Full Report
Regions across US affected, and one tore up its contract for the product

Towns and cities across the US are without access to their CodeRED emergency alert system following a cyberattack on vendor Crisis24.…
Analysis Summary
# Incident Report: Ransomware Attack on CodeRED Emergency Alert System
## Executive Summary
The CodeRED emergency alert system, managed by vendor Crisis24, suffered a debilitating cyberattack attributed to the INC ransomware group, leading to widespread outages impacting towns and cities across the US. The attack resulted in the exfiltration of personal data belonging to alert recipients. Crisis24 has been working to restore service via a new, audited platform while some impacted municipalities have terminated their contracts.
## Incident Details
- **Discovery Date:** Cannot be precisely determined from the article, but the actions taken suggest detection occurred shortly before customer notifications (mid to late November 2025).
- **Incident Date:** Attackers gained initial access on November 1, 2025; file encryption occurred on November 10, 2025.
- **Affected Organization:** Crisis24 (vendor of the OnSolve CodeRED platform).
- **Sector:** Emergency Notification/Government Support Services.
- **Geography:** Regions across the United States.
## Timeline of Events
### Initial Access
- **Date/Time:** November 1, 2025
- **Vector:** Undisclosed (implied exploitation or compromise facilitating access for an affiliate).
- **Details:** An INC ransomware affiliate gained initial access to Crisis24's network.
### Lateral Movement
- **Date/Time:** November 1 to November 10, 2025
- **Vector:** Not specified, but implied successful reconnaissance and movement leading to encryption deployment.
### Data Exfiltration/Impact
- **Date/Time:** Occurred sometime between initial access and November 10, 2025.
- **Impact:** Personal data, including names, addresses, email addresses, phone numbers, and account passwords, was stolen. The primary impact was service disruption of the CodeRED emergency alert system.
- **Encryption:** System files were encrypted on November 10, 2025.
### Detection & Response
- **Detection:** Implied detection by Crisis24 leading to subsequent customer notifications.
- **Response actions taken:** Crisis24 engaged in ransom negotiations (initial demand of $950k, later reduced to $450k; Crisis24 offered up to $150k, which was rejected). Crisis24 initiated the development/migration to a new, separate CodeRED platform validated via security audits and penetration testing. Customers were advised to change passwords.
## Attack Methodology (Inferred from Ransomware Activity)
- **Initial Access:** Unknown, likely exploitation or compromise allowing affiliate entry on Nov 1.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified, but successful enough to deploy encryption after 9 days.
- **Credential Access:** Implied, since stealing user data (names, emails, passwords) required access to the systems holding it.
- **Discovery:** Implied, based on the volume of data potentially accessed and exfiltrated.
- **Lateral Movement:** Implied, to map and encrypt systems.
- **Collection:** Names, addresses, email addresses, phone numbers, and passwords of CodeRED users were collected.
- **Exfiltration:** Data was stolen prior to encryption; the threat actor later leaked a snippet on their dark web blog.
- **Impact:** Operational disruption of emergency alerting; data breach notification requirement.
## Impact Assessment
- **Financial:** Ransom negotiation attempts occurred ($100k–$150k initially offered by Crisis24 against a $450k demand). Specific final costs are unknown.
- **Data Breach:** Personally identifiable information (PII), including names, addresses, phone numbers, email addresses, and passwords of CodeRED users, was stolen.
- **Operational:** Widespread outage of the CodeRED emergency alert system across affected US regions. Municipalities resorted to social media and door-to-door communication for critical alerts.
- **Reputational:** Significant reputational damage, leading at least one jurisdiction (Douglas County, CO) to terminate its contract with Crisis24.
## Indicators of Compromise
- **Network indicators:** None disclosed in the source article.
- **File indicators:** None disclosed in the source article (file encryption is noted as occurring on Nov 10).
- **Behavioral indicators:** Evidence of lengthy dwell time (Nov 1 to Nov 10), active data exfiltration, and negotiation with a known ransomware group (INC).
## Response Actions
- **Containment measures:** Decommissioning of the compromised CodeRED account/environment (as done by University Park, TX). Advised all users to change CodeRED passwords, especially if reused elsewhere.
- **Eradication steps:** Migration to a secured, separate, fully audited platform for the new CodeRED system deployment.
- **Recovery actions:** Utilizing alternative alert methods (social media, door-to-door) while new platform deployment is underway.
## Lessons Learned
- **Vendor Supply Chain Risk:** A critical infrastructure vendor (emergency alerts) suffered a major breach, demonstrating the inherent risk in relying on third-party software for essential public safety functions.
- **Ransomware Negotiation:** Direct negotiation by the vendor proved unsuccessful; the threat actor pursued data leakage/sale instead of payment.
- **Impact of Credential Reuse:** The incident highlighted the necessity of strong password hygiene, as user passwords were stolen, posing a risk if reused across other services.
## Recommendations
- **Platform Segmentation:** Crisis24 migrating to a "non-compromised, separate environment" validates the need for strict environmental segmentation for critical services.
- **Multi-Factor Authentication (MFA):** Immediate enforcement of MFA for all customer accounts accessing the system, particularly since user passwords were stolen.
- **Enhanced Third-Party Risk Management (TPRM):** Municipalities using similar services must conduct deeper security audits of their critical vendors, not just rely on general service level agreements.
- **Incident Communication:** Develop pre-approved communication templates for immediate, transparent notification of critical service outages and data breaches.