The **CodeRED** emergency notification system, operated by **Crisis24**, suffered a **ransomware attack** by the hacker group **INCRansom**, forcing the company to decommission its legacy infrastructure. The attack disrupted services for multiple organizations nationwide, including the **City of Worcester’s AlertWorcester system**, rendering it unavailable. The breach resulted in the theft of sensitive user data, including **names, addresses, email addresses, phone numbers, and passwords** from CodeRED profiles. While Crisis24 is rebuilding the system using backups from **March 31, 2025**, some user accounts will be missing. The hackers are selling the stolen data, though no public leak of it has been confirmed. Ransom negotiations failed, exacerbating the incident’s impact. The outage has left municipalities and emergency services without critical alert capabilities, posing risks to public safety communication.
Source: https://thisweekinworcester.com/alertworcester-data-breach-service-down/
Crisis24 cybersecurity rating report: https://www.rankiteo.com/company/crisis24
{
  "id": "CRI5871558112725",
  "linkid": "crisis24",
  "type": "Ransomware",
  "date": "3/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'AlertWorcester users (subset of '
                                              'CodeRED users)',
                        'industry': 'public administration',
                        'location': 'Worcester, Massachusetts, USA',
                        'name': 'City of Worcester',
                        'type': 'municipal government'},
                       {'customers_affected': 'organizations nationwide using '
                                              'CodeRED',
                        'industry': 'emergency notification services',
                        'name': 'Crisis24 (formerly OnSolve)',
                        'type': 'private company'}],
 'customer_advisories': ['password change advisory for AlertWorcester users'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'email addresses',
                                                         'phone numbers'],
                 'sensitivity_of_data': 'high (includes passwords, which may '
                                        'be reused across services)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'authentication credentials']},
 'description': 'The City of Worcester announced that its automated emergency '
                'notification system, AlertWorcester (powered by third-party '
                'system CodeRED by Crisis24), is unavailable due to a '
                'cyberattack. The attack forced Crisis24 to decommission the '
                'legacy CodeRED environment, disrupting services for '
                'organizations nationwide. The company is rebuilding the '
                'system using data backups from March 31, 2025, meaning some '
                'user accounts will be missing. The attack also resulted in '
                'data theft, including names, addresses, email addresses, '
                'phone numbers, and passwords from CodeRED user profiles. The '
                'INCRansom hacker group claimed responsibility and began '
                'selling samples of the stolen data after failed ransom '
                'negotiations.',
 'impact': {'brand_reputation_impact': 'potential reputational damage to '
                                       'Crisis24 and affected municipalities '
                                       '(e.g., Worcester)',
            'data_compromised': ['names',
                                 'addresses',
                                 'email addresses',
                                 'phone numbers',
                                 'passwords'],
            'downtime': 'ongoing (system being rebuilt from backups as of '
                        'March 31, 2025)',
            'identity_theft_risk': 'high (due to compromised PII, including '
                                   'passwords reused across platforms)',
            'operational_impact': 'disruption of emergency notification '
                                  'services for the City of Worcester and '
                                  'other organizations nationwide',
            'systems_affected': ['AlertWorcester (CodeRED by Crisis24)',
                                 'legacy CodeRED environment']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': ['CodeRED user database']},
 'investigation_status': 'ongoing (system rebuild in progress; stolen data not '
                         'yet found online)',
 'motivation': ['financial gain', 'data theft'],
 'post_incident_analysis': {'corrective_actions': ['system rebuild on new '
                                                   'infrastructure']},
 'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
 'recommendations': ['Users should change passwords if reused across other '
                     'platforms.',
                     'Organizations should ensure backup integrity and test '
                     'restoration procedures.',
                     'Multi-factor authentication (MFA) should be enforced for '
                     'emergency notification systems.'],
 'references': [{'source': 'bleepingcomputer.com'},
                {'source': 'Infosecurity Magazine'}],
 'response': {'communication_strategy': ['public advisory by City of Worcester',
                                         'password change recommendations for '
                                         'users'],
              'containment_measures': ['decommissioning of legacy CodeRED '
                                       'environment'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['rebuilding system on new '
                                       'infrastructure',
                                       'restoring from March 31, 2025 '
                                       'backups']},
 'stakeholder_advisories': ['City of Worcester public announcement'],
 'threat_actor': 'INCRansom',
 'title': 'Cyberattack on CodeRED by Crisis24 Disrupts AlertWorcester '
          'Emergency Notification System',
 'type': ['cyberattack', 'ransomware', 'data breach']}