Nationwide CodeRED Emergency Alert System Compromised: INC Ransom Attack Leaves Thousands Without Critical Communication

Executive Summary

A sophisticated cyberattack has crippled the OnSolve CodeRED emergency notification platform, impacting hundreds of municipalities across the United States and potentially exposing personal information of millions of residents. The incident, which began in early November 2025, has forced OnSolve to permanently decommission its legacy CodeRED infrastructure and migrate customers to a new platform operated by Crisis24.

City of Attleboro Under Cyber Siege: Latest in Wave of Municipal Ransomware Attacks

November 20, 2025 - The City of Attleboro, Massachusetts became the latest American municipality to fall victim to a sophisticated cyberattack, joining a growing list of cities and towns struggling against an unprecedented surge in ransomware operations targeting local governments. Smart City Cybersecurity Assessment | CyberSafe.CityComprehensive security assessment for smart

Breached CompanyBreached Company

The INC Ransom cybercriminal group has claimed responsibility for the attack, marking one of the most significant compromises of critical public safety infrastructure in recent years. This incident adds to the growing list of cyber threats facing America's emergency services infrastructure, where nearly 90% of emergency communication centers have experienced outages in the past year.

The Attack Timeline

November 10, 2025: The CodeRED system failure was first detected when the Great Falls Police Department in Cascade County, Montana discovered they could not access the platform during preparations for a scheduled county-wide emergency alert test.

November 11, 2025: OnSolve publicly acknowledged detecting "potential security vulnerabilities" in the platform and suspended system access for a comprehensive security review.

November 13, 2025: Los Alamos County, New Mexico received notification from OnSolve at 5:52 PM about the detection of potential vulnerabilities. The company had already suspended platform access by this point.

Mid-to-Late November 2025: OnSolve made the decision to permanently decommission the entire OnSolve CodeRED platform due to damage within the environment. The company announced an accelerated transition to a new "CodeRED by Crisis24" solution.

November 21-23, 2025: Municipalities across Illinois, Missouri, Texas, Montana, New Mexico, and other states issued warnings to residents about potential data exposure, including Jackson County, Illinois and O'Fallon, Missouri.

Scope and Impact

Geographic Reach

The attack has affected emergency management operations across multiple states, with confirmed impacts in:

• Illinois: Jackson County, Champaign County
• Missouri: O'Fallon, Warren County, St. Louis region
• Montana: Cascade County (which terminated its contract with OnSolve)
• New Mexico: Los Alamos County
• Texas: Fort Worth, Melissa, and numerous other municipalities
• Virginia: Pittsylvania County (confirmed platform decommissioning)
• California: Multiple jurisdictions
• Colorado: Multiple municipalities

According to Pittsylvania County, Virginia officials, the cybersecurity incident was "contained but damaged the OnSolve CodeRED environment" to such an extent that complete platform decommissioning became necessary. The county confirmed that OnSolve has expedited plans to move all customers to the new Crisis24 Solutions system, with the critical caveat that all users may need to re-register for emergency alerts.

Critical Service Disruption

CodeRED is used by over 10,000 counties, cities, and towns nationwide to send emergency alerts including:

• Tornado warnings and severe weather alerts
• Hazardous material spills
• Evacuation orders
• Missing persons alerts (AMBER alerts)
• Road closures and public safety notifications
• Natural disaster updates

During the two-week outage, affected jurisdictions had no ability to use the platform for emergency notifications, forcing them to rely on backup systems including FEMA's Integrated Public Alert and Warning System (IPAWS), social media, local news outlets, and alternative notification platforms. This incident joins the unprecedented wave of major cyberattacks in 2025 that have targeted critical infrastructure across 14 of the 16 U.S. critical infrastructure sectors.

Data Exposure Concerns

According to warning letters distributed by affected municipalities, the compromised data potentially includes:

• Full names
• Home addresses
• Email addresses
• Phone numbers
• Passwords used to create CodeRED alert profiles

Critical Security Advisory

Security researchers and affected jurisdictions are urging CodeRED users to immediately change their passwords, particularly if they reused the same password across multiple accounts. This is a textbook example of why password reuse represents such a significant security risk.

