Executive Summary

A significant ransomware attack attributed to the Inc Ransom group has crippled the OnSolve CodeRED emergency notification system, a platform used by hundreds of local government and law enforcement agencies across the United States. The attack, which involved both data encryption and exfiltration, has forced the vendor to decommission the affected legacy platform, leading to widespread service disruptions. This incident highlights the vulnerability of critical public safety infrastructure to cyberattacks and the severe real-world consequences, as municipalities are left without a primary tool for issuing urgent alerts for events like natural disasters, active threats, and missing person reports. The attackers claim to have stolen user data after a ransom negotiation for $100,000 failed, escalating the incident from disruption to a significant data breach.

Threat Overview

The attack was initiated on November 1, 2025, when the Inc Ransom group claims to have first gained access to OnSolve's network. The ransomware payload was deployed on November 10, encrypting systems and disrupting the legacy CodeRED platform. On November 22, Inc Ransom publicly listed OnSolve on its data leak site, claiming responsibility and stating that negotiations with the vendor had failed.

The primary impact is the loss of a critical public communication channel for numerous communities. Local governments in states including Massachusetts, Colorado, Texas, Florida, and California have publicly acknowledged the outage. The compromised data includes sensitive Personally Identifiable Information (PII) of registered users, such as names, physical addresses, email addresses, phone numbers, and hashed passwords. Crisis24, OnSolve's parent company, has confirmed the data exfiltration and is in the process of migrating customers to a new, unaffected platform, but the transition has been disruptive.

Technical Analysis

The attack follows a typical double-extortion ransomware model. While the exact initial access vector has not been disclosed, it likely involved common methods such as phishing, exploitation of a public-facing vulnerability, or compromised credentials.

MITRE ATT&CK Techniques Observed or Inferred:

• Initial Access: Likely T1190 - Exploit Public-Facing Application or T1078 - Valid Accounts.
• Execution: T1059.001 - PowerShell is commonly used by ransomware groups for execution and lateral movement.
• Persistence: Attackers may have used T1547.001 - Registry Run Keys / Startup Folder to maintain their foothold.
• Defense Evasion: T1490 - Inhibit System Recovery by deleting shadow copies is a standard ransomware tactic.
• Credential Access: T1003 - OS Credential Dumping would have been used to harvest credentials for lateral movement.
• Exfiltration: T1048 - Exfiltration Over Alternative Medium was used to steal user data before encryption.
• Impact: T1486 - Data Encrypted for Impact was the final stage, rendering the CodeRED system inoperable.

Impact Assessment

The operational impact is severe. The inability to issue emergency alerts poses a direct risk to public safety. For example, a community could be unable to warn residents of a fast-moving wildfire, a chemical spill, or an active shooter situation. This erodes public trust in emergency services and local government. Financially, OnSolve faces costs related to incident response, platform migration, potential regulatory fines for the data breach, and loss of revenue as frustrated customers consider alternative providers. Affected municipalities must scramble to find and implement replacement notification systems, incurring unexpected costs and creating a temporary gap in their emergency response capabilities. The breach of user PII also exposes affected individuals to risks of identity theft, phishing, and other forms of fraud.

IOCs

No specific Indicators of Compromise (IOCs) such as file hashes or C2 domains were provided in the source articles.

Cyber Observables for Detection

Security teams should hunt for TTPs associated with Inc Ransom and similar ransomware groups:

Detection & Response

• EDR/XDR: Deploy and monitor EDR solutions to detect ransomware behaviors such as rapid file encryption, deletion of shadow copies (D3-PA: Process Analysis), and suspicious process execution from tools like PsExec or WMI.
• Network Monitoring: Implement D3-NTA: Network Traffic Analysis to baseline normal traffic patterns and alert on anomalous outbound data flows that could indicate exfiltration. Pay close attention to traffic from critical servers to unfamiliar destinations.
• Log Analysis: Centralize and analyze logs from critical systems. Look for patterns of failed and successful logins from unusual geo-locations or at odd hours. Monitor for the creation of new administrative accounts.
• Canary Files: Place decoy files (honeypots) on file shares. Configure alerts to trigger if these files are accessed or encrypted, providing an early warning of a ransomware attack in progress (D3-DO: Decoy Object).

Mitigation

• Backup and Recovery: Maintain immutable, offline backups of critical data and systems. Regularly test restoration procedures to ensure they are effective in a real-world incident.
• Network Segmentation: Implement robust D3-NI: Network Isolation to separate critical infrastructure environments from corporate networks. Restrict east-west traffic to prevent attackers from moving laterally.
• Access Control: Enforce the principle of least privilege. Implement strong password policies and mandate Multi-Factor Authentication (MFA) for all remote access, privileged accounts, and critical system logins.
• Patch Management: Aggressively patch internet-facing systems and critical vulnerabilities, especially those known to be exploited by ransomware groups. Prioritize patching of VPN concentrators, firewalls, and remote access solutions.