Executive Summary
In early June 2024, Crisis24 permanently shut down its OnSolve CodeRED emergency notification system after a ransomware attack severely damaged the platform's environment. The incident, attributed to the INC ransomware group, involved unauthorized access to and exfiltration of user data, including names, addresses, email addresses, phone numbers, and passwords. Forensic analysis indicated the attack was contained within the legacy CodeRED environment. The shutdown left dozens of municipalities and law enforcement agencies temporarily without emergency notification services, though the U.S. government's Emergency Alert System was unaffected. Crisis24 accelerated the rollout of its new platform, conducted a security audit, and notified law enforcement.
This breach underscores the increasing risk posed by ransomware groups targeting public safety infrastructure. With attackers leaking sensitive personal data and causing operational disruptions, organizations face mounting pressure to modernize legacy systems and enhance both incident response and segmentation controls in light of sophisticated, persistent threats.
Why This Matters Now
Public safety platforms are now prime targets for ransomware, amplifying risks to critical infrastructure and personal data. The incident highlights the urgent need to secure legacy environments, implement rapid segmentation, and proactively address vulnerabilities before attackers exploit them—especially as threat groups intensify campaigns on essential service providers.
Attack Path Analysis
The attackers initially compromised the legacy CodeRED environment, likely via exposed credentials or application vulnerabilities. Once inside, they escalated privileges to gain broader access within the environment. The threat actors then conducted lateral movement, exploring additional hosts and workloads for valuable data and backup systems. Establishing command and control, they maintained persistence and orchestrated data collection. They then exfiltrated personally identifiable information (PII) from the environment, leading to public data leakage. Finally, the attackers deployed ransomware, disrupting platform operations and forcing permanent decommission of the emergency notification system.
Kill Chain Progression
Initial Compromise
Description
Attackers infiltrated the legacy CodeRED environment, likely abusing compromised credentials or exploiting an undisclosed vulnerability.
MITRE ATT&CK® Techniques
- Exploit Public-Facing Application
- Valid Accounts
- User Execution
- Data Encrypted for Impact
- Data Manipulation: Stored Data Manipulation
- Data from Local System
- Data from Cloud Storage Object
- Transfer Data to Cloud Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Strong Access Controls (Control ID: 8.3.1)
- NYDFS 23 NYCRR 500 – Incident Notification (Control ID: 500.17(a))
- NIS2 Directive – Security of Networks and Information Systems (Control ID: Art. 21(2)(d))
- DORA – ICT Risk Management (Control ID: Art. 10)
- CISA ZTMM 2.0 – Multi-factor Authentication and Credential Management (Control ID: Identity Pillar – Identity Assurance)
- ISO/IEC 27001:2022 – Information Security Incident Management (Control ID: A.5.25)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Emergency notification systems compromised by ransomware expose critical public safety communications, requiring enhanced egress security and threat detection capabilities.
Law Enforcement
The CodeRED system breach disrupted emergency response coordination, highlighting the need for zero trust segmentation and encrypted traffic protection in public safety.
Public Safety
The ransomware attack on the Crisis24 platform demonstrates the vulnerability of emergency alert systems and the need for multicloud visibility and anomaly detection.
Information Technology/IT
Legacy system compromise reveals inadequate east-west traffic security and policy enforcement, requiring cloud native security fabric for notification platforms.
Sources
- Crisis24 shuts down emergency notification system in wake of ransomware attack, https://cyberscoop.com/crisis24-onsolve-codered-emergency-system-ransomware/
- Cyber Attack on Crisis24’s OnSolve CodeRED Emergency Alert Systems Disrupts Public Safety Services, https://www.cpomagazine.com/cyber-security/cyber-attack-on-crisis24s-onsolve-codered-emergency-alert-systems-disrupts-public-safety-services/
- INC ransomware rebrands to Lynx, say security researchers, https://www.theregister.com/2024/10/11/inc_ransomware_lynx/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust controls—including segmentation, lateral movement prevention, encrypted traffic enforcement, robust egress policies, and threat detection—would have isolated environments, reduced attack surface, and quickly detected malicious activity, greatly containing or preventing this attack.
- Multicloud Visibility & Control: anomalous access would be rapidly detected and investigated.
- Zero Trust Segmentation: prevents attackers from gaining unnecessary access by enforcing least privilege.
- East-West Traffic Security: lateral movement is contained via workload-to-workload segmentation.
- Egress Security & Policy Enforcement: blocks or detects suspicious outbound C2 traffic.
- Cloud Firewall (ACF): prevents unauthorized data exfiltration via policy controls.
Enables rapid detection of ransomware activity and abnormal file/system behavior.
Impact at a Glance
Affected Business Functions
- Emergency Notification Services
- Public Safety Communications
Estimated downtime: 14 days
Estimated loss: $500,000
Personal information of CodeRED users, including names, addresses, email addresses, phone numbers, and passwords, was compromised and leaked online.
Recommended Actions
Key Takeaways & Next Steps
- Deploy identity-based Zero Trust segmentation to isolate legacy platforms and enforce least-privilege access.
- Implement comprehensive east-west and egress traffic inspection to contain movement and block C2 and data exfiltration.
- Enforce robust encryption policies for data in transit and at rest to protect sensitive information.
- Leverage continuous monitoring, threat detection, and anomaly response to detect and contain breaches early.
- Regularly review and update cloud firewall, segmentation, and visibility controls in line with evolving threat tactics.