OnSolve (Crisis24)

The INC ransomware-as-a-service gang executed a cyberattack on **OnSolve’s CodeRED platform**, a critical emergency notification system used by U.S. state/local governments, police, and fire departments. The intrusion led to **data theft**—including users' **names, addresses, phone numbers, emails, and passwords**—though no misuse has been detected yet. The attackers **encrypted data on November 10** after initial access on **November 1** and later **offered the stolen data for sale** following OnSolve’s refusal to pay the ransom. The disruption **crippled emergency alert systems**, potentially delaying life-saving communications for public safety agencies. INC Ransomware, active for over two years, has previously targeted high-profile victims like **Xerox, Ahold Delhaize, and Scotland’s NHS**, reinforcing its reputation as a persistent and damaging threat actor.

Source: https://www.scworld.com/brief/us-emergency-alert-systems-hit-by-onsolve-codered-cyberattack

TPRM report: https://www.rankiteo.com/company/emergency-communications-network-llc

"id": "eme2692726112625",
"linkid": "emergency-communications-network-llc",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'Multiple U.S. state/local '
                                              'governments, police, and fire '
                                              'departments',
                        'industry': 'risk management / emergency notification '
                                    'services',
                        'location': 'United States',
                        'name': 'Crisis24 (OnSolve CodeRED)',
                        'type': 'private company'},
                       {'industry': 'public administration',
                        'location': 'United States',
                        'name': 'U.S. state and local governments (multiple)',
                        'type': 'government'},
                       {'industry': 'public safety',
                        'location': 'United States',
                        'name': 'U.S. police and fire departments (multiple)',
                        'type': 'government'}],
 'customer_advisories': 'Users notified of data breach (names, addresses, '
                        'phone numbers, emails, passwords compromised)',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption on November '
                                    '10)',
                 'data_exfiltration': 'Yes (data stolen and offered for sale)',
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'phone numbers',
                                                         'email addresses'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'authentication credentials']},
 'date_publicly_disclosed': '2023-11-01',
 'description': 'Multiple U.S. state and local governments, police, and fire '
                'departments experienced disruptions in their emergency '
                "notification systems due to a cyberattack on Crisis24's "
                'OnSolve CodeRED platform. The INC ransomware-as-a-service '
                'gang claimed responsibility, stealing user data including '
                'names, addresses, phone numbers, email addresses, and '
                'passwords. The attack occurred on November 1, with data '
                'encryption on November 10. The stolen data was offered for '
                'sale after Crisis24 reportedly refused to pay the ransom.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data breach and service disruption',
            'data_compromised': ['names',
                                 'addresses',
                                 'phone numbers',
                                 'email addresses',
                                 'passwords'],
            'identity_theft_risk': 'High (due to exposure of PII)',
            'operational_impact': 'Disruption of emergency notification '
                                  'systems for U.S. state/local governments, '
                                  'police, and fire departments',
            'systems_affected': ['OnSolve CodeRED platform']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (after ransom '
                                                    'refusal)',
                           'high_value_targets': ['OnSolve CodeRED platform']},
 'investigation_status': 'Ongoing (no misuse of stolen data observed as of '
                         'disclosure)',
 'motivation': ['financial gain', 'data theft'],
 'ransomware': {'data_encryption': 'Yes (on November 10)',
                'data_exfiltration': 'Yes (data stolen prior to encryption)',
                'ransom_demanded': 'Yes (amount undisclosed)',
                'ransom_paid': 'No (reportedly refused by Crisis24)',
                'ransomware_strain': 'INC ransomware'},
 'references': [{'source': 'BleepingComputer'}],
 'response': {'communication_strategy': 'Public disclosure of breach; emphasis '
                                        'on no observed misuse of stolen data'},
 'threat_actor': 'INC ransomware-as-a-service gang',
 'title': "Cyberattack on Crisis24's OnSolve CodeRED Platform by INC "
          'Ransomware Gang',
 'type': ['cyberattack', 'ransomware', 'data breach']}