Interlock Claims Responsibility for Winona County Breach

⚡ Weekend Threat Brief

Interlock Claims Responsibility for Winona County Breach

The ransomware group Interlock has claimed responsibility for the April cyberattack on Winona County, Minnesota. The county first disclosed the incident on April 9 after taking systems offline to contain the attack. Residents were warned to expect service delays while recovery efforts began.

Interlock says it stole more than two million files and has posted sample documents on its leak site to support its claim. Winona County has confirmed that data taken during the attack was later released online, though officials have not verified the group’s full claims. The county has also declined to disclose what information was exposed, whether a ransom was demanded, or if any payment was made.

This was the county’s second ransomware incident in 2026. A separate attack in January led to a state of emergency. County officials say the April attack was carried out by a different threat actor. They also noted that security upgrades already underway helped detect and contain the second breach more quickly.

Takeaways:

  • Repeat ransomware attacks often expose lingering weaknesses or incomplete recovery efforts

  • Data theft remains a major risk even when systems are restored quickly

  • Security improvements made after an initial attack can greatly improve detection and response during future incidents

🎯 Tactical Playbook

Why Lawmakers Are Scrutinizing Chinese AI in Critical Infrastructure

U.S. lawmakers are examining the cybersecurity risks tied to Chinese-built AI models deployed in critical infrastructure. The concern is not only data privacy. It is also about supply chain trust, model integrity, and the possibility of hidden vulnerabilities in systems that support power grids, manufacturing plants, and transportation networks.

As AI becomes part of operational technology, the attack surface grows. Organizations must treat AI models as software supply chain assets, subject to the same security reviews, testing, and governance controls as any other critical component.

Key Takeaways:

  • AI models should undergo security reviews before deployment in critical environments

  • Provenance, training data, and update mechanisms matter as much as model performance

  • Critical infrastructure operators should require strong vendor transparency and independent validation

🛡️ Research Watch

NSA and Global Partners Issue New Guidance on Agentic AI Security

The National Security Agency, together with international cybersecurity partners, has released new guidance on securing agentic AI systems. These systems can make decisions and take actions with limited human input, which raises both opportunity and risk.

The guidance focuses on secure design, access controls, oversight, and clear operational boundaries. As organizations begin using autonomous AI for security, operations, and analysis, governance must keep pace. Autonomy without guardrails is simply risk at machine speed.

 

🧩 Tool Tip of the Week

Get More From PRTG With Dependency Mapping

In Paessler PRTG Network Monitor, use device dependencies to reduce alert noise during outages. When a core router or switch fails, dozens of downstream devices can trigger separate alerts. Dependency mapping tells PRTG which systems rely on others.

When the parent device goes down, PRTG suppresses child alerts automatically. That gives your team one actionable incident instead of a flood of false alarms. It is one of the easiest ways to improve signal-to-noise ratio in a busy monitoring environment.

🗣️ Community Signal

The reality of today’s cybersecurity landscape is a cycle of noise and reactive patches. Organizations are currently struggling with "vulnerability fatigue," a state where security teams are overwhelmed by thousands of alerts, most of which are never addressed due to manual constraints and a global shortage of experts. - Dragan Pleskonjic, Founder & CEO @ Glog.AI

Until Monday’s edition - Let’s keep that zero-day count at zero!
