INC Ransom Attack Disrupts US Emergency Alerts, Exposes Clear-Text Passwords
The CodeRED alert platform operated by OnSolve and maintained by the risk-management firm Crisis24 has fallen victim to a major cyberattack — an incident that disrupted emergency-notification systems relied upon by government agencies and first responders across the United States, while simultaneously resulting in the exposure of citizens’ personal data.
Crisis24 reports that the attack affected only the CodeRED environment, leaving the company’s other systems untouched. Nonetheless, containing the breach required decommissioning the platform’s legacy infrastructure. This forced shutdown interrupted the delivery of emergency alerts — including severe-weather warnings and critical public-safety notifications used by local administrations, police departments, and fire services.
During the investigation, Crisis24 confirmed that the attackers managed to exfiltrate a substantial portion of the platform’s data. The stolen information includes names, mailing addresses, email addresses, phone numbers, and passwords associated with CodeRED user profiles. Although the company claims that no signs of public release have been observed, the reality is not quite so reassuring.
The attack was likely carried out by the ransomware group INC Ransom. On its Tor-based leak site, the group published a dedicated entry for OnSolve, releasing screenshots containing samples of client data — including email addresses and passwords displayed in plain text.
According to the group’s statement, it infiltrated OnSolve’s infrastructure on 1 November 2025, encrypted files on 10 November, and, after the ransom payment was refused, proceeded to sell the stolen data.
Due to the extent of the damage, CodeRED’s infrastructure is now being restored from a backup under the new platform, CodeRED by Crisis24. The available backup is dated 31 March 2025, meaning that some user accounts and recent changes may not be present in the rebuilt system. Local government bodies and public-safety agencies across the country have already begun reporting efforts to return their alert systems to normal operation.
Because some of the exposed passwords were stored in unencrypted form, CodeRED users are strongly urged to change their login credentials wherever the same combinations may have been reused.
INC Ransom operates under the ransomware-as-a-service (RaaS) model and has been active since July 2023. During this time, the group has attacked organizations worldwide, compromising educational and medical institutions, government entities, and major businesses — including Yamaha Motor Philippines, the Scottish National Health Service, retailer Ahold Delhaize, and the U.S. division of Xerox Business Solutions.