Full Report
It’s easy to forget that while a news cycle may last about 15 minutes, incident response runs much longer. The following is an update from St. Mary’s County in Maryland about the CodeRED emergency systems ransomware attack that affected numerous EMS systems throughout the country. The attack had occurred in CodeRED’s legacy OnSolve environment... Source
Analysis Summary
# Incident Report: CodeRED Emergency Systems Ransomware Attack
## Executive Summary
A ransomware attack, claimed by INC Ransom, targeted CodeRED's legacy OnSolve emergency notification environment starting October 31, 2025. The attack resulted in the deployment of ransomware on November 10, forcing system downtime for approximately two weeks, which impacted numerous Emergency Medical Services (EMS) systems relying on the platform. Limited, outdated subscriber data was exposed, but no sensitive PII such as names or addresses was compromised.
## Incident Details
- Discovery Date: Not explicitly stated, but response actions began around the ransomware deployment on November 10, 2025.
- Incident Date: Initial compromise occurred on October 31, 2025.
- Affected Organization: CodeRED (legacy OnSolve environment).
- Sector: Emergency Notification Systems / Public Safety Communications.
- Geography: Multiple US entities utilizing CodeRED services, with specific updates provided by St. Mary’s County, Maryland.
## Timeline of Events
### Initial Access
- Date/Time: October 31, 2025
- Vector: Initial access method is not explicitly detailed in the provided text.
- Details: Attack occurred within CodeRED's legacy OnSolve environment.
### Lateral Movement
- Details: Not detailed, but the attack progressed to ransomware deployment within the environment.
### Data Exfiltration/Impact
- Date/Time: Ransomware deployed on November 10, 2025.
- Details: Limited subscriber information across two datasets was exposed. One set contained usernames, phone numbers, and *inactive, outdated passwords* (deactivated in 2015). The second set contained usernames with *encrypted, unreadable passwords* (no evidence encryption keys were accessed). INC Ransom leaked some data they claimed to be selling.
### Detection & Response
- Details: The impact included the CodeRED system being unavailable for approximately two weeks, requiring affected entities to use alternative means for emergency warnings. OnSolve negotiated with the threat actors but ultimately did not pay the ransom. The platform was subsequently decommissioned and replaced by CodeRED by Crisis24.
## Attack Methodology
- Initial Access: Unknown (Specific vector not provided).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Implied access to usernames and potentially encrypted (unreadable) passwords (though some passwords were 10 years old and inactive).
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Access and exfiltration of two limited user data sets.
- Exfiltration: Claimed by INC Ransom, involving older user authentication data.
- Impact: Deployment of ransomware causing operational outages for emergency notification services.
## Impact Assessment
- Financial: Negotiations occurred, but the ransom was not paid. Costs associated with platform migration/decommissioning were not specified.
- Data Breach: Limited user data exposed: Usernames, phone numbers, and outdated/inactive passwords (deactivated in 2015). **Crucially, no first/last names, addresses, or active passwords were included.**
- Operational: Affected numerous EMS systems for approximately two weeks, forcing reliance on alternative emergency warning systems.
- Reputational: Customers were reportedly unhappy with OnSolve's communication during the crisis, leading some to change vendors.
## Indicators of Compromise
- Network indicators: Not provided.
- File indicators: Ransomware deployed (Specific malware signature unknown).
- Behavioral indicators: Unauthorized deployment of ransomware on November 10th.
## Response Actions
- Containment measures: Unspecified, but the system was taken offline, leading to the decommissioning of the legacy OnSolve platform.
- Eradication steps: The legacy OnSolve environment was ultimately decommissioned and replaced.
- Recovery actions: Systems were brought back online using the successor platform (CodeRED by Crisis24) after approximately two weeks of disruption.
## Lessons Learned
- Legacy platform risk: The incident occurred within the legacy OnSolve environment, indicating potential risks associated with maintaining older infrastructure.
- Vendor communication: Communication during the crisis was deemed insufficient by some customers, impacting immediate and long-term relationships.
- Data retention: Exposure involved very old, outdated credentials (pre-2015), highlighting the importance of timely data lifecycle management.
## Recommendations
- Immediately decommission and migrate/replace any legacy infrastructure hosting critical services (like emergency notification systems).
- Review and enhance communication protocols for incident response to ensure timely and effective updates to impacted stakeholders.
- Ensure robust credential hygiene, including immediately invalidating any passwords still associated with a platform when it is migrated or shut down.
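As an added example (not code from the report or from CodeRED/OnSolve), a small retention audit over a constructed subscriber export that flags the two conditions the incident exposed: accounts kept past their deactivation and passwords stored in a recoverable form. The field names, hash prefixes, sample records and retention window are assumptions.

```python
"""Credential-retention audit over a constructed subscriber export.

Assumptions (not from the incident report): records are dicts with the
fields shown below, and hashed passwords carry a recognisable prefix.
"""
from datetime import date

# Storage formats treated as hashed; anything else is flagged as recoverable.
HASHED_PREFIXES = ("$argon2id$", "$2b$", "pbkdf2_sha256$")

# Constructed sample export, modelled on the two exposed datasets: one with
# long-deactivated (2015) passwords still stored, one with hashed values.
SAMPLE_RECORDS = [
    {"username": "alice", "phone": "555-0100", "password": "Summer2014!",
     "deactivated_on": date(2015, 3, 1)},
    {"username": "bob", "phone": "555-0101",
     "password": "$2b$12$constructedhashvalue", "deactivated_on": None},
    {"username": "carol", "phone": "555-0102", "password": "hunter2",
     "deactivated_on": None},
]


def is_hashed(stored: str) -> bool:
    """True if the stored value looks like a hash rather than a secret."""
    return stored.startswith(HASHED_PREFIXES)


def audit_records(records, today: date, retention_days: int):
    """Return {username: [findings]} for records that need purge or fix."""
    findings = {}
    for rec in records:
        issues = []
        deactivated = rec["deactivated_on"]
        if deactivated is not None and (today - deactivated).days > retention_days:
            issues.append("purge: deactivated beyond retention window")
        if not is_hashed(rec["password"]):
            issues.append("invalidate: password stored in recoverable form")
        if issues:
            findings[rec["username"]] = issues
    return findings


def audit_sample():
    """Run the audit as of the ransomware deployment date with a 1-year window."""
    return audit_records(SAMPLE_RECORDS, date(2025, 11, 10), 365)


if __name__ == "__main__":
    for user, issues in audit_sample().items():
        print(user, issues)
```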