As of this publication, OnSolve has stated there is "no indication that any customer data or personal information has been compromised," but this messaging appears contradictory to the warnings being issued by municipalities like Jackson County, which specifically warned that hackers "were able to remove data."

OnSolve's Official Statement: CodeRED Senior Vice President of Customer Success Ann Pickren stated: "At this stage, we want to emphasize that there is no indication that any customer data or personal information has been compromised. Our teams have been working continuously to verify and strengthen the integrity of the system before restoring access."

However, the decision to permanently decommission the entire platform suggests the damage assessment may have revealed more serious concerns than initially disclosed to customers.

The Threat Actor: INC Ransom

According to reporting from DataBreaches.net, the INC Ransom cybercriminal group has claimed responsibility for the attack. The group provided images as proof of access to OnSolve's systems, though they did not indicate whether they encrypted files or simply exfiltrated data.

INC Ransom Profile

INC Ransom emerged as a ransomware-as-a-service (RaaS) operation in July 2023 and has since become one of the most active ransomware groups targeting critical infrastructure:

Target Industries:

• Healthcare (including Scotland's NHS and McLaren Health Care)
• Education institutions
• Government agencies (Pennsylvania Attorney General's Office)
• Manufacturing firms (Yamaha Motor Philippines)
• Non-profit organizations
• Financial services

Notable Characteristics:

• Operates using a double extortion model (encryption + data theft)
• Previously claimed to avoid healthcare and government targets (a norm that has clearly eroded)
• Has exfiltrated terabytes of data in previous attacks (5.7TB from Pennsylvania AG's Office)
• Maintains TOR-based leak sites for publishing stolen data
• Has undergone internal restructuring and possible leadership changes

Technical Capabilities:

• Exploits known vulnerabilities (CVE-2023-3519 in Citrix NetScaler)
• Uses legitimate tools for lateral movement (NETSCAN, MEGAsync)
• Employs sophisticated evasion techniques
• Targets both Windows and Linux/ESXi environments

The group's willingness to attack critical public safety infrastructure like emergency notification systems represents a significant escalation in ransomware tactics and demonstrates a disregard for the life-safety implications of their attacks.

Jurisdictional Responses

Contract Terminations

Cascade County, Montana took the most aggressive action, formally terminating its three-year contract with OnSolve on November 13, 2025, citing:

• Week-long outage without notification to the county
• Failure to provide updates on system status
• Loss of confidence in the company's reliability
• Inability to provide contracted services

Sheriff Jesse Slaughter stated: "Cascade County has used the CodeRed system for over 10 years without any significant issues. This almost now week-long outage has caused serious loss of confidence in the company's product and reliability."

The county invoked Montana state statute 28-2-1711, MCA, which allows immediate rescission of contracts when one party cannot provide agreed-upon services. This decisive action reflects a broader trend of municipalities taking aggressive stances against vendors following cyber incidents.

Communication Failures

Multiple jurisdictions reported that OnSolve failed to proactively notify them of the security incident. Instead, emergency management officials discovered the outage themselves when attempting to access the system or through customer support inquiries.

This lack of transparent communication during a critical security incident affecting public safety infrastructure raises serious questions about OnSolve's incident response protocols.

Alternative Communication Strategies

Los Alamos County Emergency Manager Beverley Simpson emphasized the importance of redundant communication systems: "Planning ahead for potential outages and emergencies—whether due to natural disasters, cyberattacks, or infrastructure failures—ensures that critical information reaches those who need it most. Having alternative communication methods and clear protocols in place can keep communities safe and response efforts effective when it matters most."

