Why local governments are easy targets

University of Minnesota professor Jonathan Wrolstad explained that cities and counties often have fewer resources than larger organizations, yet still must keep day-to-day services running. That pressure can make them lucrative targets because ransomware crews know public-facing services cannot simply go dark.

What it means: cyber is part of national defense

When the Guard has to step into the IT gap, the lesson is hard to miss. Cybersecurity is not just an optional technical task. It is part of national defense because local systems support how the nation functions. Take down a county’s main network and you can get delays that regular Americans rely on. Take down emergency-adjacent systems and you risk slowing help when seconds matter.

Winona County took affected systems offline and worked to restore in phases, and the Guard provided expertise when it mattered. Now, officials and decision-makers should treat cybersecurity readiness as essential, with serious resourcing, faster threat intelligence sharing, accountability for underinvestment, and practical recovery playbooks that anticipate attacks rather than improvise after the fact.