
Parrot CTFs Blog: Offensive Security Topics & Cyber Security News

Ransomware Hits OnSolve CodeRED: What Emergency Alert Users Must Know

TLDR

The Inc Ransom group breached OnSolve CodeRED, disrupting emergency alerts across more than a dozen U.S. states. The attackers encrypted backend systems, stole user data, and demanded a ransom.

Customers are being moved to a new platform. Immediate steps include credential rotation, MFA enforcement, and network segmentation.

What happened

OnSolve operates CodeRED, a cloud‑based emergency notification service used by public safety agencies, schools, and utilities. In early March 2024, the Inc Ransom gang infiltrated the platform’s backend infrastructure. They deployed ransomware that encrypted critical databases and locked out administrators.

Within hours, the service stopped delivering alerts. State emergency management offices reported missed tornado warnings, school closures, and public health notices. The outage spread across at least 15 states, affecting millions of residents.

After encrypting the systems, the attackers claimed to have exfiltrated user credentials, contact lists, and historical alert logs. The ransom note demanded 25 BTC (roughly $1.5 million at early‑2024 prices) for a decryption key and a promise not to publish the stolen data.

OnSolve’s incident response team, supported by third‑party forensics, confirmed the breach. They disclosed that the attackers leveraged a vulnerable third‑party library in the API gateway. The vulnerability allowed remote code execution, which the attackers used to gain privileged access.

Following the breach, OnSolve announced an accelerated migration to a hardened, next‑generation alert platform. The company also offered free credit monitoring to affected customers and began notifying regulators.

Why it matters

Emergency alert systems are a critical part of public safety infrastructure. When they fail, lives can be lost. The CodeRED outage demonstrated how a single supply‑chain weakness in one SaaS provider can cascade into a multi‑state public‑safety risk.

Beyond the immediate disruption, the data breach exposed personally identifiable information (PII) of agency users at scale. That includes names, phone numbers, email addresses, and in some cases, internal response plans. Threat actors can weaponize that data for phishing, social engineering, or further ransomware attacks, and an agency contact list is especially dangerous because recipients are trained to act on its messages quickly.

The incident also highlights the growing targeting of SaaS providers by ransomware groups. Attackers see high‑value, time‑sensitive services as leverage. They know that victims are willing to pay quickly to restore operations.

Regulators are paying close attention. The breach may trigger state‑level breach notification laws, Federal Trade Commission enforcement for inadequate data security, and, for covered critical‑infrastructure entities, federal incident‑reporting obligations. Organizations that rely on CodeRED must now assess compliance gaps.

Finally, the attack underscores the importance of zero‑trust architecture. Traditional perimeter defenses were insufficient. The attackers moved laterally once inside the cloud tenant, exploiting over‑privileged service accounts.

Who is affected

  • Public‑safety agencies: Police, fire, and emergency management departments that use CodeRED to broadcast alerts.
  • Educational institutions: Schools and universities that rely on the platform for lockdown notifications and weather warnings.
  • Utilities and transportation: Power companies, transit authorities, and airports that send outage or safety notices.
  • Healthcare providers: Hospitals and clinics that use the system for mass casualty alerts and public‑health advisories.
  • Third‑party vendors: Contractors and software integrators with privileged access to the CodeRED API.
  • End users: Employees and citizens who receive alerts on mobile devices or email.

In total, more than 3,200 organizations reported reliance on CodeRED. The breach potentially exposed the credentials of over 150,000 individual users.

How to check exposure

Step 1: Verify your organization’s relationship with OnSolve. If you have an active CodeRED contract, you are in scope.

Step 2: Request the breach notification details from OnSolve. Your contract and the applicable breach‑notification laws generally require the provider to tell you which accounts were compromised and which data fields were accessed.

Step 3: Cross‑reference the disclosed usernames, email addresses, and phone numbers with your internal directory. Flag any matches for immediate remediation.

Step 4: Review API keys and service‑account tokens that were issued for your integration. OnSolve recommends rotating all keys issued before March 2024.

Step 5: Analyze logs of inbound and outbound traffic to the CodeRED endpoints. Look for anomalous authentication attempts, especially from IP ranges not associated with your organization, and note whether any of them succeeded.

Step 6: Run a credential‑leak check. Have I Been Pwned offers a domain search for your organization's email addresses and a Pwned Passwords API that accepts only the first five characters of a SHA‑1 hash, so you can screen passwords without sending them off‑site. This reveals whether any of your users' addresses or passwords already appear in public dumps.

Step 7: Document findings in a breach‑impact report. Include the number of affected accounts, data types exposed, and any evidence of subsequent malicious activity.
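The checks in Steps 3 to 5 and the summary for Step 7, as an added example that is not from the original post or from OnSolve: a Python script that cross‑references a provider‑supplied list of compromised accounts with an internal directory, flags integration keys issued before the rotation cutoff, and scans authentication logs for attempts from outside the organization's IP ranges. The record layouts, log format, key inventory, IP ranges and all sample data are constructed assumptions; OnSolve's real export format is not published on this page.

```python
"""Breach-impact triage for a SaaS provider compromise (added example).

All inputs below are constructed for illustration. Field names and the log
layout are assumptions, not OnSolve's actual formats.
"""
import ipaddress
import re
from datetime import date

# Assumed shape of the provider's list of compromised accounts (constructed).
BREACH_LIST = [
    {"username": "Dispatch@County.example", "phone": "+1 (555) 123-0001"},
    {"username": "ops@utility.example", "phone": "555-123-0002"},
    {"username": "someone@otherorg.example", "phone": "+15559990000"},
]

# Assumed shape of an internal directory export (constructed).
INTERNAL_DIRECTORY = [
    {"email": "dispatch@county.example", "phone": "+15551230001", "dept": "EMA"},
    {"email": "ops@utility.example", "phone": "+15551230002", "dept": "Water"},
    {"email": "clerk@county.example", "phone": "+15551230003", "dept": "Admin"},
]

# Assumed inventory of integration keys: key IDs and issue dates, never secrets.
API_KEYS = [
    {"key_id": "ck_001", "issued": date(2023, 11, 2), "owner": "alerts-bot"},
    {"key_id": "ck_002", "issued": date(2024, 3, 20), "owner": "cad-integration"},
]

# Assumed log format for authentication events against the CodeRED endpoints.
AUTH_LOG = """\
2024-03-03T22:10:01Z auth user=dispatch@county.example src=198.51.100.14 result=success
2024-03-04T02:13:45Z auth user=dispatch@county.example src=203.0.113.45 result=success
2024-03-04T02:14:02Z auth user=ops@utility.example src=203.0.113.45 result=failure
2024-03-04T09:00:11Z alert_send user=ops@utility.example src=192.0.2.8 result=success
"""

ORG_CIDRS = ["198.51.100.0/24", "192.0.2.0/24"]  # assumed egress ranges
ROTATION_CUTOFF = date(2024, 3, 1)  # the post: rotate keys issued before March 2024


def normalize_phone(raw):
    """Keep digits only so '+1 (555) 123-0001' and '+15551230001' compare equal;
    the last ten digits are the national number, which drops the country code."""
    return re.sub(r"\D", "", raw)[-10:]


def match_breach_to_directory(breach_list, directory):
    """Step 3: directory entries whose e-mail or phone appears in the breach list."""
    emails = {e["username"].strip().lower() for e in breach_list}
    phones = {normalize_phone(e["phone"]) for e in breach_list}
    return [
        u for u in directory
        if u["email"].lower() in emails or normalize_phone(u["phone"]) in phones
    ]


def stale_api_keys(keys, cutoff):
    """Step 4: keys issued before the cutoff must be revoked and re-issued."""
    return [k["key_id"] for k in keys if k["issued"] < cutoff]


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def suspicious_auth_events(log_text, org_cidrs):
    """Step 5: authentication events whose source IP is outside the org's ranges.
    Returns (timestamp, user, source_ip, result) tuples; failures are kept too,
    since a failed login from an unknown range is still a credential-stuffing signal."""
    nets = [ipaddress.ip_network(c) for c in org_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["event"] != "auth":
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in n for n in nets):
            hits.append((m["ts"], m["user"], m["src"], m["result"]))
    return hits


def build_report(breach_list, directory, keys, cutoff, log_text, org_cidrs):
    """Step 7: the figures a breach-impact report needs."""
    matched = match_breach_to_directory(breach_list, directory)
    return {
        "affected_accounts": sorted(u["email"] for u in matched),
        "keys_to_rotate": stale_api_keys(keys, cutoff),
        "suspicious_auth": suspicious_auth_events(log_text, org_cidrs),
    }


if __name__ == "__main__":
    report = build_report(BREACH_LIST, INTERNAL_DIRECTORY, API_KEYS,
                          ROTATION_CUTOFF, AUTH_LOG, ORG_CIDRS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the script reports two affected accounts, one key to rotate, and two authentication events from 203.0.113.45, one of which succeeded; that successful login from an unknown range is the line to escalate first. Replace the constructed inputs with your directory export, key inventory and gateway logs, and keep the matching on normalized e-mail and phone so that case and formatting differences in the provider's list do not hide a match.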

Fast mitigation

  1. Reset all passwords. Require at least 12 characters and screen new passwords against known‑breached lists; length and breach screening protect more than forced composition rules. Apply this to both user and service accounts.
  2. Enable multi‑factor authentication (MFA) on every account that accesses CodeRED. Prefer phishing‑resistant methods (FIDO2 hardware keys) or authenticator apps over SMS, which is exposed to SIM swapping.
  3. Revoke and re‑issue API keys. Use short‑lived tokens where possible. Store them in a secret‑management vault.
  4. Segment network traffic. Isolate the alert‑generation servers from other business systems. Use firewalls to restrict outbound connections to known endpoints.
  5. Patch the vulnerable component. The RCE was in a third‑party library in OnSolve's API gateway, which is the provider's to fix; confirm with OnSolve that the fix is deployed, and apply the same update to any copy of that library in your own integration code. Verify with a vulnerability scanner.
  6. Implement zero‑trust controls. Enforce least‑privilege access, continuous authentication, and micro‑segmentation for cloud workloads.
  7. Monitor for credential abuse. Deploy UEBA (User and Entity Behavior Analytics) to detect anomalous login patterns.
  8. Conduct phishing awareness training. The stolen contact list is a prime target for credential‑phishing campaigns.
  9. Update incident‑response playbooks. Include a specific scenario for SaaS‑provider ransomware and data‑exfiltration.
  10. Engage legal and compliance teams. Determine breach‑notification obligations under state laws and GDPR if EU data is involved.

These actions should be completed within 72 hours of confirming exposure. Delays increase the risk of secondary attacks and regulatory penalties.

Organizations that have already migrated to OnSolve’s new platform should still perform the same checks. The new system uses hardened containers and a separate authentication domain, but legacy credentials may still be valid.

Finally, keep an eye on threat‑intel feeds for any public release of the stolen data. Early detection of misuse can limit damage and support law‑enforcement investigations.

parrotassassin15

Founder of @ Parrot CTFs & Senior Cyber Security Consultant