Los Alamos County recommended the following alternative communication tools during the CodeRED outage:

• Official Government Websites: Bookmark and regularly check county/city websites for emergency alerts
• AM 1610 Radio: Traditional radio broadcasting for incident updates
• Social Media: Follow official county/city pages on Facebook, Instagram, and NextDoor
• Local Media: Monitor press releases sent to news outlets
• IPAWS/Wireless Emergency Alerts: Federal system independent of CodeRED

Simpson noted that Los Alamos County deliberately chose not to use CodeRED during a November 11, 2025 communications outage "as a result of previous feedback from the public regarding access to cell phone and email messages during an event of this nature." This decision proved prescient when CodeRED itself became unavailable just two days later.

The FedRAMP Question

Perhaps the most concerning aspect of this incident is OnSolve's security credentials. The company achieved Federal Risk and Authorization Management Program (FedRAMP) authorization in May 2023, certifying that its technology had "successfully gone through a rigorous review and assessment process to meet stringent federally defined standards."

FedRAMP authorization includes C-level security evaluations from the Department of Defense, General Services Administration, and Department of Homeland Security. OnSolve also holds ISO 27001 and 27018 certifications.

Key Questions:

1. How did a FedRAMP-authorized platform suffer such a significant compromise less than three years after certification?
2. Were there unpatched vulnerabilities or configuration weaknesses that enabled the attack?
3. What continuous monitoring and security assessments were being performed?
4. Why was the incident response communication so poor?

This breach should prompt a comprehensive review of FedRAMP's continuous monitoring requirements and incident response protocols, particularly for vendors providing critical public safety services.

Technical Response and Recovery

Platform Decommissioning

OnSolve made the decision to permanently decommission the entire legacy CodeRED platform "out of an abundance of caution." This dramatic step suggests that the damage to the environment was substantial enough that remediation was deemed infeasible or too risky.

Migration to Crisis24

OnSolve is accelerating migration of all customers to a new "CodeRED by Crisis24" platform. Crisis24 appears to be a related or subsidiary entity, though the exact corporate relationship is unclear.

Migration Challenges:

• No firm timeline provided for when the new platform will be fully operational
• Critical: All users may need to re-register for alerts - This means millions of residents who previously signed up for CodeRED notifications could lose coverage unless they take action to re-register
• Data export/import processes are ongoing
• Some jurisdictions report that enrollee data will be migrated, but confirmation timelines are unclear
• System capabilities remain limited as the new platform comes online

Public Safety Risk: The requirement for users to re-register creates a significant gap in emergency notification coverage. Residents who are unaware of this requirement will not receive critical alerts even though they believe they're still enrolled. Municipalities face the challenge of conducting massive public awareness campaigns to ensure residents re-register for the new system.

Pittsylvania County officials stated they "will notify the public as soon as onboarding is completed" and will post updates on county websites and social media platforms. However, the lack of a concrete timeline leaves communities in a state of uncertainty about when full emergency notification capabilities will be restored.

IPAWS Disconnection

FEMA's Integrated Public Alert and Warning System (IPAWS) proactively disconnected alerting authorities that originate messages through CodeRED as a precautionary measure. This further reduced emergency notification capabilities but protected the integrity of the national alert system.

Cybersecurity Analysis

Attack Vector Speculation

While OnSolve has not publicly disclosed the attack vector, INC Ransom's typical tactics include:

1. Exploiting known vulnerabilities: The group has previously exploited CVE-2023-3519 in Citrix NetScaler
2. Phishing and social engineering: Targeting employees with credential theft campaigns
3. Initial Access Brokers: Purchasing valid credentials from specialized criminals
4. RDP exploitation: Targeting weak or default passwords on publicly accessible services

Systemic Vulnerabilities

This incident highlights several systemic vulnerabilities in critical infrastructure:

Single Points of Failure: Over 10,000 jurisdictions relying on a single platform creates massive concentration risk. When that platform is compromised, thousands of communities simultaneously lose emergency notification capabilities.

Vendor Security Posture: Even FedRAMP-authorized vendors can suffer significant compromises, suggesting that compliance frameworks alone are insufficient to prevent sophisticated attacks.

