Crisis24 (OnSolve CodeRED)

Crisis24’s **OnSolve CodeRED**, a widely used emergency notification system for law enforcement and municipalities, was **permanently shut down** following a **targeted ransomware attack** by an organized cybercriminal group (claimed by **INC ransomware**). The attack **compromised the CodeRED environment**, leading to the **theft and leak of personally identifiable information (PII)**—including names, addresses, emails, phone numbers, and passwords—of users subscribed to the service. While the breach was **contained within the legacy system**, dozens of agencies lost access to emergency alerts for **two weeks**, disrupting public safety communications. Crisis24 decommissioned the platform, accelerated migration to a new system, and initiated security audits. The incident forced some customers, like the **Douglas County Sheriff’s Office (Colorado)**, to **terminate contracts**, citing loss of trust. The **government’s Emergency Alert System remained unaffected**, but the attack exposed critical vulnerabilities in public warning infrastructure, raising concerns over **data security and operational resilience** in emergency services.

Source: https://cyberscoop.com/crisis24-onsolve-codered-emergency-system-ransomware/

Emergency Communications Network cybersecurity rating report: https://www.rankiteo.com/company/emergency-communications-network-llc

"id": "EME5262152112725",
"linkid": "emergency-communications-network-llc",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'Dozens of law enforcement '
                                              'agencies and municipalities',
                        'industry': 'Emergency Notification Services / Public '
                                    'Safety',
                        'location': 'USA (nationwide service)',
                        'name': 'OnSolve CodeRED (by Crisis24)',
                        'type': 'Private Company'},
                       {'industry': 'Law Enforcement',
                        'location': 'Colorado, USA',
                        'name': 'Douglas County Sheriff’s Office (Colorado)',
                        'type': 'Government Agency'}],
 'customer_advisories': 'Users advised to change passwords for accounts where '
                        'CodeRED credentials were reused',
 'data_breach': {'data_exfiltration': 'Yes (PII leaked on dark web by INC '
                                      'ransomware)',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Email addresses',
                                                         'Phone numbers',
                                                         'Passwords'],
                 'sensitivity_of_data': 'High (includes passwords, which may '
                                        'be reused across accounts)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': 'Early [Month, Year] (exact date not specified)',
 'date_publicly_disclosed': '[Day, Month, Year] (Wednesday statement, exact '
                            'date not specified)',
 'description': 'OnSolve CodeRED, a voluntary, opt-in emergency notification '
                'system used by law enforcement agencies and municipalities, '
                'was permanently shut down following a ransomware attack. The '
                'attack, attributed to the INC ransomware group, resulted in '
                'data theft, including personally identifiable information '
                '(PII) of users. The legacy system was decommissioned, and '
                'customers were migrated to a new platform. Dozens of agencies '
                'were left without access to emergency notifications for '
                'approximately two weeks.',
 'impact': {'brand_reputation_impact': 'High (permanent shutdown of legacy '
                                       'system; public disclosure of PII '
                                       'breach)',
            'customer_complaints': 'Reported (e.g., Douglas County Sheriff’s '
                                   'Office terminated contract)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Email addresses',
                                 'Phone numbers',
                                 'Passwords'],
            'downtime': 'Approximately two weeks (for dozens of agencies)',
            'identity_theft_risk': 'High (PII leaked, including passwords '
                                   'reused across accounts)',
            'operational_impact': 'Loss of emergency notification capabilities '
                                  'for affected agencies; permanent '
                                  'decommissioning of legacy CodeRED platform',
            'systems_affected': ['OnSolve CodeRED legacy platform']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (PII leaked by INC '
                                                    'ransomware)',
                           'high_value_targets': ['OnSolve CodeRED legacy '
                                                  'platform']},
 'investigation_status': 'Ongoing (law enforcement notified)',
 'lessons_learned': 'Legacy systems are high-risk targets for ransomware; '
                    'importance of system isolation and accelerated migration '
                    'to secure platforms; need for robust password policies to '
                    'mitigate credential reuse risks.',
 'motivation': 'Financial (ransomware) / Data Theft',
 'post_incident_analysis': {'corrective_actions': ['Decommissioning of legacy '
                                                   'platform; migration to '
                                                   'new, secure platform; '
                                                   'security audit and '
                                                   'penetration testing'],
                            'root_causes': ['Targeted ransomware attack by '
                                            'organized cybercriminal group '
                                            '(INC); vulnerabilities in legacy '
                                            'system']},
 'ransomware': {'data_encryption': 'Likely (system damage reported)',
                'data_exfiltration': 'Yes (PII leaked)',
                'ransomware_strain': 'INC Ransomware'},
 'recommendations': ['Implement multi-factor authentication (MFA) for user '
                     'accounts',
                     'Conduct regular security audits and penetration testing '
                     'for critical systems',
                     'Ensure clear segmentation between legacy and new systems',
                     'Provide timely and transparent communication to affected '
                     'users and stakeholders',
                     'Encourage users to avoid password reuse across '
                     'platforms'],
 'references': [{'source': 'Crisis24 Public Statement'},
                {'source': 'Douglas County Sheriff’s Office Advisory'},
                {'source': 'INC Ransomware Data Leak Site'}],
 'response': {'communication_strategy': 'Public statements, customer '
                                        'notifications, and advisories to '
                                        'affected users (e.g., password change '
                                        'recommendations)',
              'containment_measures': 'Isolation of legacy CodeRED '
                                      'environment; decommissioning of '
                                      'affected system',
              'incident_response_plan_activated': 'Yes (forensic analysis, '
                                                  'security audit, third-party '
                                                  'penetration testing)',
              'law_enforcement_notified': 'Yes',
              'network_segmentation': 'Yes (legacy system isolated from new '
                                      'platform)',
              'recovery_measures': 'Transition to new platform; customer '
                                   'notifications and advisories',
              'remediation_measures': ['Accelerated rollout of new CodeRED '
                                       'platform',
                                       'Migration of all customers to new '
                                       'system',
                                       'Security audit and penetration '
                                       'testing'],
              'third_party_assistance': 'Yes (penetration testing, security '
                                        'audit)'},
 'stakeholder_advisories': 'Customers notified; agencies advised to warn users '
                           'about PII exposure and password reuse risks',
 'threat_actor': 'INC Ransomware (organized cybercriminal group)',
 'title': 'Ransomware Attack on OnSolve CodeRED Emergency Notification System',
 'type': 'Ransomware Attack / Data Breach'}