The OnSolve CodeRED emergency notification platform suffered a cyberattack attributed to the INC Ransom gang, disrupting alerting for state and local governments, police, and fire agencies across the United States. The attack forced Crisis24, which operates CodeRED, to decommission its legacy environment and rebuild the service from backups. In MITRE ATT&CK terms the activity maps to T1486 (Data Encrypted for Impact) and T1041 (Exfiltration Over C2 Channel). Stolen data includes names, addresses, email addresses, phone numbers, and passwords from CodeRED user profiles, although there is currently no evidence of public data release.

INC Ransom claims to have breached OnSolve on November 1, 2025 and, after exfiltrating sensitive information, to have encrypted files on November 10. When ransom demands were not met, the group allegedly began selling CodeRED data via its Tor leak site, posting screenshots that appear to show clear-text passwords associated with customer accounts.

Because CodeRED underpins emergency alerts, weather warnings, and other critical communications, the outage created systemic risk for municipalities that rely on the platform to reach residents during crises. From a business and public safety standpoint, the incident underscores how ransomware against a single communication provider can cascade into operational impact for hundreds of downstream agencies. Municipalities and public safety organizations faced a degraded ability to send alerts, potential compromise of staff credentials reused elsewhere, and reputational concerns over the handling of sensitive citizen contact data. While Crisis24 reports that the attack was contained to CodeRED and that other systems were not affected, the rebuild relies on a backup from March 31, 2025, so accounts created or changed after that date may be missing or stale, complicating recovery and validation.
Mitigation for affected customers includes forced password resets, review of any credentials reused in other systems, and verification of emergency contact lists after migration to the rebuilt platform. Strategically, the event should push public-sector entities to assess the resilience of critical communication services, implement redundancy (e.g., a secondary alert provider), and build ransomware and supplier-failure scenarios into continuity planning. Security leaders should also reassess contractual language with SaaS providers, ensuring robust incident reporting, segmentation, encryption of sensitive user data at rest and in transit, and proper hashing of stored passwords.
CORTEX Protocol Intelligence Assessment
Business Impact: The CodeRED breach demonstrates that a single ransomware incident at a SaaS communication provider can disrupt emergency alerting for jurisdictions nationwide and expose citizen contact data. Municipalities and agencies face operational risk, possible privacy complaints, and political pressure to explain their reliance on single points of failure in critical communication chains.

Technical Context: The INC Ransom operation appears to have performed double extortion, encrypting CodeRED systems and exfiltrating user profile data (T1486 and T1041). The rebuild from a months-old backup shows why backups must be recent, tested, and immutable, and the leak-site screenshots that appear to show clear-text credentials show why passwords must be stored with a strong, salted, slow hash rather than in plaintext or a reversible form, a weakness that tends to survive in legacy systems.
Strategic Intelligence Guidance
- Coordinate with Crisis24 to ensure every CodeRED account under your control has a unique, strong password, and reset any credential that may have been reused on other systems.
- Introduce redundancy for emergency alerting by onboarding secondary communication channels and regularly testing failover procedures during continuity exercises.
- Review contracts with SaaS providers for requirements around encryption, password storage standards, backup freshness, and incident notification timelines, and update them where necessary.
- Elevate critical SaaS platforms like emergency alerting into board-level risk discussions and align them with broader ransomware resilience strategies across suppliers and infrastructure.
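The Technical Context above and the guidance item on password storage standards both turn on the same failure mode: a legacy system holding credentials in clear text. The following is an added example, not code from the original page or from CodeRED or Crisis24, showing what a vendor's password store should look like instead and how a rebuilt platform can migrate legacy clear-text records on the user's next successful login. It uses only the Python standard library; the algorithm label, the iteration count (600,000 for PBKDF2-HMAC-SHA256, the OWASP-recommended floor), the record layout, and the sample user store are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumed parameters for this example (not the platform's real settings):
# PBKDF2-HMAC-SHA256, 16-byte random salt, 600,000 iterations, 32-byte output.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords produce different
    records, and the iteration count is stored so it can be raised later.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against a hashed record using a constant-time comparison."""
    try:
        alg, iters, salt_hex, hash_hex = record.split("$", 3)
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if alg != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return hmac.compare_digest(dk, expected)


def is_legacy_cleartext(record: str) -> bool:
    """A record without the algorithm prefix is treated as a stored clear-text password.

    Assumption for this example: the legacy store wrote raw passwords. A real
    migration should key on a schema or column flag rather than on the value.
    """
    return not record.startswith(ALGORITHM + "$")


def needs_rehash(record: str) -> bool:
    """True when a hashed record uses fewer iterations than the current policy."""
    parts = record.split("$", 3)
    return len(parts) == 4 and parts[0] == ALGORITHM and int(parts[1]) < ITERATIONS


def authenticate_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Authenticate against either record type.

    Returns (ok, record_to_store). When a legacy clear-text record matches, the
    returned record is a fresh hash the caller must persist, which retires the
    plaintext on the user's first login after migration. Weak hashed records
    are also upgraded on a successful login.
    """
    if is_legacy_cleartext(record):
        ok = hmac.compare_digest(password.encode("utf-8"), record.encode("utf-8"))
        return (ok, hash_password(password) if ok else record)
    ok = verify_password(password, record)
    if ok and needs_rehash(record):
        return (True, hash_password(password))
    return (ok, record)


def migrate_on_login(store: Dict[str, str], user: str, password: str) -> bool:
    """Login handler over a constructed in-memory store; rewrites the record in place."""
    ok, new_record = authenticate_and_upgrade(password, store[user])
    if ok:
        store[user] = new_record
    return ok


if __name__ == "__main__":
    # Constructed sample store: one legacy clear-text record, one already hashed.
    users = {
        "dispatch": "Winter2025!",              # legacy clear-text (what the leak screenshots suggest)
        "fire-chief": hash_password("Engine-7-Ready"),
    }
    assert migrate_on_login(users, "dispatch", "Winter2025!")
    assert not is_legacy_cleartext(users["dispatch"])  # upgraded on first login
    assert not migrate_on_login(users, "dispatch", "wrong")
    print({u: r[:30] + "..." for u, r in users.items()})
```

On a real rebuild the migration step pairs with the forced reset the article describes: users who never log in again keep a legacy record indefinitely, so any account still flagged clear-text after the reset window should be locked rather than left in place.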
Targets
state and local governments, police departments, fire agencies, emergency alert platforms