The **OnSolve CodeRED** emergency alert system, operated by **Crisis24**, was disrupted by a **cyberattack** attributed to the **INC Ransomware group**. The attack compromised the platform, exposing **personal data of users**, including **names, addresses, email addresses, phone numbers, and passwords**, raising concerns about credential reuse across other accounts. The INC Ransom group claimed to have **exfiltrated ~1.15 TB of data** before encrypting systems, with initial access gained on **November 1** and encryption deployed on **November 10**.

Local governments reliant on CodeRED for emergency alerts were forced to seek alternatives, with some (e.g., **Douglas County Sheriff’s Office, Colorado**) terminating contracts due to **privacy concerns**, while others (e.g., **Craven County, North Carolina**) transitioned to temporary solutions like **media announcements and social media alerts**. Crisis24 is migrating users to a **new, audited CodeRED platform**, expected to be operational by **November 28**, but the outage has already **disrupted critical emergency communication services** across multiple U.S. jurisdictions. The attack also involved **failed ransom negotiations**, with Crisis24 allegedly offering **$150,000**, which the group rejected.
Source: https://thecyberexpress.com/us-codered-emergency-alert-system-cyberattack/
Crisis24 cybersecurity rating report: https://www.rankiteo.com/company/crisis24
"id": "CRI1092110112625",
"linkid": "crisis24",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Multiple U.S. local governments '
'(e.g., City of University Park, '
'Texas; Craven County, North '
'Carolina; Douglas County, '
'Colorado)',
'industry': 'emergency communication/alert systems',
'location': 'United States',
'name': 'Crisis24 (OnSolve)',
'type': 'private company'},
{'customers_affected': 'Residents of University Park',
'industry': 'public administration',
'location': 'University Park, Texas, U.S.',
'name': 'City of University Park, Texas',
'type': 'local government'},
{'customers_affected': 'Residents of Craven County',
'industry': 'public administration/emergency services',
'location': 'Craven County, North Carolina, U.S.',
'name': 'Craven County Emergency Services',
'type': 'local government'},
{'customers_affected': 'Residents of Douglas County',
'industry': 'public safety',
'location': 'Douglas County, Colorado, U.S.',
'name': 'Douglas County Sheriff’s Office',
'type': 'law enforcement'}],
'customer_advisories': ['Public statements by local governments on system '
'status and alternative alert methods'],
'data_breach': {'data_encryption': 'Yes (network encryption on 2023-11-10)',
'data_exfiltration': 'Yes (~1.15 TB of data exfiltrated, '
'including CSV files with client-related '
'data)',
'file_types_exposed': ['CSV files'],
'personally_identifiable_information': 'Yes (names, '
'addresses, email '
'addresses, phone '
'numbers, passwords)',
'sensitivity_of_data': 'High (includes names, addresses, '
'email addresses, phone numbers, '
'passwords)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'client-related data']},
'date_publicly_disclosed': '2023-11-24',
'description': 'Crisis24’s OnSolve CodeRED emergency alert system was '
'disrupted by a cyberattack attributed to the INC ransomware '
'group. The attack led to the exposure of personal user data, '
'including names, addresses, email addresses, phone numbers, '
'and passwords. Crisis24 is transitioning affected local '
'governments to a new, secure CodeRED platform that was '
'already under development. The INC ransomware group claimed '
'to have exfiltrated approximately 1.15 TB of data and '
'encrypted the network on November 10, 2023, after gaining '
'initial access on November 1, 2023. Some local governments, '
'such as Douglas County Sheriff’s Office, terminated their '
'contracts with CodeRED, while others awaited the rollout of '
'the new platform by November 28, 2023.',
'impact': {'brand_reputation_impact': 'High (loss of trust in emergency alert '
'system; contract terminations by '
'entities like Douglas County Sheriff’s '
'Office)',
'data_compromised': ['names',
'addresses',
'email addresses',
'phone numbers',
'passwords'],
'downtime': 'Ongoing until transition to new CodeRED platform '
'(expected by 2023-11-28 for some entities)',
'identity_theft_risk': 'High (exposure of personally identifiable '
'information, including passwords)',
'operational_impact': 'Disruption of emergency alert services for '
'local governments; reliance on alternative '
'communication methods (e.g., social media, '
'IPAWS, door-to-door notifications)',
'systems_affected': ['OnSolve CodeRED emergency alert system']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (data samples '
'published on INC Ransom’s '
'dark web leak site)'},
'investigation_status': 'Ongoing (transition to new platform; no details on '
'forensic investigation)',
'motivation': 'financial (ransom demand)',
'post_incident_analysis': {'corrective_actions': ['decommissioning of '
'compromised system',
'transition to new, secure '
'CodeRED platform',
'security audit and '
'penetration testing',
'system hardening']},
'ransomware': {'data_encryption': 'Yes (network encrypted on 2023-11-10)',
'data_exfiltration': 'Yes (~1.15 TB exfiltrated before '
'encryption)',
'ransom_paid': 'No (company offered USD $150,000, which was '
'refused by attackers)',
'ransomware_strain': 'INC Ransom'},
'references': [{'source': 'Cyble (threat intelligence report)'},
{'date_accessed': '2023-11-24',
'source': 'City of University Park, Texas - Public Statement'},
{'date_accessed': '2023-11-24',
'source': 'Craven County Emergency Services - Public '
'Statement'},
{'date_accessed': '2023-11-24',
'source': 'Douglas County Sheriff’s Office - Public '
'Statement'},
{'source': 'INC Ransom Dark Web Leak Site'}],
'response': {'communication_strategy': ['public statements by affected local '
'governments',
'advisories to change passwords for '
'other accounts if reused',
'updates via local media, websites, '
'and social media'],
'containment_measures': ['decommissioning of compromised OnSolve '
'CodeRED platform',
'transition to new, non-compromised '
'CodeRED environment'],
'incident_response_plan_activated': 'Yes (transition to new '
'CodeRED platform; security '
'audit and penetration '
'testing conducted)',
'recovery_measures': ['rollout of new CodeRED platform (expected '
'by 2023-11-28 for some entities)',
'use of alternative alert methods (e.g., '
'IPAWS, social media, door-to-door '
'notifications)'],
'remediation_measures': ['comprehensive security audit',
'external penetration testing',
'system hardening'],
'third_party_assistance': 'Yes (external experts engaged for '
'penetration testing and hardening of '
'new platform)'},
'stakeholder_advisories': ['Urged users to change passwords for other '
'accounts if the same password was reused'],
'threat_actor': 'INC Ransomware Group',
'title': 'Cyberattack on OnSolve CodeRED Emergency Alert System by INC '
'Ransomware Group',
'type': ['ransomware', 'data breach']}