CodeRED emergency alert system CodeDEAD after INC ransomware attack
Towns and cities across the US are without access to their CodeRED emergency alert system following a cyberattack on vendor Crisis24.
Various municipalities have issued near-identical advisories about the attack on the OnSolve CodeRED platform, now owned by Crisis24, which enables residents to receive real-time alerts for emergencies such as weather warnings, missing children, terror threats, and more.
In its warning about the situation to locals, the Sheriff’s Office for Douglas County, Colorado, this week announced it had terminated its CodeRED contract and that it was actively searching for a replacement.
The wording of similar disclosures made by other regions suggests they will be sticking with Crisis24 as it works to bring a brand-new CodeRED platform online, which was being developed before the attack.
Crisis24 told customers that the new platform “resides on a non-compromised, separate environment,” which has undergone “a comprehensive security audit” and “additional penetration testing and hardening.”
“While the city’s CodeRED account has been decommissioned, staff is working with the vendor to migrate to a new emergency alert platform,” said the City of University Park, Texas.
“Please know that protecting your personal information is our highest priority, and we are committed to safeguarding your data by working with vendors who provide secure, reliable systems.”
While they wait for the new platform to come online, most of the affected areas across the country have resorted to issuing the same emergency notifications via social media or door-to-door communication if necessary.
Their residents have also been advised to change their CodeRED passwords. According to Crisis24’s communications with customers, the data stolen by the criminal group included names, addresses, email addresses, phone numbers, and the passwords used to create CodeRED accounts.
The City of O’Fallon, Missouri, said: “Not all recipients of CodeRED alerts elected to create a full profile; however, if that was chosen and if the same password is used for any other personal or business accounts, it is strongly recommended that those passwords should be changed.”
According to their notices, Crisis24 handed its customers an FAQ, which most have published verbatim at the end of their respective advisories.
The fact sheet states that the attack is limited to CodeRED and that no other customer systems should be considered compromised.
Under the “Why did this happen?” section of the FAQ, Crisis24 said: “Unfortunately, there have been rising cybersecurity risks and penetrations across many organizations as of late.”
When the company informed customers of the attack, it also said there was no indication that the stolen data was leaked online, but warned that this may not remain true.
The INC ransomware group has claimed responsibility for the attack and leaked a purported snippet of the stolen data on its dark web blog.
As part of its pressure campaign against Crisis24 to pay the ransom, INC appears to have released a portion of the negotiation history between it and the vendor.
If genuine, the chat logs suggest INC’s ransom demand was initially set at $950,000 but later reduced to $450,000. The logs also suggest that Crisis24 offered an initial $100,000 payment, and later upped it to $150,000, which INC rejected.
INC further alleged that its affiliate gained access to Crisis24’s network on November 1, and encrypted its files on November 10.
In lieu of a ransom payment, the cybercrime crew said it will sell the data it stole instead.
The Register contacted Crisis24 for additional information, but it did not respond immediately. ®