Risk and crisis management provider Crisis24 recently confirmed that its OnSolve CodeRED platform suffered a cyberattack that disrupted emergency notification services for cities, counties, police departments, and fire agencies across the United States. The affected platform underpins community alerts for severe weather, hazardous material incidents, missing persons, and other urgent public safety events.
Because many jurisdictions rely on CodeRED as a primary outbound channel to residents, even a partial outage immediately reduces their ability to push time-sensitive instructions at scale. In practice, that disruption forces agencies to fall back on slower or less targeted methods while the vendor rebuilds the service.
What Crisis24 has confirmed so far
According to notifications and FAQ material shared with customers, Crisis24 currently treats the incident as contained to the legacy CodeRED environment. The company states that other internal systems did not show signs of compromise during its investigation.
However, the attacker did steal data from the CodeRED platform. Impacted records include:
– Names
– Physical addresses
– Email addresses
– Phone numbers
– Passwords associated with CodeRED user profiles
One advisory from a Texas municipality notes that investigators have not yet seen evidence of that data being posted publicly, while still acknowledging indications that the attacker exfiltrated information from the system.
Because the attack damaged the legacy CodeRED environment, Crisis24 moved to rebuild service off backups. The company is restoring data into a newly launched “CodeRED by Crisis24” platform. The most recent viable backup snapshot dates back to March 31, 2025, which means some more recent accounts and configuration changes do not yet exist in the rebuilt system. Agencies now need to reconcile missing entries, re-onboard users, and validate contact paths while they bring their alert capabilities back online.
Password reuse now sits at the center of the risk
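As an added example (not Crisis24's code and not a CodeRED API), the following Python check shows how an agency can reconcile its own pre-incident contact export against the export from the rebuilt platform, separating the gaps that the March 31, 2025 snapshot explains from the ones that need investigation. The CSV column names and every sample row are constructed for illustration.

```python
# Added example, not Crisis24's code: reconcile an agency's own contact export
# with the export of the rebuilt platform (restored from the 2025-03-31 backup).
# Column names and all rows below are constructed for illustration.
import csv
from datetime import date

BACKUP_DATE = date(2025, 3, 31)  # last viable snapshot per the notifications

# Constructed: the agency's pre-incident record of registered contacts.
AGENCY_EXPORT = """\
contact_id,email,phone,registered
1001,alice@example.org,+15550100,2024-06-12
1002,bob@example.org,+15550101,2025-02-03
1003,carol@example.org,+15550102,2025-04-15
1004,dave@example.org,+15550103,2024-11-20
"""

# Constructed: what the rebuilt platform exported after the restore.
RESTORED_EXPORT = """\
contact_id,email,phone,registered
1001,alice@example.org,+15550100,2024-06-12
1002,bob@example.org,+15550199,2025-02-03
2001,eve@example.org,+15550200,2025-01-08
"""

def load(text):
    """Parse a CSV export into {contact_id: row}, with 'registered' as a date."""
    rows = {}
    for row in csv.DictReader(text.splitlines()):
        row["registered"] = date.fromisoformat(row["registered"])
        rows[row["contact_id"]] = row
    return rows

def reconcile(agency_csv, restored_csv, backup_date=BACKUP_DATE):
    """Bucket each agency contact by the follow-up it needs after the restore."""
    agency, restored = load(agency_csv), load(restored_csv)
    report = {"ok": [], "drifted": [], "expected_gap": [], "unexpected_gap": []}
    for cid, row in agency.items():
        current = restored.get(cid)
        if current is None:
            # Registered after the snapshot: expected rollback loss, re-onboard.
            # Registered before it yet missing: the restore needs investigation.
            bucket = "expected_gap" if row["registered"] > backup_date else "unexpected_gap"
        elif (row["email"], row["phone"]) != (current["email"], current["phone"]):
            bucket = "drifted"  # contact path changed: re-validate before relying on it
        else:
            bucket = "ok"
        report[bucket].append(cid)
    # Records only on the restored side have no source in the agency's own data.
    report["unknown_in_restore"] = sorted(set(restored) - set(agency))
    return report
```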
The stolen CodeRED data set becomes significantly more dangerous wherever users reused those credentials on other services. Because the attacker appears to hold some passwords in clear text, follow-on credential-stuffing attacks against unrelated systems now sit firmly on the table.
For agencies and individual users, that reality turns a “vendor breach” into a personal account hygiene problem. Security teams now need to:
– Force CodeRED password resets for all accounts.
– Identify any reuse of those passwords across internal apps, VPNs, or third-party SaaS.
– Accelerate rollout of multi-factor authentication wherever possible.
INC Ransom claims responsibility for the hit
While the victim organization initially attributed the incident only to an “organized cybercriminal group,” the INC Ransom operation has now taken credit for the attack. The group published an entry for the emergency alert provider on its Tor-based leak site and posted screenshots that appear to show customer information, including email addresses and associated clear-text passwords.
In its note, the gang claims it breached systems on November 1, 2025, then proceeded to encrypt files on November 10. After the victim allegedly refused to pay, INC now states that it has begun offering the stolen data for sale to other criminals.
Because the screenshots include visible credentials in plain text, crisis communication and IT teams should treat those credentials as compromised even if no public leak has surfaced yet. That posture aligns with how defenders already handle leaks from other ransomware groups and infostealer operations.
Who sits behind INC Ransom?
INC Ransom operates as a ransomware-as-a-service (RaaS) program that first appeared in mid-2023. Threat intelligence research describes an ecosystem where core operators provide the locker, infrastructure, and leak platform, while affiliated crews handle intrusion work and victim negotiations.
Public tracking links the group to a broad mix of victims across government, education, healthcare, manufacturing, and retail. Named organizations in previous incidents include Yamaha Motor’s Philippine subsidiary, Scotland’s National Health Service, global food retailer Ahold Delhaize, and the U.S. division of Xerox Business Solutions, among many others.
This new hit on a nationwide emergency alert provider fits a worrying pattern: ransomware groups increasingly pivot from purely commercial targets into services that underpin public safety and government operations. That trend raises the stakes for resilience planning, because each successful compromise now risks real-world harm rather than “just” financial loss.
Risk portrait: what communities actually feel
As local agencies lose access to an alerting platform like CodeRED, they lose one of their fastest tools for mass notification. That impact shows up in several concrete ways:
– Residents may stop receiving automated calls, text messages, or push alerts about tornado warnings, evacuation orders, boil-water advisories, or shelter-in-place instructions.
– Public safety agencies may need to lean harder on social media, local media partners, or door-to-door outreach, which often introduces delay and coverage gaps.
– Smaller jurisdictions that rely on a single notification vendor may have almost no redundancy, particularly if staff resources remain limited.
From an adversary’s perspective, that leverage provides more pressure during ransom negotiations. Even if the attacker ultimately prioritizes data theft and extortion, the ability to shut down or degrade critical communication channels sits quietly in the background throughout the incident.
How agencies and vendors should respond
Because this incident touches both public-sector emergency management and a commercial SaaS provider, defenders across several domains need to adjust.
For emergency management and IT teams inside cities and counties, the immediate focus should stay on:
– Confirming who relies on CodeRED, which groups lost access, and what interim alert channels now exist.
– Enforcing password resets for staff and residents who used the platform, with targeted communication about reuse risk.
– Reviewing vendor access paths into internal networks to ensure the incident did not open an unmonitored backdoor.
For SaaS and managed-service providers that support critical communications, this case should drive fresh reviews of:
– Backup strategies and how far back the last good snapshot might force a rollback.
– Segmentation between legacy and next-generation environments.
– Incident communication routines and how quickly customers receive clear, technically accurate status updates during active response.
Threat intelligence around INC Ransom also suggests that organizations should sit down with their crisis teams and talk through a scenario where this specific group targets them. Even a basic tabletop exercise based on attack patterns and leak-site behavior can shorten reaction time if the name appears in your logs or your inbox.
FAQs
Q: If my agency uses CodeRED, what is the first thing to do?
You should first validate the current operational status of your CodeRED environment, then coordinate with Crisis24’s support channel for the latest recovery and migration guidance. In parallel, start a forced password reset campaign and instruct users not to reuse any legacy CodeRED passwords on other sites or applications.
Q: Does this mean emergency alerts stopped entirely?
In many jurisdictions, agencies maintain multiple ways to reach residents, including siren systems, local media coordination, social platforms, and other alert vendors. The CodeRED disruption still reduces resilience and reach, yet it rarely represents the only path. Agencies should now reassess those redundancies and identify gaps exposed by this outage.
Q: Why does a ransomware group aim at an emergency alert system?
Ransomware actors usually pursue leverage. A platform that underpins emergency alerts carries both sensitive data and high operational impact. That combination increases perceived pressure on the victim during extortion, even if the attacker primarily cares about monetizing stolen information or selling access.