Incident Response Gaps: The failure to proactively notify customers about the security incident demonstrates inadequate crisis communication protocols for a company providing public safety services.

Password Security: The potential exposure of user passwords highlights the continued prevalence of password-based authentication without additional security layers like multi-factor authentication.

Recommendations

For Affected Residents

1. Immediately change passwords associated with CodeRED accounts
2. Never reuse passwords across multiple accounts
3. Enable multi-factor authentication wherever available
4. Monitor financial accounts for suspicious activity
5. Be vigilant for phishing attempts that leverage exposed contact information
6. Sign up for alternative alert systems in your jurisdiction

For Municipalities and Emergency Management

1. Implement redundant notification systems: Never rely on a single vendor for critical emergency communications
2. Evaluate vendor security practices: Go beyond compliance certifications to assess real-world security operations
3. Require proactive incident notification: Build contractual requirements for immediate notification of security incidents
4. Test backup systems regularly: Ensure alternative communication methods are functional and staff are trained
5. Consider geographic distribution: Use vendors with distributed infrastructure to reduce concentration risk
6. Review contracts: Ensure Service Level Agreements (SLAs) include security incident response requirements
7. Develop alternative communication strategies: As Los Alamos County demonstrated, have multiple channels ready including websites, social media, radio, and federal systems
8. Accept limited control: As LA County Emergency Manager Simpson noted, "The County has limited control in how third-party organizations maintain and update their infrastructure." Plan accordingly with robust redundancy.

For OnSolve and Similar Vendors

1. Transparent incident disclosure: Provide detailed timeline and technical information about the breach
2. Proactive customer notification: Inform customers immediately when security incidents are detected
3. Enhanced monitoring: Implement advanced threat detection and response capabilities
4. Security architecture review: Conduct comprehensive assessment of why platform decommissioning was necessary
5. Incident response planning: Develop and test crisis communication protocols for security incidents
6. Zero Trust implementation: Move toward zero trust security architectures that assume breach

For Federal Oversight Bodies

1. FedRAMP review: Assess whether continuous monitoring requirements are sufficient for critical infrastructure vendors
2. Incident reporting mandates: Require FedRAMP vendors to report security incidents within specific timeframes
3. Public safety vendor standards: Develop enhanced security requirements for vendors providing life-safety services
4. Concentration risk assessment: Evaluate national security implications of single-vendor dependencies

The Broader Context

This incident is part of a disturbing trend of ransomware groups targeting critical infrastructure and public sector entities. As documented in our analysis of ransomware attacks crippling America's cities and towns, the summer of 2025 was one of the most devastating periods for municipal cybersecurity in U.S. history:

Cyberattacks on Major Healthcare Systems: Ascension Health, Corewell Health, and McLaren Health

In recent years, healthcare systems have become prime targets for cyberattacks, with significant incidents affecting major providers like Ascension Health, Corewell Health, and McLaren Health. These attacks have disrupted operations, compromised patient data, and highlighted vulnerabilities in the healthcare sector’s cybersecurity infrastructure. Ascension Health’s 2024 Ransomware Attack In May 2024,

Breached CompanyBreached Company

• Healthcare: McLaren Health Care (743,000 patients affected)
• Government: Pennsylvania Attorney General's Office (5.7TB stolen)
• Education: Multiple school districts and universities
• Emergency Services: Now including emergency notification platforms

The erosion of informal "rules" against attacking healthcare and government entities signals a more dangerous threat landscape where cybercriminals have abandoned any pretense of ethical boundaries. Recent law enforcement takedowns have disrupted several major ransomware operations, but the criminal ecosystem has shown remarkable resilience and adaptability.

Business Continuity Lessons

From a business continuity and disaster recovery perspective, this incident provides several valuable lessons:

Technology Dependencies: Organizations must identify and mitigate single points of failure in critical communication systems.

Vendor Risk Management: Third-party risk assessments must go beyond checkbox compliance to evaluate actual security capabilities and incident response maturity.

Redundancy Requirements: Mission-critical functions require redundant systems, preferably from different vendors using different technology stacks.

