A significant cybersecurity incident has hit the OnSolve CodeRED platform, a mass notification system widely used by US state and local governments for emergency alerts. The ransomware group INC, operating under a Ransomware-as-a-Service (RaaS) model, has claimed responsibility. The attack disrupted emergency notification workflows and led to the compromise of personal data belonging to CodeRED users across the United States.
What Is OnSolve CodeRED and Why the Breach Matters
CodeRED, operated by Crisis24, underpins critical public safety communications. Police departments, fire services, emergency management agencies, counties, and cities use the platform to send alerts about floods, wildfires, gas leaks, severe weather, missing persons, and other life-threatening situations.
This places CodeRED firmly within the realm of critical alerting infrastructure. Any prolonged outage or degradation can mean residents do not receive time-sensitive warnings. Security researchers consistently classify attacks on such systems as high-impact incidents, even when they are motivated by cybercrime rather than nation-state espionage or terrorism, because the consequences go beyond data loss and can affect physical safety.
Timeline and Tactics of the INC Ransomware Attack
According to statements from both the attackers and Crisis24, the INC group infiltrated OnSolve’s infrastructure on 1 November 2025. After an initial period of stealthy access and internal reconnaissance, the group triggered file encryption and launched the ransomware phase on 10 November 2025. This follows a typical ransomware playbook: establish a foothold, move laterally, identify valuable systems, then encrypt and extort.
INC claims the company was prepared to pay a US$100,000 ransom, but negotiations failed. The attackers then allegedly refused to provide decryption keys and began offering stolen data for sale on dark web marketplaces, publishing screenshots that included user accounts and even plaintext passwords as proof of compromise.
Scope of the Data Breach and Affected Infrastructure
Crisis24 reports that the incident affected an older, legacy version of the CodeRED platform. The vendor emphasizes that other systems were not impacted, yet this older deployment was still actively used by numerous state and municipal customers nationwide, making the compromise operationally significant.
Exfiltrated data reportedly includes a broad set of personally identifiable information (PII): names, postal addresses, email addresses, phone numbers, and account passwords. The exposure of passwords is particularly serious. Many users still reuse credentials across multiple services; according to several industry studies, password reuse remains one of the most common security weaknesses, enabling attackers to perform “credential stuffing” against banking, email, and social media accounts.
Because of the damage to the environment, Crisis24 shut down the compromised legacy system and rebuilt services from backups on the newer CodeRED by Crisis24 platform. However, the available backups were dated 31 March 2025, leaving a multi-month data gap. Some records and user accounts did not migrate into the restored system, complicating the return to full operational capacity for many agencies.
Operational Impact on Authorities and Public Safety Agencies
Numerous counties, cities, and public safety organizations across the US reported significant disruption to emergency alert operations. Agencies had to troubleshoot delivery issues, rebuild contact lists, re-register users, and validate communication channels on short notice. For organizations that rely on rapid mass communication, this kind of forced reconfiguration can slow down response during critical events.
Some government customers have reportedly begun reconsidering or terminating contracts with CodeRED in light of the breach. For vendors serving the public sector, such incidents pose not only reputational damage but also regulatory and compliance risks, as contracts often mandate stringent data protection, incident response, and resilience requirements for critical services.
Risks for CodeRED Users and Recommended Security Actions
Because passwords and full contact details were exposed, all affected CodeRED users should immediately change their passwords on the platform and on any other services where the same or similar passwords may have been used. Best practice is to adopt unique, long, and complex passwords for every account, ideally managed through a reputable password manager and protected by multi-factor authentication (MFA/2FA) wherever possible.
Users should also be on high alert for targeted phishing attempts. With accurate names, phone numbers, and email addresses, attackers can craft convincing emails, SMS messages, or calls that appear to come from local authorities, banks, or major online services. Verifying messages via official channels and avoiding links or attachments in unsolicited communications are essential to reduce the risk of follow-on fraud.
Key Lessons for Critical Infrastructure and Legacy Systems
The OnSolve CodeRED incident underscores how the compromise of even “old” or legacy platforms can have systemic consequences for both cybersecurity and physical safety. Many organizations in critical infrastructure sectors continue to rely on outdated systems because they are deeply integrated into operations, but these systems often lack modern security controls, segmentation, and monitoring.
Security best practices for such environments include regular security audits of legacy systems, planned decommissioning or modernization, strict access control and network segmentation, and tested backup and recovery strategies with sufficiently frequent restore points. Industry reports, such as IBM’s “Cost of a Data Breach,” consistently show that robust backup and incident response planning significantly reduces downtime and financial impact in ransomware scenarios.
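The restore-point problem described in this incident can be made concrete. The following added example (not code from Crisis24 or the article) selects the newest backup that predates the intruder's first access, treats anything captured during the dwell window as tainted, and measures the resulting data gap against a recovery point objective; the backup catalogue and the seven-day RPO are constructed, while the three dates come from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Dates reported in the article: intruder access on 1 Nov 2025, encryption
# on 10 Nov 2025, and the most recent usable backup dated 31 Mar 2025.
INITIAL_ACCESS = date(2025, 11, 1)
ENCRYPTION = date(2025, 11, 10)
DEFAULT_RPO = timedelta(days=7)  # constructed recovery point objective

# Constructed backup catalogue for illustration; the article names only the
# 31 March restore point. The 5 Nov entry stands for a backup taken while
# the attacker already had access to the environment.
BACKUPS = [date(2025, 1, 31), date(2025, 2, 28), date(2025, 3, 31), date(2025, 11, 5)]


@dataclass
class RestoreAssessment:
    restore_point: Optional[date]   # newest backup predating the intrusion
    data_gap_days: Optional[int]    # days of records lost up to encryption
    rpo_violated: bool              # gap exceeds the recovery point objective
    tainted_backups: int            # backups taken during attacker dwell time


def assess_restore_points(backups: List[date], initial_access: date,
                          encryption: date, rpo: timedelta) -> RestoreAssessment:
    """Choose a clean restore point and quantify the resulting data gap.

    Only backups taken before the intruder's first access count as clean:
    anything captured during dwell time may carry persistence mechanisms or
    already-altered data, so it is counted separately rather than restored.
    """
    clean = [b for b in backups if b < initial_access]
    tainted = [b for b in backups if initial_access <= b <= encryption]
    if not clean:
        # No trustworthy restore point at all: report it as an RPO failure.
        return RestoreAssessment(None, None, True, len(tainted))
    restore_point = max(clean)
    gap = encryption - restore_point
    return RestoreAssessment(restore_point, gap.days, gap > rpo, len(tainted))


if __name__ == "__main__":
    r = assess_restore_points(BACKUPS, INITIAL_ACCESS, ENCRYPTION, DEFAULT_RPO)
    print(f"restore from {r.restore_point}, losing {r.data_gap_days} days of data; "
          f"RPO violated: {r.rpo_violated}; tainted backups skipped: {r.tainted_backups}")
```

With the article's dates the clean restore point is 31 March and the gap to the encryption date is 224 days, which is what agencies experienced as missing contact records and accounts.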
The CodeRED ransomware attack is a reminder that emergency communication platforms, government agencies, and end users share responsibility for resilience. Organizations must harden and modernize critical infrastructure, while individuals strengthen their own account security. Investing in better cyber hygiene today is no longer optional; it is a prerequisite for maintaining trust and safety in an increasingly digital public safety ecosystem.