OnSolve CodeRED Gets Ransomed—Emergency Alert Systems Held Hostage by INC Ransom

Here’s something to really keep you up at night: the emergency notification system that’s supposed to alert millions of Americans about fires, floods, and evacuations just got taken offline by ransomware. That’s not cybersecurity theater—that’s actual critical infrastructure getting held hostage.

OnSolve CodeRED, operated by Crisis24, got breached by the INC Ransom gang on November 1, with ransomware deployed on November 10. The gang held the platform ransom, and when no payment materialized, they did what ransomware gangs do—they leaked customer data online and went public. The fallout? State and local governments, police departments, and fire agencies across the United States suddenly couldn’t reliably contact residents during emergencies.

Let’s be clear about what was stolen. Names, addresses, email addresses, phone numbers, and—this is the kicker—passwords in plain text. Plain. Text. In 2025. It’s like walking into a bank and finding the vault protected by a Post-it note. Worse, Crisis24 initially claimed no data had been published, but the INC Ransom crew posted screenshots showing customer credentials right there on the Tor leak site.
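The plaintext-storage failure described above, beside the hardened alternative, as an added example that is not code from the original post or from CodeRED: a constructed legacy user table holding cleartext passwords, an audit that flags such records, and a migration to salted PBKDF2-HMAC-SHA256 hashes verified in constant time. All account names and passwords are made up.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a legacy user table that stores passwords in the clear,
# the failure described above (hypothetical records, not data from the incident).
LEGACY_USERS = {
    "dispatch@example.org": {"password": "Winter2025!"},
    "ems@example.org": {"password": "hunter2"},
}

PBKDF2_ROUNDS = 600_000  # work factor for PBKDF2-HMAC-SHA256 (OWASP 2023 guidance)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing 'pbkdf2_sha256$rounds$salt$hash' string."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed format: never fall back to comparing cleartext
    _, rounds, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_plaintext(users: dict) -> list:
    """Return the accounts whose record still carries a cleartext 'password' field."""
    return [user for user, rec in users.items() if "password" in rec]


def migrate_user_store(users: dict) -> dict:
    """Replace every cleartext password with a salted PBKDF2 hash, in place."""
    for record in users.values():
        if "password" in record:
            record["password_hash"] = hash_password(record.pop("password"))
    return users
```

After migration the cleartext value no longer exists anywhere in the store, so a leak of the table exposes only salted hashes that must be brute-forced per account.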

The response? Crisis24 decided to nuke the entire legacy CodeRED environment and rebuild from clean backups. Sounds responsible until you realize the most recent backup was from March 2025. That’s an eight-month data gap forcing emergency agencies across the country to manually recreate alert lists. Meanwhile, those agencies had to rely on slower, less reliable communication channels like social media and local news broadcasts. As a public safety mechanism, it’s borderline useless.

This incident illustrates exactly what I’ve discussed in my work on organizational cybersecurity culture and resilience—when critical infrastructure operators treat security as an afterthought, everyone pays the price. CodeRED handles some of the most important communications in disaster response. The fact that it was vulnerable enough to be compromised demonstrates systemic negligence in security architecture.

INC Ransom has a history here too. They’ve targeted hospitals, governments, and major organizations globally. They’re ransomware-as-a-service operators running a business model optimized for profit extraction. What changed was their target—they went after public safety infrastructure. That’s a line being crossed.

Organizations running critical infrastructure need to start operating under the assumption that compromise is inevitable. Build your defenses with immutable backups, advanced endpoint detection, and 24/7 monitoring. Assume the attacker is already inside your network and plan accordingly.
