INC Ransomware Claims Responsibility For CodeRED Attack
The recent cyberattack on the OnSolve CodeRED system has shocked public safety agencies across the United States, revealing the deep vulnerability of critical emergency-alert infrastructure. The incident was claimed by the INC Ransomware gang, a relatively new, but increasingly active, ransomware-as-a-service (RaaS) threat actor.

The implications of this breach extend far beyond data theft; for a time, entire communities lost access to emergency notifications intended to warn them about disasters, weather events, evacuations, or other urgent threats.
In early November 2025, the CodeRED platform began to malfunction. According to incident reports, attackers allegedly gained access to the system on November 1, 2025, and by November 10, files within the platform had been encrypted.
Within a few days following the encryption event, the issues became widespread: cities and counties across the US discovered they could no longer send emergency alerts. Agencies relying on CodeRED for tornado warnings, evacuation notices, AMBER alerts, water service disruptions, and other critical notifications abruptly lost a vital communication channel.
Following the attack, Crisis24, the parent or associated company of OnSolve, decommissioned the legacy CodeRED environment. The company confirmed the attackers stole usernames, addresses, email addresses, phone numbers, and passwords for CodeRED user profiles.
Although Crisis24 stated that forensic analysis shows the breach was "contained strictly within the CodeRED environment," the damage was sufficiently severe that they opted to rebuild the service from a clean backup — a version dating back to March 31, 2025. That means many user accounts registered after that date could be lost when the system comes back online.
Widespread disruption followed. Counties such as Belmont County in Ohio reported that nearly 11,000 residents may have had their personal data and passwords stolen. Multiple local agencies have ended their contracts with CodeRED, citing a loss of trust and the inability to guarantee a reliable emergency notification service.
INC Ransomware's Code Red for Defenders
INC Ransom emerged in mid-2023. As a RaaS operation, it provides malicious payloads, infrastructure, and leak sites for affiliates who carry out attacks. Its hallmark is a double-extortion model. First, attackers infiltrate a network, often using known vulnerabilities, as was famously the case when threat actors exploited CVE-2023-3519 in Citrix NetScaler. They then exfiltrate sensitive data and finally encrypt files. If the ransom is not paid, they threaten to publish the stolen data on dark-web leak sites.
INC Ransom is capable of targeting both Windows and Linux/ESXi environments. Its approach often involves legitimate tools for lateral movement along with evasion tactics, making detection harder and increasing the chances of a successful breach. In some cases, the group even offered its source code for sale on hacking forums, an act that suggests internal fractures or plans to evolve into a new version with a changed encryption algorithm.
Over the past two years, INC Ransom has amassed a growing and alarming list of high-profile victims across various sectors, including healthcare, manufacturing, government, retail, and education.
Among the most egregious:
- A breach of Ahold Delhaize, a global food retail giant. In November 2024, the company's U.S. business systems were compromised. INC Ransom later added the company to its dark-web leak site and posted samples of stolen internal documents. In mid-2025, Ahold Delhaize admitted to experiencing a data breach and confirmed that certain files had been stolen.
- An attack on the Pennsylvania Office of the Attorney General (PA OAG) in August 2025, which reportedly resulted in the theft of about 5.7 terabytes of sensitive files. The group claimed this breach provided them access to even more sensitive "internal" networks.
- The targeting of Yamaha Motor Philippines (YMPH), a subsidiary of a major international manufacturer. The group disclosed roughly 37 GB of data allegedly stolen, including employee IDs, corporate files, and backups.
- Prior public disclosures by INC Ransom of attacks against, among others, NHS Scotland, government agencies such as the Panama Ministry of Economy and Finance, educational institutions, and various organizations in manufacturing and non-profit sectors.
These attacks demonstrate that INC Ransom does not hesitate to target critical infrastructure or large institutions with sensitive data. Its victims range from public safety systems and government agencies to healthcare, retail, and other private industries.
The group's tactics, including exploiting known vulnerabilities, utilizing legitimate administrative tools for stealthy lateral movement, and relying on double extortion, demonstrate a high level of sophistication. Their decision to publicly leak data, even from vital public-service platforms, signals a worrying shift: ransomware groups are now willing to inflict widespread societal harm, not just corporate pain.
The breach of CodeRED by INC Ransom marks a critical juncture in cybersecurity. For years, ransomware attacks mostly targeted corporations, but this incident shows that even systems meant to protect life and property are now in the crosshairs.
Governments, emergency services, and other public safety organizations often rely on outsourced or vendor-managed systems for critical functions, such as alerting populations during disasters, natural events, or civil emergencies. When those systems are compromised, the consequences are not just financial, but potentially life-threatening.
The attack underscores several serious systemic vulnerabilities:
- Single point of failure: Thousands of municipalities across the United States depended on a single platform. When that platform failed, the failure was nationwide.
- Vendor risk concentration: Outsourcing essential public-safety functions to a single vendor meant that a breach at the vendor level translated into a nationwide outage.
- Weak data protection: The exposure of names, addresses, phone numbers, and passwords — potentially reused across other accounts — poses a broader risk of identity theft, credential stuffing, and other downstream abuses.
- Lack of redundancy: Many jurisdictions suddenly found themselves without any automated alert system, relying on backup channels such as social media, local media, or manual notifications — methods that may be far less reliable in an emergency.
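The single-point-of-failure and lack-of-redundancy points above can be made concrete with a small model of how an alert dispatcher can avoid them. The following Python is an added illustration, not code from OnSolve, Crisis24 or any CodeRED deployment; the channel names (`vendor_portal`, `county_sms`, `broadcast_radio`) and their behaviour are constructed stand-ins. It shows two things: alerts are sent on every channel independently, so a failed vendor platform does not block the fallbacks, and a scheduled readiness drill surfaces a dead channel before a real emergency rather than during one.

```python
"""Independent multi-channel alert dispatch with a readiness drill.

Added illustration (not OnSolve/Crisis24 code): models the point that a
jurisdiction relying on one vendor platform has a single point of failure,
and that fallback channels only help if they are exercised ahead of time.
All channel implementations below are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Channel:
    """An alert channel: `send` returns True only on confirmed delivery."""
    name: str
    send: Callable[[str], bool]


@dataclass(frozen=True)
class DispatchResult:
    delivered_via: List[str]
    failed: List[str]
    success: bool


def _attempt(channel: Channel, message: str) -> bool:
    # A crashing channel counts as a failed delivery, never as a fatal error,
    # so one broken vendor integration cannot take the whole dispatch down.
    try:
        return bool(channel.send(message))
    except Exception:
        return False


def dispatch_alert(message: str, channels: List[Channel], required: int = 1) -> DispatchResult:
    """Send `message` on every channel independently.

    The dispatch counts as successful when at least `required` channels confirm
    delivery. Channels are not chained: a failure on the primary vendor does not
    block the fallbacks, and a success on one channel does not skip the others
    (a redundant delivery is cheap; a missed evacuation notice is not).
    """
    delivered: List[str] = []
    failed: List[str] = []
    for ch in channels:
        (delivered if _attempt(ch, message) else failed).append(ch.name)
    return DispatchResult(delivered, failed, len(delivered) >= required)


def readiness_drill(channels: List[Channel]) -> Dict[str, bool]:
    """Exercise each channel with a clearly labelled test message.

    Run on a schedule so a vendor outage shows up as a failed drill,
    not as silence during a real tornado warning.
    """
    return {ch.name: _attempt(ch, "TEST: readiness drill, no action required")
            for ch in channels}


# --- constructed stand-ins for demonstration only ---------------------------

def _vendor_portal_down(_msg: str) -> bool:
    # Simulates the hosted vendor platform being unreachable during an outage.
    raise ConnectionError("vendor API unreachable")


def _county_sms_gateway(_msg: str) -> bool:
    return True   # independently contracted SMS gateway, confirmed delivery


def _broadcast_radio_feed(_msg: str) -> bool:
    return True   # local broadcaster feed, confirmed delivery


VENDOR_ONLY = [Channel("vendor_portal", _vendor_portal_down)]
REDUNDANT = VENDOR_ONLY + [
    Channel("county_sms", _county_sms_gateway),
    Channel("broadcast_radio", _broadcast_radio_feed),
]


if __name__ == "__main__":
    msg = "EVACUATION ORDER: Zone B, move north of Route 9 immediately."
    print("single vendor:", dispatch_alert(msg, VENDOR_ONLY))
    print("redundant:    ", dispatch_alert(msg, REDUNDANT, required=2))
    print("drill:        ", readiness_drill(REDUNDANT))
```

With only the vendor channel configured the dispatch fails outright, which is the nationwide outage the article describes; with two independently contracted channels alongside it the same message is still confirmed twice, and the drill reports the vendor channel as down so the jurisdiction knows before it needs to send a real alert.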
In the aftermath, communities will likely re-evaluate their dependence on monolithic vendors and push for more resilience, redundancy, and transparency.
As the world grapples with digital transformation and an increasing dependency on centralized services, the CodeRED incident serves as a stark reminder: security must be built in from the ground up, redundancy must be incorporated into critical systems, and vendor management must include rigorous accountability. Otherwise, the next strike may hit even closer to home, and possibly when lives are on the line.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience working in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.