INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform
Summary
The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Data stolen includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025. Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of stolen data and is selling samples of the stolen data, escalating concerns among affected agencies.
Timeline
- 25.11.2025 23:48 · 2 articles
INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform
Sources:
- OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
- Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
Information Snippets
- The INC Ransom gang has taken responsibility for the cyberattack on the OnSolve CodeRED platform.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The attack led to the decommissioning of the legacy CodeRED environment, causing widespread disruption.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- Data stolen includes names, addresses, email addresses, phone numbers, and passwords used for CodeRED user profiles.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The attack was contained to the CodeRED environment and did not affect other Crisis24 systems.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The INC Ransom gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The gang is selling the stolen data after allegedly failing to receive a ransom payment.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The passwords shared by the gang are in clear text, so users are advised to reset any reused passwords.
  First reported: 25.11.2025 23:48 · 2 sources, 2 articles
  - OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide — www.bleepingcomputer.com — 25.11.2025 23:48
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The INC Ransom group published screenshots that appear to show customer data, including clear-text passwords.
  First reported: 26.11.2025 18:15 · 1 source, 1 article
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- Cities emphasized that their internal systems were not affected, but urged residents to change passwords if they reused them elsewhere.
  First reported: 26.11.2025 18:15 · 1 source, 1 article
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- Staff in multiple municipalities are reportedly working with Crisis24 to migrate to the new platform, which underwent a full security audit and external penetration testing.
  First reported: 26.11.2025 18:15 · 1 source, 1 article
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
- The legacy platform is now permanently decommissioned, and Crisis24 is rebuilding CodeRED from the ground up.
  First reported: 26.11.2025 18:15 · 1 source, 1 article
  - Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System — www.infosecurity-magazine.com — 26.11.2025 18:15
Similar Happenings
Merkle Breach Exposes Employee and Client Data
Merkle, a US-based subsidiary of Dentsu, experienced a cyberattack resulting in the theft of sensitive employee and client data. The breach was detected through unusual network activity, prompting an incident response and investigation. The stolen data includes bank details, payroll information, and personal contact details. Merkle has notified affected individuals and law enforcement, and is offering credit monitoring and Dark Web monitoring to impacted employees. The nature of the attack remains unknown, but it may involve data extortion or ransomware. The incident highlights the ongoing threat of data theft and the importance of robust incident response protocols.
Lumma Stealer Activity Declines Following Doxxing of Core Members
Lumma Stealer, a prominent information stealer, has seen a significant drop in activity over the past couple of months. This decline follows the doxxing of five alleged core group members, which exposed personal and operational details. The doxxing campaign, believed to be driven by competitors, has led to a sharp decrease in command-and-control (C&C) infrastructure activity and disrupted the group's communications. The doxxing included sensitive information such as passport numbers, bank account details, and social media profiles. The group's Telegram account was compromised on September 17, 2025, preventing effective communication with customers. As a result, cybercriminals have started seeking alternative information stealers like Vidar and StealC. The disruption has also impacted the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution. The doxxing campaign's consistency and depth suggest insider knowledge or access to compromised accounts and databases.
Ransomware Attacks Continue to Evade Defenses Despite Security Efforts
Ransomware remains a top threat to global organizations, with attackers bypassing defenses despite extensive prevention and detection efforts. Double extortion tactics are prevalent, and some groups focus solely on data theft and extortion. The Picus Security Blue Report 2025 reveals a decline in prevention effectiveness, particularly in data exfiltration, highlighting critical gaps in defenses. Security teams must continuously validate their defenses against both known and emerging ransomware strains to ensure readiness. Breach and Attack Simulation (BAS) provides real-time validation of defenses, showing where protections stand or fail. The report underscores the need for ongoing testing and validation to address persistent gaps in malware delivery, detection, data exfiltration, and endpoint protection.
Pennsylvania Attorney General's Office Hit by INC Ransom Ransomware Attack with Data Breach
The Pennsylvania Attorney General's Office has confirmed a ransomware attack that began on August 11, 2025, lasting three weeks. The attack resulted in a service outage affecting the AG's website, email, and phone systems. The AG office refused to pay the ransom and is currently investigating the incident with other agencies. The impact includes disruptions to court proceedings, though the AG office assures that criminal prosecutions and investigations will not be affected. The extent of data exfiltration, if any, remains unknown. The AG's office has confirmed the use of file-encrypting ransomware and that the attack was carried out by an outsider attempting to extort payment. The AG office has not disclosed any details about the ransomware group responsible. Partial recovery of email and phone services has been achieved, with staff operating through alternate methods. The ransomware gang INC Ransom has claimed responsibility for the attack, alleging the theft of 5.7TB of files and access to an FBI internal network.
DaVita ransomware attack exposes data of nearly 2.7 million individuals
DaVita, a kidney dialysis firm, confirmed that a ransomware attack compromised the personal and health information of nearly 2.7 million people. The breach occurred between March 24 and April 12, 2025, affecting data from DaVita's dialysis labs database. The Interlock ransomware gang claimed responsibility and leaked approximately 1.5 terabytes of data. The stolen data included names, addresses, dates of birth, social security numbers, health insurance details, treatment information, and dialysis lab test results. In some cases, tax identification numbers and images of personal checks were also compromised. The impact includes potential identity theft and financial fraud for affected individuals.