OnSolve CodeRED Cyberattack Disrupts Emergency Alert Systems Nationwide
Emergency notification systems that millions of Americans depend on for critical alerts have been knocked offline following a sophisticated cyberattack against the OnSolve CodeRED platform. The breach has affected state and local governments, police departments, and fire agencies across the United States, raising serious concerns about the vulnerability of public safety infrastructure.
Crisis24, the risk management company operating the platform, confirmed that organized cybercriminals successfully penetrated their systems, forcing them to completely decommission their legacy environment. The incident highlights the growing threat ransomware groups pose to essential services that communities rely on during emergencies, natural disasters, and public safety events.
Understanding the OnSolve CodeRED Breach
The CodeRED platform serves as a backbone for emergency communications across numerous jurisdictions. When agencies need to alert residents about severe weather, evacuation orders, or public safety threats, they turn to this system to reach thousands or even millions of people simultaneously through multiple channels including text messages, phone calls, and emails.
Crisis24’s investigation revealed the attack remained isolated within the CodeRED environment without spreading to their other operational systems. However, threat actors successfully exfiltrated sensitive information before Crisis24 could contain the breach. The stolen data includes resident names, physical addresses, email addresses, phone numbers, and critically, passwords associated with CodeRED user profiles.
The disclosure of clear-text passwords has serious security ramifications, even if Crisis24 claims they haven’t discovered any proof the stolen data has surfaced on open forums or dark web marketplaces. Users who recycled these credentials across multiple accounts face elevated risks of credential stuffing attacks and unauthorized access to other services.
The INC Ransom Gang Connection
Security researchers have identified the INC Ransom gang as the perpetrators behind this attack. This ransomware-as-a-service operation, which emerged in July 2023, has built a reputation for targeting critical infrastructure and essential services across various sectors.
The threat actors established a timeline that demonstrates their methodical approach. They initially breached OnSolve’s systems on November 1, 2025, maintaining persistent access for over a week before deploying ransomware payloads on November 10. This extended dwell time allowed them to thoroughly map the network, identify valuable data repositories, and establish multiple access points before revealing their presence.
Following what they claim was a failed ransom negotiation, the cybercriminals posted evidence of their breach on their dark web leak site. Screenshots published by the group show customer databases containing email addresses paired with passwords stored in plain text rather than as salted hashes. This security weakness compounds the breach’s severity, as proper password hashing would have protected user credentials even after data theft.
INC Ransom’s victim portfolio demonstrates their indiscriminate targeting strategy. Previous attacks have impacted educational institutions, healthcare providers, government entities, and private corporations including Yamaha Motor Philippines, Scotland’s National Health Service, multinational food retailer Ahold Delhaize, and Xerox Business Solutions’ United States division. The diversity of their targets suggests a primarily financially motivated operation willing to compromise critical infrastructure for profit.
Operational Impact on Emergency Services
The attack’s consequences extend far beyond data theft. Crisis24 made the decision to completely rebuild their platform rather than attempt restoration of the compromised environment. They’re reconstructing the service using backup data, but the most recent available backup dates from March 31, 2025.
This eight-month gap means numerous user accounts created or updated after that date no longer exist in the restored system. Counties, cities, and public safety agencies nationwide must now undertake the time-consuming process of rebuilding their subscriber lists and reconfiguring their emergency notification protocols.
During this restoration period, affected jurisdictions have lost their primary method for rapidly communicating with residents during emergencies. Many agencies are scrambling to implement temporary alternatives, including increased social media monitoring, traditional media partnerships, and manual notification processes that lack the reach and speed of automated systems.
The disruption arrives during a period when many regions face seasonal emergency risks including winter storms, wildfires in drought-affected areas, and the ongoing need for public health communications. The timing underscores the real-world consequences when threat actors target systems that protect public safety rather than pursuing purely commercial targets.
Ransomware-as-a-Service Business Model
INC Ransom operates under a ransomware-as-a-service model that represents the evolution of cybercrime into a sophisticated business ecosystem. In this model, a core group of malware developers builds the ransomware and runs the supporting infrastructure, while the intrusions themselves are carried out by partners.
Affiliate attackers partner with the RaaS operators, gaining access to these tools and infrastructure in exchange for sharing ransom payments. This model allows skilled network infiltrators who lack malware development expertise to conduct complex attacks. It also enables rapid scaling, as the core group can support numerous simultaneous attacks through their affiliate network.
The RaaS model has dramatically lowered the barrier to entry for ransomware operations. Threat actors no longer need advanced programming skills to launch devastating attacks. They simply need the ability to compromise networks through phishing, exploiting vulnerabilities, or purchasing stolen credentials from initial access brokers.
This business structure also complicates law enforcement efforts. When authorities disrupt one affiliate group, the core RaaS operators continue functioning with other partners. The distribution of activities across multiple actors in different jurisdictions creates attribution challenges and legal complications for prosecution efforts.
Critical Security Lessons from the Attack
The OnSolve breach reveals several security deficiencies that organizations across all sectors should examine within their own environments. The storage of passwords in clear text represents a fundamental security failure that violates established best practices developed over decades.
Modern security standards require that passwords undergo cryptographic hashing with a per-user salt before storage. This produces a one-way transformation that prevents password recovery even when attackers obtain the database. The presence of recoverable passwords suggests either legacy systems operating without modern protections or security architecture decisions that prioritized convenience over protection.
The extended period between initial compromise and ransomware deployment highlights the importance of continuous security monitoring. Organizations that implement robust detection capabilities can identify unusual access patterns, lateral movement, and data staging activities that occur during the reconnaissance phase that precedes encryption attacks.
The complete environmental decommissioning Crisis24 chose reflects the difficulty of fully remediating sophisticated attacks. When threat actors establish deep persistence within networks, they often plant multiple backdoors and maintain alternative access methods. Rebuilding from known-good backups in isolated environments provides greater assurance that attackers have been completely removed.
Password Security and User Responsibilities
Users affected by this breach face immediate security obligations regardless of whether they receive direct notification. Anyone who registered for CodeRED emergency alerts should assume their credentials were compromised and take protective action.
The first priority involves changing CodeRED passwords once access to the rebuilt platform becomes available. However, the greater concern addresses password reuse across multiple services. Individuals who used identical or similar passwords for email accounts, banking services, social media platforms, or other online services must update those credentials immediately.
Threat actors exploit stolen credentials through automated credential stuffing attacks that test username and password combinations across thousands of websites. Successful authentication attempts provide access to accounts where users recycled compromised credentials, often without triggering security alerts since the login credentials themselves are valid.
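Because each individual login in a credential stuffing run looks valid, detection has to work on the aggregate pattern. The block below is an added example, not part of the original article or any vendor product: it runs a sliding-window check over constructed authentication log lines in an assumed format and reports source IPs that attempt many distinct accounts with mostly failures, along with any accounts that did authenticate inside such a burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format: timestamp, source IP, account, outcome.
# 203.0.113.7 sprays eight accounts in seconds and gets one hit (carol);
# the other two IPs are ordinary users, including one typo-then-success.
SAMPLE_LOG = """\
2025-11-12T03:10:01Z ip=198.51.100.4 user=bob@example.com result=OK
2025-11-12T03:10:15Z ip=203.0.113.7 user=alice@example.com result=FAIL
2025-11-12T03:10:16Z ip=203.0.113.7 user=dave@example.com result=FAIL
2025-11-12T03:10:17Z ip=203.0.113.7 user=erin@example.com result=FAIL
2025-11-12T03:10:18Z ip=203.0.113.7 user=frank@example.com result=FAIL
2025-11-12T03:10:19Z ip=203.0.113.7 user=grace@example.com result=FAIL
2025-11-12T03:10:20Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2025-11-12T03:10:21Z ip=203.0.113.7 user=carol@example.com result=OK
2025-11-12T03:10:22Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2025-11-12T03:11:40Z ip=198.51.100.9 user=dave@example.com result=FAIL
2025-11-12T03:11:52Z ip=198.51.100.9 user=dave@example.com result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many different accounts inside one window with
    mostly failures. Successful logins inside such a burst are recorded as
    likely compromised accounts, since a valid password alone raises no alert.
    Returns {ip: {"attempts": int, "distinct_users": int, "compromised": set}}."""
    by_ip = defaultdict(list)
    for ev in (parse_line(line) for line in lines):
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            burst = evs[start:end + 1]
            users = {e["user"] for e in burst}
            successes = {e["user"] for e in burst if e["result"] == "OK"}
            if (len(users) >= min_distinct_users
                    and len(successes) / len(burst) <= max_success_ratio):
                a = alerts.setdefault(
                    ip, {"attempts": 0, "distinct_users": 0, "compromised": set()})
                a["attempts"] = max(a["attempts"], len(burst))
                a["distinct_users"] = max(a["distinct_users"], len(users))
                a["compromised"] |= successes
    return alerts
```

Accounts listed under "compromised" are the ones to force a password reset on, even though their own login events succeeded normally.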
This incident reinforces the critical importance of unique passwords for every account. Password managers provide practical solutions for generating and storing complex, unique credentials without requiring users to memorize dozens of different passwords. These tools have matured into reliable security solutions that dramatically reduce credential reuse risks.
Two-factor authentication adds another defensive layer by requiring additional verification beyond passwords. Even when attackers possess valid credentials, they cannot access accounts protected by authentication apps, hardware tokens, or biometric verification. Organizations and users should implement multi-factor authentication wherever available, particularly for accounts containing sensitive information or financial access.
Broader Implications for Critical Infrastructure
The targeting of emergency notification systems carries implications beyond immediate operational disruptions. These attacks demonstrate that threat actors increasingly view public safety infrastructure as viable targets despite the potential for real-world harm to civilian populations.
Traditional cybercriminal ethics, such as they existed, generally discouraged attacks on hospitals, emergency services, and critical infrastructure supporting public safety. However, modern ransomware operations appear motivated purely by financial gain without regard for collateral consequences. This shift increases risks to systems supporting emergency medical services, utility operations, transportation networks, and communication infrastructure.
Governmental organizations and private businesses that run vital infrastructure must acknowledge that they are up against persistent, highly skilled adversaries. Security strategies developed for protecting commercial data require enhancement when systems support life safety functions or emergency response capabilities.
Regulatory frameworks governing critical infrastructure security continue evolving in response to escalating threats. Organizations in these sectors should anticipate increased scrutiny, mandatory security standards, and potential liability for breaches resulting from inadequate protection measures.
The incident also raises questions about the concentration of emergency services on single platforms. While centralized systems offer efficiency benefits, they create single points of failure that affect numerous jurisdictions simultaneously. Agencies may need to evaluate distributed architectures, redundant platforms, or backup notification methods that reduce the blast radius of a successful attack.
Incident Response and Recovery Strategies
Crisis24’s decision to completely rebuild their platform rather than attempt incremental remediation reflects incident response best practices for sophisticated breaches. When attackers achieve deep network penetration, organizations face difficult choices about whether compromised systems can be adequately cleaned or require complete reconstruction.
The backup restoration approach provides confidence that threat actors no longer maintain access. However, the eight-month gap between the available backup and the current date illustrates the importance of backup strategies that balance recovery point objectives with storage costs and operational overhead.
Organizations should maintain multiple generations of backups stored in immutable formats that prevent modification or deletion even if attackers compromise production networks. Cloud storage with object locking, tape systems with air gaps, and write-once-read-many storage technologies provide protection against ransomware that attempts to destroy backups before encrypting production data.
Routine testing of backup restoration procedures is what makes recovery possible when it is actually needed. Many companies discover during actual incidents that their backups are incomplete, corrupted, or lack sufficient documentation for successful restoration. Quarterly or monthly recovery tests identify these issues before they become critical problems during real emergencies.
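The three preceding paragraphs describe a backup policy (a recovery point objective, several retained generations on immutable storage) and the restore drills that prove it. The block below is an added example, not Crisis24's tooling: it checks a constructed backup inventory against assumed policy values, using the article's March 31 backup and November 10 ransomware dates to show how large the gap was, and runs a small restore drill that compares restored files against manifest hashes.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Policy values below are assumed for this example, not Crisis24's actual policy.
RPO = timedelta(hours=24)      # the newest backup may be at most this old
MIN_GENERATIONS = 3            # distinct restore points that must be retained


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_set(manifests, now_iso, rpo=RPO, min_generations=MIN_GENERATIONS):
    """Policy check over a backup inventory.

    manifests: list of {"taken_at": ISO-8601, "immutable": bool, "files": {relpath: sha256}}
    Returns a list of (code, message) findings; an empty list means the set meets policy.
    """
    findings = []
    if len(manifests) < min_generations:
        findings.append(("too_few_generations",
                         f"{len(manifests)} restore points, policy requires {min_generations}"))
    if not manifests:
        return findings
    now = datetime.fromisoformat(now_iso)
    newest = max(datetime.fromisoformat(m["taken_at"]) for m in manifests)
    gap = now - newest
    if gap > rpo:
        findings.append(("rpo_exceeded", f"newest backup is {gap.days} days old, RPO is {rpo}"))
    for m in manifests:
        if not m.get("immutable"):
            findings.append(("mutable_storage",
                             f"backup {m['taken_at']} is not on immutable storage"))
    return findings


def verify_restore(manifest, restore_dir):
    """Restore drill: compare a test-restored tree against the manifest's hashes."""
    problems = []
    for rel, expected in manifest["files"].items():
        p = Path(restore_dir) / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != expected:
            problems.append(("corrupt", rel))
    return problems


def restore_drill_demo():
    """Constructed drill: snapshot a tiny tree, then 'restore' it with one file
    tampered and one absent, and return what verification catches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "subscribers.csv").write_text("alice@example.com,+15550100\n")
        (src / "config.json").write_text('{"channels": ["sms", "voice"]}\n')
        (src / "templates.txt").write_text("Evacuation order for zone {zone}\n")
        manifest = {"taken_at": "2025-03-31T00:00:00", "immutable": True,
                    "files": {p.name: sha256_file(p) for p in src.iterdir()}}
        restored = Path(tmp) / "restored"
        restored.mkdir()
        (restored / "subscribers.csv").write_text("alice@example.com,+15550100\n")  # intact
        (restored / "config.json").write_text("{}\n")                          # tampered
        return verify_restore(manifest, restored)   # templates.txt is never restored
```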
Communication strategies during breaches require careful balance between transparency and operational security. Crisis24 provided updates to affected customers while avoiding disclosure of technical details that could assist other threat actors. Organizations developing breach communication plans should prepare templates, identify stakeholders requiring notification, and establish approval processes that allow rapid response without compromising ongoing investigations.
Preventing Similar Attacks
Organizations seeking to protect themselves from attacks similar to the CodeRED breach should implement comprehensive security programs addressing multiple attack vectors. The sophistication demonstrated by INC Ransom suggests they exploited either unpatched vulnerabilities, compromised credentials, or social engineering tactics to achieve initial access.
Vulnerability management programs that rapidly identify and remediate security flaws reduce the attack surface available to threat actors. Automated scanning tools can detect known vulnerabilities, but organizations must also implement processes ensuring patches deploy quickly after vendors release updates. Critical systems should receive priority treatment with accelerated patching timelines.
Endpoint detection and response solutions provide visibility into activities occurring on workstations and servers throughout the network. These tools can identify suspicious behavior patterns associated with reconnaissance, lateral movement, and data exfiltration that occur during the period between initial compromise and ransomware deployment.
Network segmentation limits the spread of attacks by dividing infrastructure into isolated zones with controlled communication pathways. When attackers breach one segment, properly configured boundaries prevent them from automatically accessing additional systems. Critical infrastructure should operate in highly restricted network zones with minimal connectivity to general corporate networks.
Security awareness training helps employees identify phishing attempts, social engineering tactics, and suspicious communications that often provide attackers their initial foothold. Regular training sessions combined with simulated phishing exercises build organizational resilience against human-targeted attack vectors.
The Future of Emergency Notification Security
The CodeRED attack will likely prompt increased scrutiny of security practices across the emergency notification industry. Government agencies purchasing these services may begin requiring security certifications, regular audits, and contractual guarantees regarding data protection and system availability.
Industry standards for emergency notification platforms should evolve to address the unique requirements of systems supporting public safety functions. Such standards may impose encryption requirements, backup protocols, access controls, and incident response capabilities beyond those expected of conventional commercial software.
Insurance markets for cyber risk continue developing products specifically designed for critical infrastructure operators. Organizations in this space may find coverage requirements drive security investments as insurers refuse coverage or charge prohibitive premiums for companies lacking adequate protections.
The incident may accelerate adoption of distributed emergency notification architectures that prevent single points of failure. Rather than depending entirely on cloud platforms operated by external vendors, agencies might implement hybrid approaches combining commercial services with locally controlled backup systems.
Threat intelligence sharing between emergency services providers could help the industry collectively defend against attacks. When one organization detects attack patterns or indicators of compromise, rapid sharing allows others to implement defensive measures before threat actors target their systems.
Frequently Asked Questions
How do I know if my information was affected by the CodeRED breach?
If you registered for CodeRED emergency alerts from any government agency, police department, or fire service, your information was potentially compromised. Contact your local emergency management office to confirm whether they used the affected platform. Assume your data was exposed and take protective measures including changing passwords and monitoring accounts for suspicious activity.
What should I do about passwords I used for CodeRED?
Change your CodeRED password immediately once the rebuilt platform becomes available. More importantly, if you used the same or similar passwords for other accounts, update those credentials without delay. Threat actors exploit stolen passwords across multiple services, so reused credentials create significant security risks beyond the initially compromised account.
Can emergency services still reach me during this outage?
Affected agencies are implementing alternative notification methods including increased social media communications, traditional media partnerships, and in some cases, manual notification processes. However, these alternatives lack the speed and reach of automated systems. Stay informed by following your local emergency management agencies on social media, enabling wireless emergency alerts on your phone, and monitoring local news during potential emergency situations.
How long will it take to restore CodeRED services?
Restoration timelines vary by jurisdiction depending on the complexity of their configurations and the amount of data requiring reconstruction. Crisis24 is working to rebuild the platform using backups from March 31, 2025, but agencies must manually recreate any subscriber information added after that date. Full restoration across all affected jurisdictions may take weeks or months.
What is ransomware-as-a-service and why does it matter?
Ransomware-as-a-service operates as a business model where malware developers partner with affiliate attackers who conduct the actual breaches. This arrangement allows rapid scaling of attacks and lowers barriers to entry for cybercriminals. The concept matters because it significantly expands the number of threat actors who can carry out complex attacks against organizations of all sizes.
Should I be concerned about identity theft following this breach?
The stolen data including names, addresses, email addresses, and phone numbers could enable identity theft attempts, phishing attacks, or social engineering schemes. Monitor financial accounts for unauthorized transactions, consider placing fraud alerts with credit bureaus, and maintain heightened skepticism toward unexpected communications requesting personal information or account access.
Why were passwords stored in plain text instead of encrypted?
Storing passwords in clear text violates fundamental security principles established decades ago. The practice suggests either legacy system limitations or architectural decisions that prioritized functionality over security. Modern systems should hash passwords using cryptographic algorithms that prevent recovery even when attackers access databases. Organizations discovering they store passwords in recoverable formats should immediately prioritize security upgrades.
How can organizations prevent similar attacks?
Comprehensive security programs combining multiple defensive layers provide the best protection. Essential elements include regular vulnerability patching, endpoint detection solutions, network segmentation, employee security training, multi-factor authentication, continuous monitoring, and tested backup restoration procedures. No single measure provides complete protection, but layered defenses significantly increase the difficulty and cost for attackers.
How Technijian Can Help
Emergency notification systems represent just one example of critical infrastructure vulnerable to sophisticated cyberattacks. Organizations across Orange County and Southern California face similar threats regardless of their industry or size. Technijian brings over two decades of managed IT services experience protecting businesses from evolving cyber threats while maintaining operational continuity.
Our comprehensive cybersecurity services address the multiple attack vectors that threat actors exploit during sophisticated breaches. We implement advanced endpoint detection and response solutions that identify suspicious activities before they escalate into full-scale ransomware attacks. Our security experts continuously monitor your infrastructure, providing 24/7 visibility into potential threats and rapid response capabilities when incidents occur.
Vulnerability management represents another critical component of effective defense strategies. Technijian maintains proactive patch management programs ensuring your systems receive security updates promptly after vendors release them. We reduce the window of opportunity for attackers looking to take advantage of known vulnerabilities by giving priority to severe vulnerabilities affecting internet-facing systems and critical infrastructure.
Our backup and disaster recovery solutions protect against data loss whether caused by cyberattacks, hardware failures, or natural disasters. We design backup architectures with immutable storage that prevents ransomware from destroying your recovery options. Regular restoration testing confirms your backups will function when needed, avoiding the unpleasant surprises many organizations discover during actual emergencies.
Security awareness training helps your employees recognize phishing attempts, social engineering tactics, and suspicious communications that often provide attackers their initial access. Technijian develops customized training programs addressing the specific threats your organization faces, reinforcing lessons through simulated phishing exercises that build defensive skills without risking actual breaches.
Network architecture reviews identify security weaknesses in your current infrastructure and provide roadmaps for implementing proper segmentation, access controls, and monitoring capabilities. We help organizations move beyond basic perimeter security toward defense-in-depth strategies that contain breaches and limit damage when attackers penetrate initial defenses.
Our incident response planning services prepare your organization for potential security events before they occur. We develop documented procedures, identify response team members, establish communication protocols, and conduct tabletop exercises that test your readiness. When incidents do occur, having practiced procedures dramatically reduces response times and minimizes operational disruptions.
Technijian serves diverse industries including healthcare, finance, legal, retail, and professional services throughout Irvine, Orange County, and Southern California. Our team understands the unique compliance requirements, operational constraints, and security challenges facing organizations in different sectors. We customize our services to address your specific needs rather than implementing one-size-fits-all approaches.
Don’t wait for a cyberattack to expose vulnerabilities in your security posture. Contact Technijian today to schedule a comprehensive security assessment. Our experts will evaluate your current protections, identify gaps that create risks, and develop prioritized recommendations for strengthening your defenses against ransomware, data breaches, and other cyber threats. Protect your organization with the same expertise that has secured Orange County businesses for over 25 years.
About Technijian
Technijian is a premier Managed IT Services provider in Irvine, specializing in delivering secure, scalable, and innovative AI and technology solutions across Orange County and Southern California. Founded in 2000 by Ravi Jain, what started as a one-man IT shop has evolved into a trusted technology partner with teams of engineers, AI specialists, and cybersecurity professionals both in the U.S. and internationally.
Headquartered in Irvine, we provide comprehensive cybersecurity solutions, IT support, AI implementation services, and cloud services throughout Orange County—from Aliso Viejo, Anaheim, Costa Mesa, and Fountain Valley to Newport Beach, Santa Ana, Tustin, and beyond. Our extensive experience with enterprise security deployments, combined with our deep understanding of local business needs, makes us the ideal partner for organizations seeking to implement security solutions that provide real protection.
We work closely with clients across diverse industries, including healthcare, finance, law, retail, and professional services, to design security strategies that reduce risk, enhance productivity, and maintain the highest protection standards. Our Irvine-based office remains our primary hub, delivering the personalized service and responsive support that businesses across Orange County have relied on for over two decades.
With expertise spanning cybersecurity, managed IT services, AI implementation, consulting, and cloud solutions, Technijian has become the go-to partner for small to medium businesses seeking reliable technology infrastructure and comprehensive security capabilities. Whether you need Cisco Umbrella deployment in Irvine, DNS security implementation in Santa Ana, or phishing prevention consulting in Anaheim, we deliver technology solutions that align with your business goals and security requirements.
Partner with Technijian and experience the difference of a local IT company that combines global security expertise with community-driven service. Our mission is to help businesses across Irvine, Orange County, and Southern California harness the power of advanced cybersecurity to stay protected, efficient, and competitive in today’s threat-filled digital world.