Testing Frequency: Backup systems must be tested regularly under realistic conditions, not just during scheduled drills.

Communication Protocols: Organizations need clear protocols for communicating with stakeholders during vendor-related incidents.

Vendor Risk Management Tool | Third-Party Risk Assessment

Comprehensive vendor risk assessment tool for CISOs and security teams. Evaluate third-party vendors across 23 security dimensions with weighted scoring and auto-recommendations.

CISO MarketplaceCISO Marketplace

Related Reading

This CodeRED incident is part of a broader pattern of cyberattacks targeting critical infrastructure and municipal governments. For additional context and related incidents, see:

• America's 911 Systems Under Siege: The Growing Cyber Threat to Emergency Services - Comprehensive analysis of cyber threats facing emergency communication centers, where 90% have experienced outages.
• The Cyber Siege: How Ransomware is Crippling America's Cities and Towns - Coverage of the devastating summer 2025 wave of municipal ransomware attacks, including Nevada's statewide shutdown and Minnesota National Guard deployment.
• City of Attleboro Under Cyber Siege: Latest in Wave of Municipal Ransomware Attacks - Recent municipal ransomware incident demonstrating how cities maintain critical services during cyber incidents.
• Major Cyber Attacks 2025: A Comprehensive Analysis - Overview of the year's most devastating data breaches and ransomware incidents across all sectors.
• Global Cybercrime Takedowns in 2025: A Year of Unprecedented Law Enforcement Action - Analysis of international law enforcement efforts against ransomware groups, including operations targeting groups like INC Ransom.

Conclusion

The OnSolve CodeRED cyberattack represents one of the most significant compromises of public safety infrastructure in recent memory. The two-week outage left millions of Americans without their primary emergency notification system during a time when severe weather, natural disasters, and other emergencies could strike without warning.

The permanent decommissioning of the platform suggests damage so extensive that remediation was impossible, a sobering testament to the sophistication of modern ransomware operations.

While OnSolve works to migrate customers to the new Crisis24 platform, affected jurisdictions must reassess their emergency communication strategies, implement redundant systems, and demand greater transparency and accountability from critical infrastructure vendors.

The incident also demands action from federal oversight bodies to strengthen security requirements and incident response protocols for vendors serving the public sector, particularly those providing life-safety services.

Perhaps most importantly, this breach should serve as a wake-up call about the concentration risk inherent in having thousands of jurisdictions dependent on a single platform. In cybersecurity, diversity is strength, and monocultures—whether in agriculture or technology—create systemic vulnerabilities that sophisticated adversaries will inevitably exploit.

Updates and Resources

CRITICAL FOR CODERED USERS: If you are currently enrolled in CodeRED emergency alerts, you may need to re-register for the new Crisis24 system. Contact your local emergency management office immediately to:

• Confirm whether your registration will be automatically migrated
• Obtain instructions for re-registering if required
• Verify your contact information is current
• Learn about alternative notification methods in your area

For Municipalities: OnSolve has not yet provided a confirmed timeline for full restoration of services on the new Crisis24 platform. Maintain backup communication methods until primary systems are fully operational and tested. Post updates on your website and social media as soon as onboarding information becomes available.

Incident Monitoring: This is a developing situation. Check with your local emergency management agencies for the most current information about notification systems in your area.

References and Additional Reading

• Jackson County Sheriff's Office public statements
• Los Alamos County Office of Emergency Management notices
• Cascade County, Montana contract termination documents
• OnSolve FedRAMP authorization announcements
• INC Ransom threat intelligence from multiple security vendors
• DataBreaches.net reporting on threat actor attribution
• Multiple municipal emergency management communications

This article was researched and written as breaking news on November 23, 2025. Information continues to develop as the incident unfolds. Check back for updates.

Disclosure: This analysis is provided for informational purposes only and does not constitute legal, regulatory, or professional advice. Organizations should consult with qualified cybersecurity professionals for specific guidance on their security posture and incident response capabilities.