A widespread cyberattack on Crisis24’s OnSolve CodeRED platform severely disrupted emergency notification services employed by state and local governments, law enforcement, and fire agencies nationwide. The CodeRED system is a vital communication tool used to send alerts for emergencies such as severe weather, public safety warnings, and other urgent notifications.
Attack Causes Legacy System Shutdown and Data Theft
Due to the attack, Crisis24 was forced to permanently decommission the legacy CodeRED environment, causing operational outages for many public safety organizations reliant on the platform. Crisis24 confirmed the breach was confined to the CodeRED environment and no other systems were compromised.
Investigators revealed that the attackers stole data including names, addresses, email addresses, phone numbers, and passwords linked to CodeRED user profiles. Although no public leakage has been detected so far, several agencies including the City of University Park, Texas, have warned users to remain vigilant.
Ransomware Gang Claims Responsibility, Sells Stolen Data
The INC Ransomware gang, a ransomware-as-a-service operation active since mid-2023, has claimed responsibility for the attack. The group published details and screenshots of stolen customer data on their Tor leak site. They reportedly infiltrated OnSolve’s systems in early November 2025, encrypted files mid-month, and, after ransoms were not paid, started selling the data.
Customers are strongly advised to reset any reused passwords across different services, given that compromised passwords were shared in clear text.
Recovery Efforts and System Rebuild Underway
Crisis24 is rebuilding CodeRED services using backups from March 31, 2025, which means some recent account data may be lost. Various counties and agencies across the U.S. are actively working to restore their emergency alert capabilities to ensure public safety communications return to normal promptly.
This incident highlights the increasing threat ransomware groups pose to critical infrastructure sectors, including government and emergency services, emphasizing the urgent need for robust cybersecurity measures and rapid incident response capabilities.
