How Ransomware Crippled Emergency Alerts: Anatomy of the CodeRED Attack
A single ransomware attack can send shockwaves through the very systems designed to keep us safe. The OnSolve CodeRED cyberattack, orchestrated by the INC Ransomware group, did just that—crippling emergency alert systems relied upon by countless communities across the United States. Beginning with a stealthy breach on November 1, 2025, and culminating in the encryption of critical files by November 10, the attackers exploited vulnerabilities to disrupt a platform trusted by police, fire departments, and local governments for urgent notifications (BleepingComputer).
What makes this incident especially alarming isn’t just the downtime, but the exposure of sensitive user data—including clear-text passwords—raising the stakes for both immediate response and long-term trust. The attack forced a rollback to months-old backups, leaving agencies scrambling to restore lost records and reestablish communication channels. As ransomware-as-a-service (RaaS) groups like INC Ransom increasingly target critical infrastructure, the CodeRED breach stands as a stark reminder of the evolving risks facing public safety technology and the urgent need for robust cybersecurity measures.
Timeline and Sequence of the Attack
The OnSolve CodeRED cyberattack unfolded over several weeks, with the initial breach reportedly occurring on November 1, 2025. According to information disclosed by the INC Ransomware group, the attackers gained unauthorized access to OnSolve’s systems and subsequently encrypted critical files by November 10, 2025. The timeline is significant, as it demonstrates a period during which the attackers were able to move laterally within the environment, exfiltrate data, and prepare for their extortion campaign (BleepingComputer).
The attackers’ activities forced Crisis24, the risk management company operating the CodeRED platform, to take the drastic step of decommissioning the legacy CodeRED environment. This action caused widespread disruption for the numerous state and local government agencies, police departments, and fire agencies that relied on the platform for emergency notifications and weather alerts. The attack’s impact was compounded by the need to restore services from a backup dated March 31, 2025, resulting in the loss of more recent account data and further complicating recovery efforts.
Attack Vectors and Ransomware Tactics
The INC Ransomware gang, identified as a ransomware-as-a-service (RaaS) operation active since July 2023, leveraged a combination of data theft and file encryption in their attack on CodeRED. While the exact initial access vector has not been publicly disclosed, the attackers’ subsequent actions followed a typical double-extortion model: they exfiltrated sensitive data before encrypting files, thereby maximizing their leverage over the victim (BleepingComputer).
After encrypting files and failing to receive a ransom payment, INC Ransom began selling the stolen data on their Tor-based leak site. Screenshots posted by the group included customer data such as email addresses and clear-text passwords, indicating that the attackers had access to unencrypted user credentials. This detail highlights a significant security lapse, as best practices dictate that passwords should be hashed and salted to prevent exposure in the event of a breach.
The attackers’ use of clear-text credentials as proof of compromise also served as a warning to affected customers, who were advised to reset any reused passwords immediately. The public posting of these credentials increased the risk of secondary attacks, such as credential stuffing or phishing campaigns targeting CodeRED users.
Scope of Disruption and Service Impact
The CodeRED platform is widely used by government agencies across the United States to deliver time-sensitive emergency alerts to residents. The ransomware attack disrupted these critical services on a national scale, with numerous counties, cities, and public safety agencies reporting outages and delays in emergency notifications (BleepingComputer).
The forced decommissioning of the legacy CodeRED environment meant that agencies could not send alerts during the period of disruption, potentially putting public safety at risk during emergencies. Crisis24’s efforts to restore services involved rebuilding the platform from backups, but the most recent available backup was from March 31, 2025. As a result, any accounts created or updated after that date were missing from the restored system, further hampering the ability of agencies to reach all intended recipients.
The attack’s impact extended beyond the immediate loss of service. The exposure of personal information—including names, addresses, email addresses, phone numbers, and passwords—created additional security and privacy concerns for affected users. While Crisis24 stated that there was no evidence the stolen data had been widely published, the presence of data on the INC Ransom leak site indicated a real risk of further misuse.
Data Compromised and Security Implications
The CodeRED attack resulted in the theft of a substantial amount of personal and account data. According to statements from Crisis24 and evidence posted by INC Ransom, the stolen information included:
- Names
- Addresses
- Email addresses
- Phone numbers
- Passwords (in clear text)
The exposure of clear-text passwords is particularly concerning, as it suggests that CodeRED’s user authentication system did not follow industry-standard security protocols for password storage. This lapse increases the risk that affected users could be targeted in subsequent attacks, especially if they reused passwords across multiple sites or services.
The compromised data also has broader implications for the security of emergency alert systems nationwide. Attackers with access to user credentials could potentially attempt to impersonate officials or gain unauthorized access to other systems, further undermining trust in public safety communications. The incident underscores the need for robust security controls, including multi-factor authentication, regular security audits, and secure password management practices.
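The clear-text password exposure described above is the storage defect a defender most wants to rule out in their own systems. The following is an added example, not code from OnSolve, Crisis24 or the cited report: it shows salted PBKDF2-HMAC-SHA256 password records next to a constant-time verifier, an audit helper that flags any stored credential that is not a salted hash, and a migrate-on-login routine that re-hashes a legacy clear-text entry the next time its owner authenticates. The record format, the iteration count and the two sample users are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user random salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    The salt is random per record, so two users with the same password get
    different hashes and a stolen table cannot be attacked with one precomputed list.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGO_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO_TAG:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_hashed_record(value: str) -> bool:
    """Audit helper: does a stored credential field look like a salted hash record?"""
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == ALGO_TAG and parts[1].isdigit()


def audit_clear_text(users: dict) -> list:
    """Return the accounts whose stored credential is not a salted hash (e.g. clear text)."""
    return [email for email, stored in users.items() if not is_hashed_record(stored)]


def migrate_on_login(users: dict, email: str, password: str) -> bool:
    """Authenticate, and if the account still holds a clear-text password, re-hash it.

    This is how a legacy table is moved to hashed storage without forcing a reset
    on everyone at once: each successful login upgrades that one record.
    """
    stored = users.get(email)
    if stored is None:
        return False
    if is_hashed_record(stored):
        return verify_password(password, stored)
    # Legacy clear-text record: compare in constant time, then upgrade it in place.
    if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        users[email] = hash_password(password)
        return True
    return False


# Constructed sample table representing a legacy clear-text credential store.
LEGACY_USERS = {
    "alice@example.org": "Summer2025!",
    "bob@example.org": "hunter2",
}


if __name__ == "__main__":
    users = dict(LEGACY_USERS)
    print("clear-text accounts before migration:", audit_clear_text(users))
    migrate_on_login(users, "alice@example.org", "Summer2025!")
    print("clear-text accounts after alice logs in:", audit_clear_text(users))
    print("alice record:", users["alice@example.org"])
```

Running the audit against a real table would be the first check after an incident like this one: if it returns anything, a breach of that table discloses working credentials, which is exactly the situation the leaked screenshots showed.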
Organizational Response and Recovery Challenges
In the wake of the attack, Crisis24 initiated a multi-faceted response aimed at containing the breach, restoring services, and communicating with affected customers. The company confirmed that the attack was limited to the CodeRED environment and did not impact other Crisis24 systems (BleepingComputer).
Restoration efforts were complicated by the need to rely on an outdated backup, resulting in incomplete account data and the need for agencies to re-register users or manually update records. This process introduced delays and increased the administrative burden on already-stressed public safety organizations.
Crisis24 also issued advisories to customers, recommending immediate password resets and heightened vigilance for phishing or other follow-on attacks. The company worked with law enforcement and cybersecurity experts to investigate the incident and bolster defenses against future threats.
The organizational response highlighted the challenges of maintaining continuity of critical services in the face of sophisticated ransomware attacks. The incident demonstrated the importance of regular, secure backups; strong password management; and clear communication with stakeholders during and after a cyber crisis.
Broader Context: Ransomware-as-a-Service and Critical Infrastructure
The CodeRED incident is part of a broader trend in which ransomware-as-a-service groups target critical infrastructure and essential public services. INC Ransom, the group responsible for the CodeRED attack, has previously targeted organizations in sectors such as education, healthcare, and government, as well as major corporations like Yamaha Motor Philippines, Scotland’s National Health Service (NHS), Ahold Delhaize, and Xerox Business Solutions (BleepingComputer).
The attack on CodeRED illustrates the vulnerabilities inherent in centralized emergency alert systems and the cascading effects that a successful ransomware campaign can have on public safety. As ransomware groups continue to evolve their tactics and target high-value systems, the need for proactive cybersecurity measures and incident response planning becomes ever more critical for organizations responsible for critical infrastructure.
The incident also raises questions about regulatory oversight and the need for minimum security standards for vendors providing essential public services. Ensuring the resilience of emergency alert systems will require coordinated efforts between technology providers, government agencies, and the broader cybersecurity community.
Final Thoughts
The CodeRED cyberattack is more than a cautionary tale—it’s a wake-up call for every organization managing critical infrastructure. The disruption of emergency alert systems nationwide exposed not only technical vulnerabilities but also the cascading effects on public safety and trust. With attackers leveraging double-extortion tactics and exploiting weak password practices, the incident underscores the necessity of secure backups, strong authentication, and proactive incident response planning (BleepingComputer).
As ransomware groups continue to evolve and target essential services, collaboration between technology providers, government agencies, and cybersecurity professionals becomes paramount. The lessons from CodeRED should drive urgent improvements in security standards, regulatory oversight, and public awareness—ensuring that the next emergency alert isn’t silenced by a preventable breach.
References
- Cimpanu, C. (2025, November 15). OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide. BleepingComputer. https://www.bleepingcomputer.com/news/security/onsolve-codered-cyberattack-disrupts-emergency-alert-systems-nationwide/